Use case
The following sections provide step-by-step instructions for setting up SAML authentication for your Visitors with Cloudi-Fi and OneLogin.
Prerequisites
Captive portal
Before starting the configuration, please make sure your captive portal supports SAML authentication. If the "Corporate Access" section is not available in your existing captive portal, please contact your Support team to update your captive portal (see How to contact your support?).
Walled garden
Be sure to add the OneLogin domains listed in Set up a walled garden for your captive portal.
Warning: for Zscaler, do not add the * wildcard, as Zscaler does not recognise this character.
SAML URL
- Navigate to the Cloudi-Fi Admin user interface (UI)
- Go to "Configuration" > "Auth modes" > "SAML"
- Collect the necessary information
Linkback URL
https://login.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml/************
***** is your Cloudi-Fi public key (go to your Cloudi-Fi Admin interface > Settings > Company Account).
Cloudi-Fi Entity ID
https://login.cloudi-fi.net/
If "SAML" is not available, please open a ticket with Cloudi-Fi Support (see How to contact your Cloudi-Fi support?).
1. Create your OneLogin SAML application
- Go to your OneLogin portal
- Go to the Application section, and add a new application.
Then search for "SAML Custom Connector (Advanced)".
In the Configuration section, define your "App name" (for instance: Cloudi-Fi Guest SAML), enable "Visible in Portal" and Save.
In the Configuration section
- Audience (EntityId): Cloudi-Fi Entity ID (https://login.cloudi-fi.net/)
- Recipient: Linkback URL (https://login.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml/<company_key>) - see SAML URL
- ACS URL: Linkback URL (https://login.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml/<company_key>) - see SAML URL
- SAML NameID: Email
In the Parameters section, add a new field.
Then add "Email" as the Field Name, enable "Include in SAML assertion" and Save.
Then select "Email" as the value and Save.
Now that your Cloudi-Fi application is created on OneLogin, click "SSO" to retrieve the technical information to be configured on the Cloudi-Fi portal. The following information is needed:
- Issuer URL
- SAML 2.0 Endpoint
Then go to "View details" and copy the X.509 certificate.
2. Cloudi-Fi configuration
To start step 2, make sure you have all of this information:
- Issuer URL
- SAML 2.0 Endpoint
Attribute name (in OneLogin) | Attribute name (in Cloudi-Fi) | Details
--- | --- | ---
ACS URL | Linkback URL | https://login.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml/<company_key>
Recipient | Linkback URL | https://login.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml/<company_key>
Audience (EntityId) | Cloudi-Fi Entity ID | https://login.cloudi-fi.net/
SAML 2.0 Endpoint | IdP EntityID | https://*******.onelogin.com/trust/saml2/http-post/sso/******************
Issuer URL | IdP Endpoint | https://app.onelogin.com/saml/metadata/*****************
X.509 Certificate | IdP Signing Certificate (X.509, Base64) |
SAML NameID | Email address claim |
- Navigate to the Cloudi-Fi Admin user interface (UI)
- Access "Configuration" > "Auth modes" > "SAML"
- Enter the required values into the respective fields
Fill out the form as described below with details previously retrieved on OneLogin:
- IdP EntityId: SAML 2.0 Endpoint
- Binding Method: POST
- IdP Endpoint: Issuer URL
- Logout Binding Method: POST
- IdP Signing Certificate: the X.509 Certificate without the "BEGIN CERTIFICATE" and "END CERTIFICATE" marker lines (Base64 body only)
- Email attribute name: Email
Finally, click on Save
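The two steps most often done wrong here are pasting the certificate with its markers or line breaks still in place, and crossing the OneLogin values over to the right Cloudi-Fi fields. The following Python is an added example (not Cloudi-Fi or OneLogin code) that normalises a pasted certificate to the bare Base64 form, checks that it decodes to a DER SEQUENCE, and builds the Cloudi-Fi field values from the OneLogin SSO tab; the dictionary keys, the sample certificate and the URLs are constructed for the example.

```python
import base64
import re
from urllib.parse import urlparse

# Linkback URL pattern from the "SAML URL" section; <company_key> is the Cloudi-Fi company key.
ACS_TEMPLATE = "https://login.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml/{key}"

def strip_pem_markers(pem_text: str) -> str:
    """Return the bare Base64 body Cloudi-Fi expects in "IdP Signing Certificate":
    BEGIN/END markers and line breaks removed, then checked to decode to a DER
    SEQUENCE (the outer structure of every X.509 certificate)."""
    body = "".join(l.strip() for l in pem_text.splitlines() if not l.strip().startswith("-----"))
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("certificate body is not valid Base64 (markers or stray text left in?)")
    der = base64.b64decode(body, validate=True)
    # Tag 0x30 = SEQUENCE; 0x81..0x83 = long-form length encoded in 1..3 bytes.
    if len(der) < 4 or der[0] != 0x30 or not 0x81 <= der[1] <= 0x83:
        raise ValueError("decoded bytes are not a DER SEQUENCE, so not an X.509 certificate")
    n = der[1] & 0x7F
    if int.from_bytes(der[2:2 + n], "big") + 2 + n != len(der):
        raise ValueError("DER length mismatch: the certificate was truncated or has extra data")
    return body

def build_cloudifi_saml_config(onelogin: dict, company_key: str) -> dict:
    """Map the OneLogin SSO tab values onto the Cloudi-Fi SAML form fields
    (note the cross-over: SAML 2.0 Endpoint -> IdP EntityId, Issuer URL -> IdP Endpoint)
    and sanity-check that both are https URLs on a onelogin.com host."""
    for name in ("saml_2_0_endpoint", "issuer_url"):
        p = urlparse(onelogin[name])
        if p.scheme != "https" or not (p.netloc == "onelogin.com" or p.netloc.endswith(".onelogin.com")):
            raise ValueError(f"{name} must be an https URL on onelogin.com: {onelogin[name]}")
    if not company_key or "/" in company_key:
        raise ValueError("company_key is missing or malformed")
    return {
        "IdP EntityId": onelogin["saml_2_0_endpoint"],
        "Binding Method": "POST",
        "IdP Endpoint": onelogin["issuer_url"],
        "Logout Binding Method": "POST",
        "IdP Signing Certificate": strip_pem_markers(onelogin["x509_certificate"]),
        "Email attribute name": "Email",
        # SP-side values the OneLogin app must carry (ACS URL, Recipient, Audience).
        "expected_acs_url": ACS_TEMPLATE.format(key=company_key),
        "expected_audience": "https://login.cloudi-fi.net/",
    }

# Constructed sample: a 260-byte DER SEQUENCE of zeros stands in for a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode() + "-----END CERTIFICATE-----\n"
```

The structural DER check only catches copy-and-paste damage; it does not verify the certificate chain or expiry, which Cloudi-Fi checks when it validates the signed assertion.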
Troubleshooting
OneLogin redirection
A Visitor accesses the Captive portal and clicks "Corporate Access", but is not redirected to the OneLogin authentication page.
Please check that the traffic to OneLogin URLs is allowed. (see Walled Garden).
OneLogin error message
A Visitor accesses the Captive portal, clicks "Corporate Access", and is redirected to the OneLogin authentication page. He enters his email address and password and signs in, then is redirected to a OneLogin error page.
Please replay the process, perform an HTTP capture (see Perform a Web Request capture in the web browser), and open a ticket with Cloudi-Fi support with the capture attached (see How to contact your support?).
What's next?
Congratulations on enabling SAML authentication with OneLogin for your Visitors.