Step-by-step instructions to set up SAML authentication for your Visitors located in APAC (Australia) with Cloudi-Fi and Azure AD.
Use case
The following sections provide step-by-step instructions to set up SAML authentication for your Visitors with Cloudi-Fi and Azure AD. The Cloudi-Fi URLs below are the ones for the APAC (Australia) platform; use the values from this page, not from the generic SAML guide.
Prerequisites
Captive portal
Before starting the configuration, make sure your captive portal supports "SAML Alternative authentication". If the "Corporate Access" section is not available in your existing captive portal, contact your Support team to update it (see How to contact your support?).
Walled garden
Be sure to add the Azure AD domains listed in Set up a walled garden for your captive portal. Without them the Visitor's browser cannot reach the Azure login page from the pre-authentication network.
Warning: for Zscaler, do not add the * wildcard, as Zscaler does not recognise this character.
SAML URLs
Linkback URL
https://login-cn.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml_alt/************
************ is your Cloudi-Fi public key (Cloudi-Fi Admin interface > Settings > Company Account).
Cloudi-Fi Entity ID
https://login-alt-cn.cloudi-fi.net/
1. Create Azure AD SAML app
From the Azure AD UI, click "Enterprise applications" and add a new application.
Then search for Microsoft Entra SAML Toolkit and create it with an explicit name (e.g. Cloudi-Fi Guest SAML).
Go to Azure AD UI > Enterprise Applications > Your Application (created in Step 1: Create Azure AD SAML app) > Single sign-on > (2) Attributes & Claims and note the following claim names:
- emailaddress
- givenname
Go to Azure AD UI > Enterprise Applications > Your Application (created in Step 1: Create Azure AD SAML app) > Single sign-on > (3) SAML Certificates and download the Certificate (Base64).
Go to Azure AD UI > Enterprise Applications > Your Application (created in Step 1: Create Azure AD SAML app) > Single sign-on > (4) Set up Your Application and collect the following URLs:
- Login URL
- Microsoft Entra Identifier
- Logout URL
2. Configure Single Sign-On
Before starting step 2, make sure you have all of the following information:
Attribute | Details
Linkback URL | https://login-cn.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml_alt/********
Cloudi-Fi Entity ID | https://login-alt-cn.cloudi-fi.net/
Login URL | https://login.microsoftonline.com/*********/saml2
Microsoft Entra Identifier | https://sts.windows.net/*********/
Logout URL | https://login.microsoftonline.com/***********/saml2
Certificate (Base64) | downloaded from (3) SAML Certificates in Step 1
Email address claim | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Given name claim | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Note that the Login URL, Microsoft Entra Identifier and Logout URL all contain the same Azure AD tenant ID; if they differ, a value was copied from another application.
2.1. On the Set up Single Sign-On with SAML page
Go to Azure AD UI > Enterprise Applications > Your Application (created in Step 1: Create Azure AD SAML app) > Single sign-on > Basic SAML Configuration and set:
- Identifier (Entity ID): Cloudi-Fi Entity ID (see SAML URLs )
- Reply URL (Assertion Consumer Service URL): Linkback URL (see SAML URLs )
- Sign on URL: Cloudi-Fi Entity ID (see SAML URLs )
2.2. On Cloudi-Fi Side
Go to Cloudi-Fi Admin UI > Configuration > Auth modes > SAML Alternative and enter the values for the following fields:
- IdP EntityId: Microsoft Entra Identifier (see Step 1: Create Azure AD SAML app)
- Binding Method: POST
- IdP Endpoint: Login URL (see Step 1: Create Azure AD SAML app)
- Logout Binding Method (optional): POST
- Logout Endpoint: Logout URL (see Step 1: Create Azure AD SAML app)
- IdP Signing Certificate (x509 format): paste the content of the Certificate (Base64) (see Step 1: Create Azure AD SAML app) without the "BEGIN CERTIFICATE" and "END CERTIFICATE" markers. This is the certificate Cloudi-Fi uses to verify the signature on the assertions Azure AD sends back; if the certificate is renewed in Azure AD, update this field as well.
- Email attribute name: emailaddress (see Step 1: Create Azure AD SAML app)
- Fullname Attribute (Optional): givenname (see Step 1: Create Azure AD SAML app)
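The following Python script is an added example and not Cloudi-Fi or Microsoft code: it ties the values collected in Steps 1 and 2 together by (a) normalising the downloaded Certificate (Base64) into the single Base64 line the "IdP Signing Certificate" field expects, (b) checking that the three Azure URLs carry the same tenant ID, and (c) building the SAML AuthnRequest that a Service Provider with "Binding Method: POST" would post to the Login URL, with the Cloudi-Fi Entity ID as Issuer and the Linkback URL as AssertionConsumerServiceURL. The public key, tenant ID and certificate body are constructed placeholders standing in for the masked values on this page.

```python
import base64
import binascii
import datetime
import re
import uuid
import xml.etree.ElementTree as ET

# Placeholders standing in for the masked values on this page (assumed, not real):
PUBLIC_KEY = "ABCDEF123456"                          # Cloudi-Fi public key (Settings > Company Account)
TENANT_ID = "11111111-2222-3333-4444-555555555555"   # Azure AD tenant id inside the Azure URLs

# Cloudi-Fi (SP) side, as listed under "SAML URLs"
SP_ENTITY_ID = "https://login-alt-cn.cloudi-fi.net/"
ACS_URL = ("https://login-cn.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml_alt/"
           + PUBLIC_KEY)
# Azure AD (IdP) side, as collected from "(4) Set up Your Application"
IDP_ENTITY_ID = f"https://sts.windows.net/{TENANT_ID}/"                 # Microsoft Entra Identifier
IDP_LOGIN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/saml2"  # Login URL

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)

# Constructed stand-in for the downloaded Certificate (Base64) file; its body
# decodes to a DER SEQUENCE, which is all this example checks.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMC\nAQE=\n-----END CERTIFICATE-----\n"


def normalize_idp_certificate(pem_text):
    """Turn the downloaded .cer into the single Base64 string the
    'IdP Signing Certificate (x509 format)' field expects: markers and
    line breaks removed. Rejects input that is not Base64-encoded DER."""
    lines = (line.strip() for line in pem_text.splitlines())
    body = "".join(line for line in lines if line and not line.startswith("-----"))
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid Base64") from exc
    if not der or der[0] != 0x30:  # every X.509 certificate is a DER SEQUENCE
        raise ValueError("decoded bytes are not a DER certificate")
    return body


def same_tenant(*urls):
    """Login URL, Entra Identifier and Logout URL must all carry the same
    tenant GUID; a mismatch usually means a value was copied from another app."""
    found = set()
    for url in urls:
        match = GUID_RE.search(url)
        if match is None:
            return False
        found.add(match.group(0).lower())
    return len(found) == 1


def build_authn_request(request_id=None, issue_instant=None):
    """SP-initiated AuthnRequest: Issuer is the Cloudi-Fi Entity ID, Destination
    the Azure Login URL, and the ACS URL is the Linkback URL Azure replies to."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("samlp", NS_SAMLP)
    ET.register_namespace("saml", NS_SAML)
    root = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": IDP_LOGIN_URL, "ProtocolBinding": POST_BINDING,
        "AssertionConsumerServiceURL": ACS_URL,
    })
    ET.SubElement(root, f"{{{NS_SAML}}}Issuer").text = SP_ENTITY_ID
    ET.SubElement(root, f"{{{NS_SAMLP}}}NameIDPolicy", {"AllowCreate": "true"})
    return ET.tostring(root, encoding="unicode")


def post_binding_form(authn_request_xml, relay_state="captive-portal"):
    """Fields of the auto-submitted form used with 'Binding Method: POST'. With
    the HTTP-POST binding SAMLRequest is plain Base64 of the XML (the
    HTTP-Redirect binding would DEFLATE it and put it in the query string)."""
    return {
        "action": IDP_LOGIN_URL,
        "SAMLRequest": base64.b64encode(authn_request_xml.encode("utf-8")).decode("ascii"),
        "RelayState": relay_state,
    }


def decode_saml_request(saml_request_b64):
    """Decode a SAMLRequest form field back to the values Azure compares
    against Basic SAML Configuration (Identifier and Reply URL)."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    return {
        "issuer": root.findtext(f"{{{NS_SAML}}}Issuer"),
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "binding": root.get("ProtocolBinding"),
    }


if __name__ == "__main__":
    print("tenant ids consistent:", same_tenant(IDP_LOGIN_URL, IDP_ENTITY_ID))
    print("certificate body:", normalize_idp_certificate(SAMPLE_PEM))
    form = post_binding_form(build_authn_request())
    print(decode_saml_request(form["SAMLRequest"]))
```

Azure AD rejects the request if the decoded Issuer does not equal the Identifier (Entity ID) or the AssertionConsumerServiceURL is not among the Reply URLs set in 2.1, which is why both values must be copied exactly, trailing slash included.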
3. Set your Visitor_profile (Optional)
Option 1: Default
By default, Cloudi-Fi will assign the "Guest" profile (see Cloudi-Fi Admin UI > Users > Profiles) for all new Visitors using "Corporate Access"
Option 2
If you want a specific Visitor_Profile for users authenticating through "Corporate Access", go to Cloudi-Fi Admin UI > Users > Profiles and create a new profile (e.g. SAML).
Then go to Cloudi-Fi Admin UI > Configuration > Auth modes > SAML Alternative and set:
Custom Profile: the profile created above (e.g. SAML)
Option 3
If you want to assign a Visitor_Profile based on the Azure AD group the user belongs to, go to Azure AD UI > Enterprise Applications > Your Application (created in Step 1: Create Azure AD SAML app) > Single sign-on > (2) Attributes & Claims and create an additional claim:
- Name (e.g. profile)
- Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims
In the Claim conditions, create one condition per profile you want to allow on the Cloudi-Fi side:
- User type: Members or Any
- Scoped Groups: select the Azure AD group(s) whose members should receive this profile
- Source: Attribute
- Value: the profile name as defined in Cloudi-Fi Admin UI > Users > Profiles
Then go to Cloudi-Fi Admin UI > Configuration > Auth modes > SAML Alternative and set:
Group Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/profile (the claim Namespace followed by its Name)
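The script below is an added example, not Cloudi-Fi's own code, showing what a Service Provider does with the Response that comes back from Azure AD once the three options above are configured: it checks the Response envelope against the configured IdP EntityId and Linkback URL, reads the emailaddress and givenname claims, and picks the Visitor profile in the order Option 3 (group claim), Option 2 (Custom Profile), Option 1 (default "Guest"). The Response, the profile names and the masked identifiers are constructed placeholders, and the Response is unsigned so the example runs offline; a real SP must verify the XML signature against the IdP Signing Certificate before trusting any attribute, which this example deliberately does not implement. The fallback order for a missing or unknown group claim value is this example's assumption.

```python
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Placeholders standing in for the masked values on this page (assumed, not real):
PUBLIC_KEY = "ABCDEF123456"
TENANT_ID = "11111111-2222-3333-4444-555555555555"
EXPECTED_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"   # IdP EntityId / Microsoft Entra Identifier
EXPECTED_ACS = ("https://login-cn.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml_alt/"
                + PUBLIC_KEY)                                 # Linkback URL
KNOWN_PROFILES = {"Guest", "SAML", "Contractor"}             # constructed names for Users > Profiles

# Constructed, unsigned Response so the example runs offline. A real Azure AD
# Response is signed and the SP must verify that signature with the IdP Signing
# Certificate before trusting anything below; this example does not do that.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{EXPECTED_ACS}">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIMS}/emailaddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}/givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}/profile"><saml:AttributeValue>Contractor</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_response(xml_text):
    """Pull issuer, destination, status and all attributes out of a Response."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS_SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    status = root.find(f"{{{NS_SAMLP}}}Status/{{{NS_SAMLP}}}StatusCode")
    attributes = {}
    for attr in root.iter(f"{{{NS_SAML}}}Attribute"):
        attributes[attr.get("Name")] = [v.text or "" for v in attr.findall(f"{{{NS_SAML}}}AttributeValue")]
    return {
        "issuer": root.findtext(f"{{{NS_SAML}}}Issuer"),
        "destination": root.get("Destination"),
        "status": status.get("Value") if status is not None else None,
        "attributes": attributes,
    }


def check_envelope(parsed):
    """Return the reasons a Response must be rejected (empty list = accept)."""
    problems = []
    if parsed["issuer"] != EXPECTED_ISSUER:
        problems.append("Issuer does not match the configured IdP EntityId")
    if parsed["destination"] != EXPECTED_ACS:
        problems.append("Destination is not our Linkback (ACS) URL")
    if parsed["status"] != SUCCESS:
        problems.append(f"IdP returned status {parsed['status']}")
    return problems


def get_attribute(attributes, configured_name):
    """Match the configured name exactly (full claim URI, as for Group Attribute)
    or by its last path segment (short form, as for 'emailaddress' / 'givenname')."""
    for name, values in attributes.items():
        if name == configured_name or name.endswith("/" + configured_name):
            return values
    return []


def resolve_profile(attributes, custom_profile=None, group_attribute=None, known=KNOWN_PROFILES):
    """Option 3 wins when the group claim carries a known profile name, then
    Option 2 (Custom Profile), then Option 1 (the default 'Guest' profile)."""
    if group_attribute:
        for value in get_attribute(attributes, group_attribute):
            if value in known:
                return value
    return custom_profile or "Guest"


def authorize_visitor(xml_text, email_attr="emailaddress", name_attr="givenname",
                      custom_profile=None, group_attribute=None):
    """Validate the envelope, then map the claims to a Cloudi-Fi visitor record."""
    parsed = parse_response(xml_text)
    problems = check_envelope(parsed)
    if problems:
        raise ValueError("; ".join(problems))
    attrs = parsed["attributes"]
    email = get_attribute(attrs, email_attr)
    if not email:
        raise ValueError(f"assertion carries no {email_attr} attribute")
    fullname = get_attribute(attrs, name_attr)
    return {
        "email": email[0],
        "fullname": fullname[0] if fullname else None,
        "profile": resolve_profile(attrs, custom_profile, group_attribute),
    }


if __name__ == "__main__":
    print(authorize_visitor(SAMPLE_RESPONSE, group_attribute=CLAIMS + "/profile"))
```

Note that a Visitor whose Azure AD group is not covered by any claim condition arrives with no profile claim at all, so the Custom Profile or the default "Guest" profile is what they get; if you want such users denied rather than downgraded, that has to be enforced on the Azure AD side (user assignment on the Enterprise Application) rather than through the claim.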
Troubleshooting
Azure AD redirection
A Visitor on the captive portal clicks "Corporate Access" but is not redirected to the Azure authentication page.
Check that traffic to the Azure URLs is allowed from the pre-authentication network (see Walled Garden).
Azure error message
A Visitor on the captive portal clicks "Corporate Access", is redirected to the Azure authentication page, enters an email address and password and signs in, then lands on an Azure error page.
First compare the Identifier (Entity ID) and Reply URL set in Basic SAML Configuration with the SAML URLs above; the Azure error page usually names the value it rejected. If they match, replay the process, perform an HTTP capture (Perform a Web Request capture in the web browser), and open a ticket with Cloudi-Fi support with the capture attached (see How to contact your support?).