Skip to main content

Search

Cloudi-Fi Knowledge Base

How to set up SAML authentication for your Visitors (in APAC, Australia) with Okta

Alexandre de THOMASSON
  • Updated

Step-by-step instructions to set up a SAML authentication for your Visitors located in APAC (in APAC, Australia) with Cloudi-Fi and Okta.

 

Use case

The following sections will provide step-by-step instructions to set up a SAML authentication for your Visitors (in APAC, Australia) with Cloudi-Fi and Okta.

 

Prerequisites

Captive portal

Before starting the configuration, please make sure your captive portal can support "SAML Alternative" authentication. If "Corporate Access" section is not available in your existing captive portal, please contact your Support team to update your captive portal (see How to contact your support?)

Cloudi-Fi Captive portal - SAML authentication.png

 

Walled Garden

Be sure to add the following Okta domains listed in Set up a walled garden for your captive portal

Warning : for Zscaler do not add the * as it does not recognise this character

 

Get SAML Alternative URL

Navigate to the Cloudi-Fi Admin user interface (UI)

Go to Configuration > Auth modes > SAML Alternative an collect the necessary information

 

Linkback URL

https://login-cn.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml_alt/************
  • *****  is your Cloudi-fi public key (Go to your Cloudi-fi Admin interface > Settings > Company Account)

Cloudi-Fi Entity ID

https://login-alt-cn.cloudi-fi.net/

 

If SAML Alternative is not available, please open a ticket to Cloudi-Fi Support (How to contact your Cloudi-Fi support ?)

 

1. Create your Okta SAML application

Go to your Okta portal and switch to Classic UI mode.

Go to the Application section, and add a new application.

Click on Create a new Application Integration.

cloudi-fi_okta_saml_create a new application_1.png

Then, select SAML 2.0

cloudi-fi_okta_saml_create a new application_2.png

In the General Settings page, define your App name (for instance : Cloudi-Fi Guest SAML) and click on Next  

cloudi-fi_okta_saml_create a new application_general settings_visitor APAC.png

In Configure SAML page

  • Linkback URL : 
    • https://login-cn.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml_alt/<company_key>
    • To find your <company_key> , go to the Cloudi-fi Admin interface > Settings and then Company Account.
  • Cloudi-Fi Entity ID
    • https://login-alt-cn.cloudi-fi.net/
  • Name ID format : EmailAddress
  • Application username : Email
  • Update application username on : Create and update
  • Attribute Statement
    • Name : mail
    • Value : user.email

cloudi-fi_okta_saml_create a new application_visitor APAC_configure SAML_1.png

 

cloudi-fi_okta_saml_create a new application_configure SAML_2.png

 

In Feedback page, click on Finish.

cloudi-fi_okta_saml_create a new application_feedback.png

 

Once the Cloudi-Fi application is created on Okta, click View SAML Setup Instructions to retrieve technical information to be configured on the Cloudi-Fi portal.

cloudi-fi_okta_saml_create a new application_end.png

cloudi-fi_okta_saml_create a new application_view SAML instructions_1.png

Here are needed information :

  • Identity Provider Single Sign-On URL

  • Identity Provider Issuer

  • X.509 Certificate

cloudi-fi_okta_saml_create a new application_view SAML instructions_2.png

2. Cloudi-Fi configuration

To start step 2, make ensure you have all of these information

Attributes_name
(in Okta)		 Attributes_name
(in Cloudi-Fi)		 Details
Single sign-on URL Linkback URL 
https://login-cn.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml_alt/<company_key>
SP Entity ID Cloudi-Fi Entity ID 
https://login-alt-cn.cloudi-fi.net/
Identity Provider Issuer

IdP EntityID

 
http://www.okta.com/*********
Identity Provider Signle Sign-On URL IdP Endpoint 
https://******/app/****/*****/sso/saml
X.509 Certificate IDP Signing Certificate (X509 (Base64)  
Attribute Statements / Name Email_address Claims 
mail

 

Navigate to the Cloudi-Fi Admin user interface (UI)

Access Configuration > Auth modes > SAML

Enter the required values into the respective fields

cloudi-fi_admin_saml alternative_okta_configuration.png

Fill out the form as described below with details previously retrieved on Okta : 

  • IdP EntityId = Identity Provider Issuer
  • Binding Method = POST
  • IdP Endpoint = Identity Provider Single Sign-On URL
  • Logout Binding Method = POST
  • IdP Signing Certificate = X.509 Certificate without "Begin Certificate" and "End certificate" markers
  • Email attribute name = mail

Finally, click on Save 

 

Troubleshooting

Okta redirection

A Visitor access to the Captive portal, he click on Corporate Access and he is not redirected to Okta Authentication page.

Please check that the traffic to Okta URLs is allowed. (see Walled Garden).

 

Okta error message

A Visitor access to the Captive portal, he click on Corporate Access and he is redirected to Okta authentication Page. He fills out his (email_address, password) and Sign-in. Then he is redirected to an Okta Error Page. 

Please replay the process and perform a HTTP capture (Perform a Web Request capture in the web browser) and open a ticket to Cloudi-Fi support with the capture attached (see How to contact your support?)

 

What's Next ?

Congratulations on enabling SAML authentication with Okta for your Visitors (in APAC, Australia).