In the context of guest authentication, the concepts of session and identity are fundamental to understanding how access and interactions are managed for users.
1. Guest User Identity
An identity refers to the unique representation of a guest user within the system. It encompasses the attributes and credentials that define who the guest is and what they are allowed to do.
A user identity will be defined by the following attributes (see Cloudi-Fi Admin UI > Users > Accounts):
- Display name is a user-friendly identifier for the guest user. It is often the first name and last name (e.g. Robert Dupont).
- Login represents the credentials or identifier the guest uses to authenticate. This could be an email address (e.g. robert.dupont@gmail.com), phone number, or another unique identifier that Cloudi-Fi uses to authenticate the guest.
- Creation date records when the guest identity was first created in the system
- Status indicates the current state of the guest identity (see Status of a visitor identity)
- Validity Start marks the beginning of the period during which the guest identity is considered valid and can be used to automatically re-authenticate the user if the authentication token has expired.
- Validity End marks the expiration date and time of the guest identity.
- Profile defines the duration of the user identity. This is more about the validity of the user's credentials. Profiles are configured in Admin UI > Users > Profiles.
2. Authentication Token
Once a user authenticates, a session is created, and this session typically involves storing information about the user's identity and authorization in a session token. The Session Lifetime defines how long this session is valid.
Session lifetime is configured in Cloudi-Fi Admin UI > Portals > Templates.
- Duration: It can range from 1 hour to several hours, depending on the security requirements and use case.
- Expiry: When the session lifetime expires, the user is usually logged out automatically or asked to re-authenticate.
- Purpose: The purpose of session lifetime is to limit the risk of unauthorized access if a session token is stolen or if the user forgets to log out.
see Cloudi-Fi Admin UI > Users > Authentications
Session status refers to the current state of a user's session. It indicates whether the session is active or expired:
- Green: the session token is currently valid and active. The guest user is authenticated. This status usually persists until the session reaches its predefined session lifetime.
- Grey: the session token has reached its end of life because the session lifetime has expired. Once a session is expired, the user typically needs to re-authenticate to regain access.
Authentication status refers to Cloudi-Fi's ability to recognise the guest user when they authenticate:
- Logged In: the visitor logs in for the first time.
- Returning: the visitor has a valid account but is not directly recognised by Cloudi-Fi. They have to reconnect by entering their login.
- Returning (auto): the visitor has a valid account and is transparently authenticated. Using Cloudi-Fi cookies, we can find the guest in our database, then check the validity of the identity to decide whether to authenticate them transparently.
Summary
Sessions (or tokens) and user identities work together. For example, a session has a lifetime less than or equal to the identity duration.
- Session Lifetime: defining the duration of the authentication session.
- User Identity: defining the duration the user will have permissions to automatically re-authenticate in case the Session Lifetime has expired.
Example
Context
Cloudi-Fi Captive portal with a Meraki Integration
Authentication process
On Monday at 8 AM, a user logs in for the first time using the captive portal.
- A token is assigned to the user (e.g. user1@company.cloudi-fi.net). This token is valid for 4 hours based on the customer's configuration (see session_lifetime in Admin UI > Portals > Templates).
- An identity is created (see Admin UI > Users > Accounts) with a validity of 5 days (i.e. until Friday) based on the customer's configuration (see profile_duration in Admin UI > Users > Profiles).
On Monday at 12 AM, the Meraki system tries to re-authenticate the user because the 4-hour session has expired.
- When the captive portal loads, Cloudi-Fi detects that the user’s profile is still valid until Friday.
- Instead of showing the regular login page, it shows a “Continue” button, allowing the user to bypass re-entering their credentials.
On Saturday, the user logs in to the SSID with the same device.
- Since his identity was valid only up until the day before (i.e. Friday), the user will need to log in again through the full captive portal experience.
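The decision described in this example can be modelled as follows. This is an added illustration, not Cloudi-Fi code: the class and function names, the returned action strings, the calendar dates and the choice of "end of Friday" as Validity End are all assumptions made for the sketch.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Identity:
    login: str
    validity_start: datetime
    validity_end: datetime

    def is_valid(self, now: datetime) -> bool:
        return self.validity_start <= now <= self.validity_end


@dataclass
class Session:
    expires_at: datetime  # login time + session lifetime

    def is_active(self, now: datetime) -> bool:
        return now < self.expires_at


def portal_action(now: datetime, session: Optional[Session],
                  identity: Optional[Identity], cookie_recognised: bool) -> str:
    """Hypothetical model of what the guest sees when the portal is reached."""
    if session is not None and session.is_active(now):
        return "access"            # session status Green, nothing to do
    if identity is None or not identity.is_valid(now):
        return "full_login"        # no usable identity: full captive portal
    if cookie_recognised:
        return "continue_button"   # "Returning (auto)": transparent re-auth
    return "enter_login"           # "Returning": guest re-enters the login


def page_timeline() -> dict:
    """Replay the Monday-to-Saturday example with constructed dates."""
    monday_8am = datetime(2024, 1, 8, 8, 0)         # constructed: a Monday
    friday_end = datetime(2024, 1, 12, 23, 59, 59)  # assumption: end of Friday
    ident = Identity("robert.dupont@gmail.com", monday_8am, friday_end)
    sess = Session(monday_8am + timedelta(hours=4))  # 4-hour session lifetime
    return {
        "monday_10:00": portal_action(datetime(2024, 1, 8, 10, 0), sess, ident, True),
        "monday_12:30": portal_action(datetime(2024, 1, 8, 12, 30), sess, ident, True),
        "monday_12:30_no_cookie": portal_action(datetime(2024, 1, 8, 12, 30), sess, ident, False),
        "saturday_09:00": portal_action(datetime(2024, 1, 13, 9, 0), sess, ident, True),
    }
```

The order of the checks is the point: the identity's validity window, not the cookie, is what bounds how long a device can skip the login page after its session token has expired.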