Step-by-step instructions to set up a SAML authentication for your Visitors with Cloudi-Fi and Azure.
Use case
The following sections provide step-by-step instructions to set up SAML authentication for your Visitors with Cloudi-Fi and Azure.
Prerequisites
Captive portal
Before starting the configuration, please make sure your captive portal supports SAML authentication. If the "Corporate Access" section is not available in your existing captive portal, please contact your Support team to update your captive portal (see How to contact your support?)
Walled Garden
Be sure to add the AzureAD domains listed in Set up a walled garden for your captive portal.
Warning: for Zscaler, do not add the * wildcard, as Zscaler does not recognise this character.
SAML URLs
- Navigate to the Cloudi-Fi Admin user interface (UI)
- Go to "Configuration" > "Auth modes" > "SAML"
- Collect the necessary information:
  - Linkback URL: https://login.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml/************ (************ is your Cloudi-fi public key; go to your Cloudi-fi Admin interface > Settings > Company Account)
  - Cloudi-Fi Entity ID: https://login.cloudi-fi.net/
1. Create Azure AD SAML app
- Navigate to the "Enterprise applications" section
- Add a new application
- Click on "Create your own application"
- Set a specific name for the application (example: Cloudi-Fi Guest SAML)
- Opt for the third option: "Integrate any other application you don't find in the gallery (Non-gallery)"
- After creating the application, navigate to "Single sign-on"
- Select "SAML" as the sign-on method
- Access "Basic SAML Configuration" to edit settings
- Update the "Linkback URL" with https://login.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml/************ where ************ represents your Cloudi-fi public key
- To find your Cloudi-fi public key, go to the Cloudi-fi Admin interface, navigate to "Settings", then "Company Account"
- Set the "Cloudi-Fi Entity ID" as https://login.cloudi-fi.net/
- Go to section "(2) Attributes & Claims" and collect the claim URLs (Email_address and Given_name)
- For the certificate:
  - Go to "(3) SAML Certificates"
  - Download the "Certificate (Base64)"
- To collect the URLs:
  - Proceed to "(4) Set up Your Application"
  - Collect the necessary URLs:
    - Login URL
    - Microsoft Entra Identifier
    - Logout URL
2. Configure Single Sign-On
To start step 2, make sure you have all of this information:
| Attribute | Details |
| --- | --- |
| Linkback URL | https://login.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml/******** |
| Cloudi-Fi Entity ID | https://login.cloudi-fi.net/ |
| Login URL | https://login.microsoftonline.com/*********/saml2 |
| Microsoft Entra Identifier | https://sts.windows.net/*********/ |
| Logout URL | https://login.microsoftonline.com/***********/saml2 |
| Certificate (Base64) | |
| Email_address Claims | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
| Given_name Claims | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname |
2.1. On Set up Single Sign-On with SAML Page
- Navigate to "Single sign-on" and then to "Basic SAML Configuration"
- For "Identifier (Entity ID)": Use the Cloudi-Fi Entity ID (refer to SAML URLs)
- For "Reply URL (Assertion Consumer Service URL)": Enter the Linkback URL (refer to SAML URLs)
- For "Sign on URL": Input the Cloudi-Fi Entity ID (refer to SAML URLs)
2.2. On Cloudi-Fi Side
- Navigate to the Cloudi-Fi Admin user interface (UI)
- Access "Configuration" > "Auth modes" > "SAML"
- Enter the required values into the respective fields:
  - IdP EntityId: Microsoft Entra Identifier (see Step 1: Create Azure AD SAML app)
  - Binding Method: POST
  - IdP Endpoint: Login URL (see Step 1: Create Azure AD SAML app)
  - Logout Binding Method (Optional): POST
  - Logout Endpoint: Logout URL (see Step 1: Create Azure AD SAML app)
  - IdP Signing Certificate (x509 format): paste the content of Certificate (Base64) (see Step 1: Create Azure AD SAML app) without the "BEGIN CERTIFICATE" and "END CERTIFICATE" markers
  - Email attribute name: emailaddress (see Step 1: Create Azure AD SAML app)
  - Fullname Attribute (Optional): givenname (see Step 1: Create Azure AD SAML app)
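Added example, not code from the article or from Cloudi-Fi or Microsoft: a small Python helper that checks the values collected in Step 1 against the URL shapes in the table above (same tenant in Login URL, Logout URL and Entra Identifier; a supported Entity ID; the full claim URIs) and strips the BEGIN/END markers from the Certificate (Base64) as the "IdP Signing Certificate" field expects. The dictionary key names, the regular expressions and the DER sanity check are this example's own assumptions.

```python
import base64
import re

# URL shapes and claim URIs as shown in the article (the *** in the Azure URLs is the tenant ID).
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
ENTITY_IDS = ("https://login.cloudi-fi.net/", "https://login-cn.cloudi-fi.net/")
AZURE_SAML_RE = re.compile(r"^https://login\.microsoftonline\.com/([^/]+)/saml2$")
ENTRA_ID_RE = re.compile(r"^https://sts\.windows\.net/([^/]+)/$")


def pem_body(cert_text: str) -> str:
    """Base64 body Cloudi-Fi expects in 'IdP Signing Certificate': no BEGIN/END markers, no
    line breaks. Raises ValueError if it is not Base64 or not DER (X.509 starts with 0x30)."""
    lines = [line.strip() for line in cert_text.strip().splitlines()]
    body = "".join(line for line in lines if not line.startswith("-----"))
    der = base64.b64decode(body, validate=True)  # binascii.Error is a ValueError subclass
    if not der or der[0] != 0x30:
        raise ValueError("certificate body does not decode to an X.509 DER structure")
    return body


def check_config(cfg: dict) -> list:
    """Check the values collected in Step 1; returns a list of problems (empty = consistent)."""
    problems, tenants = [], set()
    for key, pattern, shape in (
        ("login_url", AZURE_SAML_RE, "https://login.microsoftonline.com/<tenant>/saml2"),
        ("logout_url", AZURE_SAML_RE, "https://login.microsoftonline.com/<tenant>/saml2"),
        ("entra_identifier", ENTRA_ID_RE, "https://sts.windows.net/<tenant>/"),
    ):
        m = pattern.match(cfg.get(key, ""))
        if m:
            tenants.add(m.group(1))
        else:
            problems.append("%s must look like %s" % (key, shape))
    if len(tenants) > 1:
        problems.append("Login URL, Logout URL and Entra Identifier point at different tenants")
    if cfg.get("entity_id") not in ENTITY_IDS:
        problems.append("entity_id must be one of: " + ", ".join(ENTITY_IDS))
    # Cloudi-Fi takes the short names 'emailaddress'/'givenname'; Azure emits the full claim URI.
    for short in ("emailaddress", "givenname"):
        if cfg.get(short + "_claim") != CLAIMS_NS + "/" + short:
            problems.append("%s claim must be %s/%s" % (short, CLAIMS_NS, short))
    try:
        pem_body(cfg.get("certificate", ""))
    except ValueError as exc:
        problems.append("certificate: %s" % exc)
    return problems
```

Run it on the values you collected before pasting them into the Cloudi-Fi SAML form; a non-empty list points at the row of the table that needs another look.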
3. Set your Visitor_profile (Optional)
Option 1: Default
Cloudi-Fi automatically assigns the "Guest" profile to all new visitors using "Corporate Access" (refer to Cloudi-Fi Admin UI > Users > Profiles).
Option 2
If you want a specific Visitor_Profile for users using "Corporate Access", go to Cloudi-Fi Admin UI > Users > Profiles and create a new profile (e.g. SAML).
Then, in Cloudi-Fi Admin UI, select Configuration > Auth modes > SAML and set the "Custom Profile" to the profile you just created (for instance, "SAML").
Option 3
If you want to assign a Visitor_Profile based on the Azure AD group the user belongs to, go to AzureAD UI > Enterprise Applications > Your Application (created in Step 1: Create Azure AD SAML app) > Single sign-on > (2) Attributes & Claims and create an additional claim:
- Name (e.g. profile)
- Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims
In the Claim conditions, add one condition per profile you want to allow on the Cloudi-Fi interface:
- User type: Members or Any
- Scoped Groups: Select the Groups allowed to have access to Cloudi-Fi Admin Console
- Source: Attribute
- Value: the profile value (profile name defined in Cloudi-Fi Admin UI > Users > Profiles)
Then, go to Cloudi-Fi Admin UI > Configuration > Auth modes > SAML and set:
- Group Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/profile
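Added example, not part of the article or of Cloudi-Fi's product: a Python snippet that parses a constructed Azure-style SAML AttributeStatement, reads the emailaddress, givenname and profile claims by the claim URIs used in this article, and picks the Visitor_Profile from the Group Attribute. It falls back to the "Guest" default of Option 1 when the profile claim is missing or names a profile that does not exist in Cloudi-Fi; that fallback rule, the sample values and the function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
# Attribute names as Azure emits them: the claim namespace from the article plus the claim name.
EMAIL_ATTR = CLAIMS_NS + "/emailaddress"
GIVENNAME_ATTR = CLAIMS_NS + "/givenname"
PROFILE_ATTR = CLAIMS_NS + "/profile"  # "profile" is the example claim name from Option 3

# Constructed AttributeStatement fragment (not a capture), shaped like Azure's SAML attributes.
SAMPLE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="%s">
    <saml:AttributeValue>visitor@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="%s">
    <saml:AttributeValue>Alex</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="%s">
    <saml:AttributeValue>SAML</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>""" % (EMAIL_ATTR, GIVENNAME_ATTR, PROFILE_ATTR)


def extract_attributes(statement_xml: str) -> dict:
    """Map each SAML Attribute Name to the list of its AttributeValue texts."""
    root = ET.fromstring(statement_xml)
    attrs = {}
    for attr in root.findall("saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def resolve_profile(attrs: dict, known_profiles: set, default: str = "Guest") -> str:
    """Pick the Visitor_Profile from the Group Attribute (Option 3). Falls back to the
    default "Guest" profile (Option 1) when the claim is absent or carries a value that is
    not a profile defined in Cloudi-Fi Admin UI > Users > Profiles (assumed behaviour)."""
    for value in attrs.get(PROFILE_ATTR, []):
        if value in known_profiles:
            return value
    return default
```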
Troubleshooting
Azure AD redirection
A Visitor accesses the captive portal, clicks on "Corporate Access" and is not redirected to the Azure authentication page.
Please check that the traffic to the Azure URLs is allowed (see Walled Garden).
Azure error message
A Visitor accesses the captive portal, clicks on "Corporate Access" and is redirected to the Azure authentication page. He fills in his email address and password and signs in, then is redirected to an Azure error page.
Please replay the process while performing an HTTP capture (a web request capture in the web browser) and open a ticket with Cloudi-Fi support with the capture attached (see How to contact your support?)
Azure error message for Visitors from China, Australia
A Visitor accesses the captive portal, clicks on "Corporate Access" and is redirected to the Azure authentication page. He fills in his email address and password and signs in. Users connecting from China or Australia get an error while all others can authenticate.
Users in China and Australia use a different "Cloudi-Fi Entity ID" (in place of https://login.cloudi-fi.net/):
https://login-cn.cloudi-fi.net/
Please follow this article: How to set up SAML authentication for your Visitors (China, Australia) with Microsoft Azure