In the context of guest authentication, the concepts of session and identity are fundamental to understanding how access and interactions are managed for users.
1. Guest User Identity
An identity is a unique representation of a guest user within the system. It encompasses the attributes and credentials that define the guest and what they can do.
A user identity will be defined by the following attributes (see Cloudi-Fi Admin UI > Users > Accounts):
- Display name is a user-friendly identifier for the guest user. It is often the first name and last name (e.g., Robert Dupont).
- Login represents the credentials or identifier the guest uses to authenticate. This could be an email address (e.g., robert.dupont@gmail.com), phone number, or another unique identifier Cloudi-Fi uses to authenticate the guest.
- Creation date records when the guest identity was first created in the system.
- Status indicates the current state of the guest's identity (see Status of a visitor identity).
- Validity Start marks the beginning of the period when the guest's identity is considered valid. It can be used to automatically re-authenticate the user in case the authentication token expires.
- Validity End marks the expiration date and time of the guest's identity.
- Profiles define the duration of the user identity, that is, how long the user's credentials remain valid. They are configured in Admin UI > Users > Profiles.
See Cloudi-Fi Admin UI > Users > Accounts
2. Authentication Token
Once a user authenticates, a session is created, and this session typically involves storing information about the user's identity and authorization in a session token. The Session Lifetime defines how long this session is valid.
Session lifetime is configured in Cloudi-Fi Admin UI > Portals > Templates.
- Duration: Depending on the security requirements and use case, it can range from 1 hour to several hours.
- Expiry: When the session lifetime expires, the user is usually logged out automatically or asked to re-authenticate.
- Purpose: The purpose of session lifetime is to limit the risk of unauthorized access if a session token is stolen or the user forgets to log out.
See Cloudi-Fi Admin UI > Users > Authentications
Session status refers to the current state of a user's session. It indicates whether the session is active or expired.
- Green: The session token is currently valid and active, and the guest user is authenticated. This status usually persists until the session reaches its predefined lifetime.
- Grey: The session token has reached its end of life because the session lifetime has expired. Once a session has expired, the user typically needs to re-authenticate to regain access.
Authentication status refers to Cloudi-Fi's ability to recognize the guest user when he authenticates.
- Logged In: The visitor logs in for the first time.
- Returning: The visitor has a valid account but needs to be directly recognized by Cloudi-Fi. He has to reconnect by entering his login.
- Returning (auto): The visitor has a valid account and is transparently authenticated. Using Cloudi-Fi cookies, we can find a guest in our database. Then, we check his validity to authenticate him (or not) transparently.
Summary
Sessions (or tokens) and user identities work together. For example, a session's lifetime is less than or equal to the identity duration.
- Session Lifetime: defining the duration of the authentication session.
- User Identity: defining the duration for which the user will have permission to automatically re-authenticate in case the Session Lifetime has expired.
Example
Context
Cloudi-Fi Captive portal with a Meraki Integration
Authentication process
On Monday at 8 a.m., a user logs in for the first time using the captive portal.
- A token is assigned to the user (e.g., user1@company.cloudi-fi.net). This token is valid for 4 hours based on the Customer’s configuration (see session_lifetime in Admin UI > Portals > Templates).
- An identity is created (see Admin UI > Users > Accounts) with a validity of 5 days (i.e., until Friday) based on the Customer’s configuration (see profile_duration in Admin UI > Users > Profiles).
On Monday at midnight, the Meraki system tries to re-authenticate the user because the 4-hour session has expired.
- When the captive portal loads, Cloudi-Fi detects the user’s profile is valid until Friday.
- Instead of the regular login page, it shows a “Continue” button, allowing users to bypass re-entering their credentials.
On Saturday, the user logs in to the SSID with the same device.
- Since his identity was valid only up until the day before (i.e. Friday), the user will need to log in again through the full captive portal experience.
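The timeline above can be traced with a small model of how session lifetime and identity validity interact. This is an added example, not Cloudi-Fi code: the class and function names, the outcome labels, the sample login, the calendar dates and the exact Friday cut-off time are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Identity:
    login: str
    validity_start: datetime
    validity_end: datetime


@dataclass
class Session:
    login: str
    expires_at: datetime


def open_session(identity: Identity, now: datetime, session_lifetime: timedelta) -> Session:
    """Issue a session token; its lifetime must not exceed the identity duration."""
    if session_lifetime > identity.validity_end - identity.validity_start:
        raise ValueError("session_lifetime exceeds identity duration")
    return Session(identity.login, now + session_lifetime)


def portal_decision(now: datetime, identity: Optional[Identity],
                    session: Optional[Session], cookie_recognized: bool) -> str:
    """Decide what a connecting device gets at time `now`."""
    if session is not None and now < session.expires_at:
        return "session active"       # token still valid (green status)
    if identity is None or not (identity.validity_start <= now < identity.validity_end):
        return "full login"           # no valid identity: full captive portal
    if cookie_recognized:
        return "continue button"      # Returning (auto)
    return "enter login"              # Returning: the visitor re-enters the login


# Constructed sample values following the page's example: first login on a
# Monday at 8 a.m., 4-hour session, identity valid until Friday (cut-off assumed).
MON_8AM = datetime(2024, 1, 8, 8, 0)
IDENTITY = Identity("guest@example.com", MON_8AM, datetime(2024, 1, 12, 23, 59, 59))
SESSION = open_session(IDENTITY, MON_8AM, timedelta(hours=4))

if __name__ == "__main__":
    for label, when in [("Monday 10:00", datetime(2024, 1, 8, 10, 0)),
                        ("Monday midnight", datetime(2024, 1, 9, 0, 0)),
                        ("Saturday 09:00", datetime(2024, 1, 13, 9, 0))]:
        print(label, "->", portal_decision(when, IDENTITY, SESSION, cookie_recognized=True))
```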