Step-by-step instructions to set up SAML authentication for your Visitors with Cloudi-Fi and Microsoft Active Directory Federation Services (ADFS).
Use case
The following sections will provide step-by-step instructions for setting up SAML authentication for your Cloudi-Fi users with Cloudi-Fi and Microsoft ADFS.
Prerequisites
Captive portal
Before configuring, please ensure your captive portal can support SAML authentication. If the "Corporate Access" section is unavailable in your existing captive portal, please contact your Support team to update it (see How to contact your support?).
Walled Garden
Be sure to add your ADFS domains to the walled garden (the allow list that applies before authentication).
Warning: for Zscaler, do not use the * wildcard in walled garden entries, as Zscaler does not recognize this character.
SAML URLs
- Log into the Cloudi-Fi Admin User Interface.
- Navigate through the menu to the "Configuration" option.
- Select "Auth modes" within the Configuration settings to see the available authentication options.
- Choose SAML as the setup mode and gather the required details:
Linkback URL
https://login.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml/************
- ***** is your Cloudi-Fi public key (go to your Cloudi-Fi Admin interface > Settings > Company Account).
Cloudi-Fi Entity ID
https://login.cloudi-fi.net/
1. Add a SAML Configuration
- Access the AD FS management tool to retrieve essential information and configure settings for integration with Cloudi-Fi.
- Right-click AD FS from the left panel and select "Edit Federation Service Properties" to obtain the Federation Service identifier.
- Paste the obtained Federation Service identifier into the Login Endpoint field.
- Proceed to the AD FS Service Endpoints tab within the AD FS management tool.
- Search for the URL path corresponding to Type SAML 2.0/WS-Federation, and copy it for further configuration.
Go back to the Cloudi-Fi interface (Settings > Auth modes) and paste the path, prefixed with your server URL (e.g., https://<your ADFS server>/adfs/ls), into the IDP Endpoint field.
From the AD FS management tool, go to AD FS > Service > Certificates, right-click the certificate under Token-signing, and click View Certificate. In the Certificate dialog, go to the Details tab and click Copy to File.
The Certificate Export Wizard opens. Click Next and export the certificate as Base-64 encoded X.509 (.CER).
Open the exported certificate file and copy its contents, without the "BEGIN CERTIFICATE" and "END CERTIFICATE" markers. Go back to the Cloudi-Fi interface and paste the value into the IdP Signing Certificate (x509 format) field.
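As an added helper (not part of the Cloudi-Fi documentation or product), this Python snippet prepares the exported .CER for the IdP Signing Certificate field: it strips the BEGIN/END markers, checks that the base64 body decodes to a complete DER structure (an incompletely copied certificate is a common cause of assertion signature failures), and returns the SHA-1 thumbprint to compare with the Token-signing certificate shown in the AD FS console. The embedded certificate body is a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed placeholder standing in for the file produced by the AD FS
# "Copy to File" wizard (Base-64 encoded X.509 .CER). The body is a tiny
# DER SEQUENCE used only to exercise the checks; it is not a certificate.
SAMPLE_CER = """-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def der_length(der: bytes) -> int:
    """Total encoded length of the outer DER SEQUENCE (tag + length + value)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE: a certificate starts with 0x30")
    first = der[1]
    if first < 0x80:  # short-form length
        return 2 + first
    n = first & 0x7F  # long form: the next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def prepare_idp_cert(pem_text: str) -> dict:
    """Strip PEM markers, sanity-check the body, and return what the admin needs:
    the single-line base64 for Cloudi-Fi's 'IdP Signing Certificate (x509 format)'
    field, the DER bytes, and the SHA-1 thumbprint as the AD FS console shows it."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no BEGIN/END CERTIFICATE block found in the input")
    body = "".join(m.group(1).split())  # drop the 64-column line breaks
    der = base64.b64decode(body, validate=True)  # binascii.Error is a ValueError
    if der_length(der) != len(der):
        raise ValueError("DER length mismatch: the certificate body is incomplete")
    return {
        "base64": body,
        "der": der,
        "sha1_thumbprint": hashlib.sha1(der).hexdigest().upper(),
    }
```

Run `prepare_idp_cert(open("token-signing.cer").read())` on your own export and compare the thumbprint with the one listed under AD FS > Service > Certificates before pasting the base64 value.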
2. Create a relying party trust
From the AD FS management tool, expand AD FS from the left panel, select Relying Party Trusts, and click Add Relying Party Trust.
Select Claims Aware and then select Enter data about relying party manually and click Next.
Give it a name and a description, and then click Next.
On the Configure Certificate step, download the Cloudi-Fi SAML public certificate, click Browse, and add the certificate.
Select Enable support for the SAML 2.0 WebSSO protocol on the Configure URL.
From Cloudi-Fi, copy the Identifier (Entity ID), paste the value into the Relying party SAML 2.0 SSO Service URL field, and click Next.
From the Cloudi-Fi interface, get the Reply URL (Assertion Consumer Service URL), paste the value into the Relying party trust identifier field, click Add, and then click Next.
From the access control policy lists, select Permit Everyone and click Next.
Check the parameters on the Ready to Add Trust tab, click Next, and then close the wizard.
3. Edit claim rules
From the AD FS management tool, go to Relying Party Trust, right-click on the relying party trust you recently added, click Edit Claim Issuance Policy, and then add a new Rule.
Select Send LDAP Attributes as Claims.
Give it a name and add the mapping as follows.
From the Cloudi-Fi interface, configure it as follows:
Email Attribute name: Claim name corresponding to the E-mail-Addresses value (email).
Fullname attribute: Claim name corresponding to the Display-Name value (Name).
If you have any questions, please contact us - How to contact your support?