This detailed guide walks you through configuring SAML authentication for your captive portal visitors using Ping Identity as an identity provider.
Use case
This guide provides step-by-step instructions to set up SAML authentication for your visitors with Cloudi-Fi and Ping Identity.
Prerequisites
Captive portal
Before configuring, please ensure your captive portal supports SAML authentication. If the "Corporate Access" section is unavailable in your existing captive portal, please contact Cloudi-Fi's Support team to update your captive portal (see How to contact your support?).
Walled Garden
Be sure to add the Ping Identity domains listed in the article Set up a Walled Garden for your captive portal to your walled garden.
Warning: for Zscaler, do not add the * wildcard, as Zscaler does not recognize this character.
SAML URLs
For context, in this SAML authentication use case, Cloudi-Fi acts as the SP (Service Provider) and Ping Identity as the IdP (Identity Provider). The IdP will authenticate and redirect users back to the SP.
To set up a SAML application in Ping Identity, you will need the entity ID of the Service Provider (Cloudi-Fi):
- Log into the Cloudi-Fi Admin Console
- Navigate to "Settings" > "Auth modes" > "SAML"
- Collect the necessary information:
  - Cloudi-Fi Entity ID: https://login.cloudi-fi.net
  - Linkback URL: https://login.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml/************
  - The ************ part is your Cloudi-Fi public key (it can be found in the Cloudi-Fi Admin interface > Settings > Company Account)
You can copy the Linkback URL with the public key attached directly from the SAML page. This page is where you will insert the information you will gather from Ping Identity in section 2:
1. Create a SAML application on Ping Identity
Login to the Ping Identity console and navigate to Applications and select the + sign to add a new application.
Fill in the essential details of your SAML application and click Configure:
- App Name: Choose a distinctive name that resonates with your web app's functionality.
- Description: An optional description of your web app's purpose or functionality.
- Application Type: choose SAML Application.
Choose "Manually Enter" and fill in the URLs you collected in the prerequisites section:
- ACS URLs: the Linkback URL you copied from Cloudi-Fi's SAML page in the prerequisites section.
- Entity ID: https://login.cloudi-fi.net. Note that https://login.cloudi-fi.net/ results in an error, so make sure to drop the trailing forward slash.
Congrats, your SAML application is now set up on Ping Identity. You must now get the information you need from your application (section 2) and fill it in Cloudi-Fi's Admin Console (section 3).
2. Collect the necessary information from your SAML application
First, turn on the application and navigate to the 'Configuration' tab.
Copy the fields:
- Issuer ID (will match IdP EntityId on Cloudi-Fi end).
- Single Signon Service (will match IdP Endpoint on Cloudi-Fi end).
Download the Signing Certificate X509 PEM file containing all the necessary SAML details.
Open the file with a text editor of your choice and copy the certificate body without the BEGIN CERTIFICATE and END CERTIFICATE lines.
Alternatively, you can download the metadata file, which contains all the necessary SAML details you have gathered so far:
- Issuer ID
- Single Signon Service
- Signing Certificate
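Whether you copy the values field by field or download the metadata file, the three items Cloudi-Fi asks for (IdP EntityId, IdP Endpoint, IdP Signing Certificate) are all present in standard SAML 2.0 IdP metadata. The following script is an added example for this article, not Cloudi-Fi or Ping Identity code: it reads a metadata document, maps the values onto the Cloudi-Fi field names, strips the BEGIN/END markers and line breaks from the certificate exactly as step 2 asks, and also checks the SP Entity ID caveat from step 1 (no trailing slash). The metadata is a constructed sample with placeholder environment id and certificate body; the function names are this example's own.

```python
"""Pull the IdP values Cloudi-Fi asks for out of a PingOne SAML metadata file.

Added example for this article; not Cloudi-Fi or Ping Identity code. The
metadata below is a constructed sample in the standard SAML 2.0 metadata
format, with a placeholder environment id and certificate body.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: the shape of a PingOne IdP metadata download, placeholder values.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://auth.pingone.eu/ENV-ID-PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            MIIBplaceholderCertBody
            AAAA
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://auth.pingone.eu/ENV-ID-PLACEHOLDER/saml20/idp/sso"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://auth.pingone.eu/ENV-ID-PLACEHOLDER/saml20/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def strip_pem_markers(pem: str) -> str:
    """Return only the base64 body of a PEM certificate: no BEGIN/END lines,
    no line breaks. This is the text to paste into 'IdP Signing Certificate'."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return "".join(body.split())


def parse_idp_metadata(xml_text: str) -> dict:
    """Map an IdP metadata document onto the Cloudi-Fi field names."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor found: this is not IdP metadata")

    # Assumption: prefer the HTTP-Redirect SSO endpoint, fall back to any binding.
    # In PingOne both bindings share one URL, so either choice gives the same value.
    by_binding = {s.get("Binding"): s.get("Location")
                  for s in idp.findall("md:SingleSignOnService", NS)}
    if not by_binding:
        raise ValueError("no SingleSignOnService in metadata")
    endpoint = by_binding.get(REDIRECT_BINDING) or next(iter(by_binding.values()))

    # A KeyDescriptor with use="signing" (or no use attribute, meaning both) holds the cert.
    cert_path = "ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    cert_el = idp.find(f"md:KeyDescriptor[@use='signing']/{cert_path}", NS)
    if cert_el is None:
        cert_el = idp.find(f"md:KeyDescriptor/{cert_path}", NS)
    if cert_el is None or not cert_el.text:
        raise ValueError("no X509Certificate in metadata")

    return {
        "IdP EntityId": root.get("entityID"),
        "IdP Endpoint": endpoint,
        "IdP Signing Certificate": strip_pem_markers(cert_el.text),
    }


def entity_id_has_no_trailing_slash(value: str) -> bool:
    """Step 1 caveat: Ping rejects the SP Entity ID when it ends with '/'."""
    return value.startswith("https://") and not value.endswith("/")


if __name__ == "__main__":
    for field, value in parse_idp_metadata(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
    print("SP Entity ID ok:", entity_id_has_no_trailing_slash("https://login.cloudi-fi.net"))
```

Run it against a real metadata download by replacing SAMPLE_METADATA with the file contents; the three printed values go straight into the fields described in section 4.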
The last action on the Ping Identity side is to map the attribute to an email address, as users will authenticate with Ping Identity using their email address.
Map the attribute "saml_subject" to "Email Address" under PingOne Mappings.
3. Terminology Mapping Between Ping Identity and Cloudi-Fi
This table provides a side-by-side comparison of key terms as they are named in the two systems, highlighting their equivalent functionalities.
| Attribute Name in Ping Identity | Attribute Name in Cloudi-Fi | Details |
|---|---|---|
| ACS URLs | Linkback URL | https://login.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml/<company_APIkey> |
| Entity ID | Entity ID | https://login.cloudi-fi.net |
| Issuer ID | IdP EntityId | https://auth.pingone.eu/****** |
| Single Signon Service | IdP Endpoint | https://auth.pingone.eu/******/saml20/idp/sso |
| Signing Certificate | IdP Signing Certificate | |
| Attribute Mapping | Email attribute name | saml_subject mapped to Email Address |
4. Configure Cloudi-Fi's Admin Console
On Cloudi-Fi's Admin Console navigate to Settings > Auth modes > SAML.
Enter the necessary SAML details gathered from Ping Identity:
- IdP EntityId on Cloudi-Fi: Issuer ID on Ping Identity.
- IdP Endpoint on Cloudi-Fi: Single Signon Service on Ping Identity.
- IdP Signing Certificate: Enter the X.509 certificate details, excluding the "Begin Certificate" and "End Certificate" markers.
- Email attribute name: Enter the exact text saml_subject; this is the attribute you mapped to an email address in the previous step.
Finally, click Save.
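The "Email attribute name" field has to match the attribute name in the assertion exactly (case included), and the Issuer of the assertion has to match the IdP EntityId you entered. The script below is an added example for this article, not Cloudi-Fi or Ping Identity code: it parses a SAML assertion, looks up the configured attribute by exact name, and reports the two mismatches that most often break the mapping configured in sections 2 and 4. The assertion is a constructed, unsigned sample with placeholder values; the script does not verify signatures (that is the SP's job, using the IdP Signing Certificate), so it is for inspecting names and values only.

```python
"""Check the SP-side 'Email attribute name' and IdP EntityId against a SAML assertion.

Added example for this article; not Cloudi-Fi or Ping Identity code. The
assertion below is a constructed sample with placeholder values. Signatures are
not verified here.
"""
from typing import Optional
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, in the shape a PingOne SAML application emits.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://auth.pingone.eu/ENV-ID-PLACEHOLDER</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alex@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="saml_subject">
      <saml:AttributeValue>alex@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="givenName">
      <saml:AttributeValue>Alex</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def assertion_attributes(xml_text: str) -> dict:
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def assertion_issuer(xml_text: str) -> str:
    """Return the Issuer, which must equal the IdP EntityId configured on the SP."""
    root = ET.fromstring(xml_text)
    el = root.find("saml:Issuer", SAML_NS)
    return (el.text or "").strip() if el is not None else ""


def resolve_email(xml_text: str, email_attribute_name: str) -> Optional[str]:
    """Look up the configured attribute by exact, case-sensitive name.
    'SAML_Subject' or 'email' will NOT match an attribute named 'saml_subject'."""
    values = assertion_attributes(xml_text).get(email_attribute_name)
    return values[0] if values else None


def diagnose(xml_text: str, email_attribute_name: str, expected_issuer: str) -> list:
    """Return human-readable findings for the two most common mismatches."""
    findings = []
    issuer = assertion_issuer(xml_text)
    if issuer != expected_issuer:
        findings.append(f"Issuer {issuer!r} does not match IdP EntityId {expected_issuer!r}")
    if resolve_email(xml_text, email_attribute_name) is None:
        sent = sorted(assertion_attributes(xml_text))
        findings.append(f"no attribute named {email_attribute_name!r}; IdP sent {sent}")
    return findings


if __name__ == "__main__":
    expected = "https://auth.pingone.eu/ENV-ID-PLACEHOLDER"
    print("email:", resolve_email(SAMPLE_ASSERTION, "saml_subject"))
    print("findings with correct config:", diagnose(SAMPLE_ASSERTION, "saml_subject", expected))
    print("findings with wrong name:", diagnose(SAMPLE_ASSERTION, "email", expected))
```

To use it on a real assertion, paste the base64-decoded SAMLResponse body from a browser capture in place of SAMPLE_ASSERTION and pass the IdP EntityId you entered in Cloudi-Fi as expected_issuer; an empty findings list means the names line up.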
Congrats! Your Wi-Fi users (for example, your employees) can now authenticate using Ping Identity SAML authentication if they choose "Corporate Access" from the captive portal authentication methods.
Troubleshooting
Ping Identity redirection
A Wi-Fi user accesses the captive portal, chooses "Corporate Access," and is not redirected to the Ping Identity Authentication page.
Please check that traffic to the Ping Identity URLs is allowed (see Walled Garden).
Ping Identity error message
A Wi-Fi user accesses the captive portal, chooses "Corporate Access," and is redirected to the Ping Identity authentication page. The user fills in the necessary information to authenticate and sign in, and is then redirected to a Ping Identity error page.
Please replay the process, perform an HTTP capture (Perform a Web Request capture in the web browser), and open a ticket to Cloudi-Fi support with the capture attached (see How to contact your support?).