Step-by-step instructions to set up SAML authentication for your Visitors located in APAC (Australia) with Cloudi-Fi and Okta.
Use case
The following sections provide step-by-step instructions to set up SAML authentication for your Visitors (in APAC, Australia) with Cloudi-Fi and Okta.
Prerequisites
Captive portal
Before starting the configuration, please make sure your captive portal supports "SAML Alternative" authentication. If the "Corporate Access" section is not available in your existing captive portal, please contact your Support team to update your captive portal (see How to contact your support?).
Walled Garden
Be sure to add the Okta domains listed in Set up a walled garden for your captive portal.
Warning: for Zscaler, do not add the * wildcard, as Zscaler does not recognise this character.
Get SAML Alternative URL
Navigate to the Cloudi-Fi Admin user interface (UI)
Go to Configuration > Auth modes > SAML Alternative and collect the necessary information:
Linkback URL
https://login-cn.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml_alt/************
- ***** is your Cloudi-fi public key (Go to your Cloudi-fi Admin interface > Settings > Company Account)
Cloudi-Fi Entity ID
https://login-alt-cn.cloudi-fi.net/
If SAML Alternative is not available, please open a ticket with Cloudi-Fi Support (see How to contact your Cloudi-Fi support?).
1. Create your Okta SAML application
Go to your Okta portal and switch to Classic UI mode.
Go to the Application section, and add a new application.
Click on Create a new Application Integration.
Then, select SAML 2.0.
In the General Settings page, define your App name (for instance: Cloudi-Fi Guest SAML) and click on Next.
In the Configure SAML page, enter the following:
- Linkback URL: https://login-cn.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml_alt/<company_key>
  - To find your <company_key>, go to the Cloudi-fi Admin interface > Settings and then Company Account.
- Cloudi-Fi Entity ID: https://login-alt-cn.cloudi-fi.net/
- Name ID format: EmailAddress
- Application username: Email
- Update application username on: Create and update
- Attribute Statement
  - Name: mail
  - Value: user.email
In the Feedback page, click on Finish.
Once the Cloudi-Fi application is created on Okta, click View SAML Setup Instructions to retrieve the technical information to be configured on the Cloudi-Fi portal.
The information needed is:
- Identity Provider Single Sign-On URL
- Identity Provider Issuer
- X.509 Certificate
2. Cloudi-Fi configuration
Before starting step 2, make sure you have all of the following information:
| Attribute name (in Okta) | Attribute name (in Cloudi-Fi) | Details |
| --- | --- | --- |
| Single sign-on URL | Linkback URL | https://login-cn.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml_alt/<company_key> |
| SP Entity ID | Cloudi-Fi Entity ID | https://login-alt-cn.cloudi-fi.net/ |
| Identity Provider Issuer | IdP EntityID | http://www.okta.com/********* |
| Identity Provider Single Sign-On URL | IdP Endpoint | https://******/app/****/*****/sso/saml |
| X.509 Certificate | IdP Signing Certificate (X.509, Base64) | |
| Attribute Statements / Name | Email_address Claims | |
Navigate to the Cloudi-Fi Admin user interface (UI)
Access Configuration > Auth modes > SAML
Enter the required values into the respective fields
Fill out the form as described below with the details previously retrieved from Okta:
- IdP EntityId = Identity Provider Issuer
- Binding Method = POST
- IdP Endpoint = Identity Provider Single Sign-On URL
- Logout Binding Method = POST
- IdP Signing Certificate = X.509 Certificate, pasted without the "BEGIN CERTIFICATE" and "END CERTIFICATE" marker lines
- Email attribute name = mail
Finally, click on Save.
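As an added check for step 2 (example code written for this article, not a Cloudi-Fi or Okta tool), the following Python assembles the Cloudi-Fi SAML form values from the three Okta setup values and your company key, strips the certificate markers as required above and verifies that what remains is Base64-encoded DER, and sanity-checks the URL shapes from the table. The Okta values and the company key are constructed placeholders.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed sample, in the shape of Okta's "View SAML Setup Instructions" values
# (placeholders only; the certificate body is a tiny DER SEQUENCE, not a real cert).
SAMPLE_OKTA_SETUP = {
    "Identity Provider Single Sign-On URL": "https://example.okta.com/app/exampleapp/abc123/sso/saml",
    "Identity Provider Issuer": "http://www.okta.com/abc123",
    "X.509 Certificate": "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"\x30\x03\x02\x01\x01").decode()
    + "-----END CERTIFICATE-----\n",
}


def normalize_certificate(pem_or_b64: str) -> str:
    """Return the single-line Base64 body expected in 'IdP Signing Certificate':
    markers and all whitespace removed, and checked to decode to DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_or_b64)
    body = "".join(body.split())
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("certificate is not valid Base64")
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:  # an X.509 certificate in DER always starts with a SEQUENCE tag
        raise ValueError("decoded certificate is not DER-encoded X.509")
    return body


def build_cloudifi_saml_form(okta: dict, company_key: str) -> dict:
    """Map the Okta setup values onto the Cloudi-Fi SAML form fields listed in step 2."""
    sso = okta["Identity Provider Single Sign-On URL"]
    issuer = okta["Identity Provider Issuer"]
    if urlparse(sso).scheme != "https" or not sso.endswith("/sso/saml"):
        raise ValueError("IdP Endpoint must be an https Okta .../sso/saml URL")
    if not issuer.startswith("http://www.okta.com/"):
        raise ValueError("IdP EntityId should be the Okta issuer (http://www.okta.com/...)")
    if not company_key or "/" in company_key:  # assumption: the key is a single path segment
        raise ValueError("company_key must be a single, non-empty path segment")
    return {
        "Linkback URL": f"https://login-cn.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml_alt/{company_key}",
        "Cloudi-Fi Entity ID": "https://login-alt-cn.cloudi-fi.net/",
        "IdP EntityId": issuer,
        "Binding Method": "POST",
        "IdP Endpoint": sso,
        "Logout Binding Method": "POST",
        "IdP Signing Certificate": normalize_certificate(okta["X.509 Certificate"]),
        "Email attribute name": "mail",
    }
```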
Troubleshooting
Okta redirection
A Visitor accesses the Captive portal and clicks on Corporate Access, but is not redirected to the Okta authentication page.
Please check that the traffic to the Okta URLs is allowed (see Walled Garden).
Okta error message
A Visitor accesses the Captive portal, clicks on Corporate Access and is redirected to the Okta authentication page. They enter their email address and password and click Sign in, then are redirected to an Okta error page.
Please replay the process while performing an HTTP capture (see Perform a Web Request capture in the web browser) and open a ticket with Cloudi-Fi support with the capture attached (see How to contact your support?).
What's Next?
Congratulations on enabling SAML authentication with Okta for your Visitors (in APAC, Australia).