View Categories

Authentication for Captive & Self-Service Portal

SAML 2 can be configured for both Admin Portal and Self Service (Captive Portal and/or Self Service Portal). This document describes the SAML configuration for Captive-/Self Service Portal.

 

Authentication flow overview #

 

 

The SAML authentication flow for Captive-/Self Service consists of the following steps:

  • The user initiates a Service Provider (SP) Initiated flow which redirects the user to the Identity Provider Single Sign-On URL.
  • The idP parses the SAML request and authenticates the user. Once the user is authenticated, the idP generates a SAML response.
  • The idP returns the encoded SAML response to the browser.
  • The browser sends the SAML response to Netgraph Connect for verification.
  • If the verification is successful, Netgraph Connect will perform user authorization depending on the matching Sign In – Access Policy.
    • If the user is authenticating for internet access via the Captive Portal, the SAML Provisioning Role must be enabled in the matching Access Policy.
    • If the user is authenticating for the Self Service Portal, Self Service Access must be enabled in the matching Access Policy.

 

Configuration #

The following configuration steps need to be performed in order to enable SAML authentication for Captive-/Self Service Portals.

  • Configure a new idP with the Self Service target
  • Configure Walled Garden for Captive Portal
  • Create/update an Access Policy and enable SAML Provisioning Role
  • Configure the SAML Provisioning Access Settings
  • Enable SAML as an Active Login Option
  • Done

 

1. Configure a new idP with the Self Service target. #
  • In the side menu, Organization / SAML SSO click Add SSO Identity Provider
  • Enter a Descriptive name for the provider, e.g. ‘Guest WiFi Azure’ and click Add Identity Provider
  • Select ‘Self Service’ as Authentication Target
  • By checking the Display Login Button and entering the button text, users will be able to sign in to the Self Service Portal via SSO. Remember to enable Self Service Access in the corresponding Access Policy.

 

 

  • Please note the Service Provider Recipient URL (above), it’s a unique identifier that is needed when configuring your idP in the next step.

  • Configure the Identity Provider Details for your Service Provider. Below are a few examples of how to set up your Identity Provider for:

  • In the Identity Provider Single Sign-On URL field, enter the appropriate value from your idP (step 6).

  • In the Identity Provider Issuer field, enter the appropriate value from your idP (step 6).

  • In X.509 Certificate field, enter the appropriate value from your idP (step 6).

  • Click Update Identity Provider

  • Done

 

2. Configure Walled Garden for Captive Portal #

Since the authentication is performed “externally” by the idP, certain domains need to be accessible to the client prior to authentication.

The walled garden functionality allows you to allow access for clients to a specific set of hostnames prior to authentication.

Depending on your idP, different domains need to be added to the walled garden. Please refer to your specific idP for the latest information but below are the recommended domains for the most common idPs:

Microsoft Azure:

  • login.microsoftonline.com
  • myapps.microsoft.com
  • account.live.com
  • aadcdn.msauth.net
  • aadcdn.msftauth.net
  • account.activedirectory.windowsazure.com

Google:

  • accounts.google.com
  • accounts.google.se (where .se is country-specific and depends on your organization, multiple entries may have to be added)
  • fonts.gstatic.com
  • ssl.gstatic.com
  • lh3.googleusercontent.com
  • accounts.youtube.com

Okta:

  • login.okta.com
  • ok12static.oktacdn.com
  • your-organization-domain.okta.com (where your-organization-domain is specific for your organization)

Auth0:

  • auth0.auth0.com
  • cdn.auth0.com

Now that you know which hostnames need to be added to your walled garden, it’s time to configure it. Depending on your service setup this is done in two different ways.

  1. If you are using Meraki, then you need to configure Meraki Walled Garden.
  2. If you are using a Service Gateway, then you need to Configure Service gateway Walled Garden as described in Sign In – Common Settings.

And of course, if you are using a mixed setup with both Service Gateway and Meraki, you need to do both.

Note: Please note that there may be a few minutes delay before the walled garden settings take affect.

 

3. Create/update an Access Policy and enable SAML Provisioning Role #

Navigate to Sign In Administration / Access Policies

Create or update the Access Policy that will enable users to authenticate via SAML.

 

 

4. Configure the SAML Provisioning Access Settings #

Configure the SAML Provisioning Access Settings

 

5. Enable SAML as an Active Authentication Method #

Enable SAML as an Active Sign In method on the Captive Portal

 

6. (Optional) Disable Multi-factor authentication (MFA) for Captive Portal logins #

MFA is great and highly recommended for securing sensitive resources. There are, however, some cases where MFA may cause challenges to the end user. One such case can be dealing with MFA while signing in via the Wi-Fi Captive Portal login dialog. The reason is the state of the Captive Portal itself where many devices don’t allow any multitasking while in the “captive state”. This makes it impossible to open other applications, such as Microsoft Authenticator or 1Password while logging in via the captive portal.

One solution is to prevent MFA to occur for Captive Portal Logins. This is configured with your Identity Provider and an example of how it can be done in Microsoft Azure AD using Conditional Access Policies is described in this article.

 

7. Done #

Users are now able to authenticate via SAML

Netgraph
Powered by  GDPR Cookie Compliance
Cookie Overview

What are cookies?

Cookies are small text files consisting of letters and numbers. These are sent from Netgraph Sverige AB or our partners' web servers and stored on your device (for example, computer or mobile). They can be stored in two different ways.

Session cookies are temporary cookies that disappear when you close your browser or app.
Persistent cookies are cookies that remain on your computer until you delete them or until they expire.

Different types of cookies

Both our website and others, such as Facebook or Google, may place cookies on your computer when you visit this website. Cookies from the website you are visiting are called first-party cookies and cookies from other websites are called third-party cookies.

Other files, similar to cookies, are web beacons and similar technologies. Web beacons are small transparent graphic images that may be contained in emails we send to you.

Why do we use cookies?

We use cookies to make your visit to our website as enjoyable as possible, and to improve it even more. However, we do not store IP numbers or similar personal data about you.

Functionality cookies improve your experience

We store cookies about the pages you have visited to make your experience on our website as smooth as possible. For example, we can prevent you from seeing a pop-up window more than once.

Analytics cookies help us to make our website better

We use cookies to collect aggregate analytical information about how you use the site, such as statistics on our most popular pages. With the information we get, we can improve our web and our offers.

Deleting cookies

Your browser or device usually allows you to set which cookies can be stored on your computer. For example, you can choose to block all cookies, only accept cookies from the website you are visiting or delete all cookies when you close your browser. Look under Settings.

Questions?

Do you have any questions about how we use cookies? You can always reach Netgraph Sverige AB's data protection officer at info@netgraph.se

This information was updated on August 26, 2024.