How to set up SAML authentication for your Visitors with Microsoft Azure – Cloudi-Fi Knowledge Base

Step-by-step instructions to set up a SAML authentication for your Visitors with Cloudi-Fi and Azure.

Use case

The following sections will provide step-by-step instructions to SAML authentication for your Visitors with Cloudi-Fi and Azure.

Prerequisites

Captive portal

Before starting the configuration, please make sure your captive portal can support SAML authentication. If "Corporate Access" section is not available in your existing captive portal, please contact your Support team to update your captive portal (see How to contact your support?)

Cloudi-Fi Captive portal - SAML authentication.png

Walled Garden

Be sure to add the following AzureAD domains listed in Set up a walled garden for your captive portal

Warning: for Zscaler do not add the * as it does not recognise this character

SAML URLs

Navigate to the Cloudi-Fi Admin user interface (UI)
Go to "Configuration" > "Auth modes" > "SAML"
Collect the necessary information

Linkback URL

https://login.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml/************

***** is your Cloudi-fi public key (Go to your Cloudi-fi Admin interface > Settings > Company Account)

Cloudi-Fi Entity ID

https://login.cloudi-fi.net/

1. Create Azure AD SAML app

Navigate to the "Enterprise applications" section
Add a new application

Azure UI - New application.png

Click on "Create your own application"
Set a specific name to the application (example: Cloudi-Fi Guest SAML)
Opt for the third option: "Integrate any other application you don't find in the gallery (Non-gallery)"

Azure UI - SAML Toolkit.png

After creating the application, navigate to "Single sign-on"
Select "SAML" as the sign-on method

Azure UI - Select SAML as Single Sign-On for Cloudi-Fi.jpeg

Access "Basic SAML Configuration" to edit settings
Update the "Linkback URL" with:
- ```
https://login.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml/************
```
- where ************ represents your Cloudi-fi public key
- To find your Cloudi-fi public key, go to the Cloudi-fi Admin interface, navigate to "Settings", then "Company Account"
Set the "Cloudi-Fi Entity ID" as:
```
https://login.cloudi-fi.net/
```

Azure UI - Set Cloudi-Fi saml information.jpeg

Go to section "(2) Attributes & Claims"
Collect the specified URL

Azure UI - Additionnal Claims.png

For the certificate:
- Go to "(3) SAML Certificates"
- Download the "Certificate (Base64)"
To collect the URL:
- Proceed to "(4) Set up Your Application"
- Collect the necessary URL
  - Login URL
  - Microsoft Entra Identifier
  - Logout URL

Azure UI - Basic SAML Configuration - set up.png

2. Configure Single Sign-On

To start step 2, make ensure you have all of these information

Attributes	Details
Linkback URL	https://login.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml/********
Cloudi-Fi Entity ID	https://login.cloudi-fi.net/
Login URL	https://login.microsoftonline.com/*********/saml2
Microsoft Entra Identifier	https://sts.windows.net/*********/
Logout URL	https://login.microsoftonline.com/***********/saml2
Certificate (Base64)
Email_address Claims	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Given_name Claims	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

2.1. On Set up Single Sign-On with SAML Page

Navigate to "Single sign-on" and then to "Basic SAML Configuration"
For "Identifier (Entity ID)": Use the Cloudi-Fi Entity ID (refer to SAML URLs)
For "Reply URL (Assertion Consumer Service URL)": Enter the Linkback URL (refer to SAML URLs)
For "Sign on URL": Input the Cloudi-Fi Entity ID (refer to SAML URLs)

Azure UI - Set Cloudi-Fi saml information.jpeg

2.2. On Cloudi-Fi Side

Navigate to the Cloudi-Fi Admin user interface (UI)
Access "Configuration" > "Auth modes" > "SAML"
Enter the required values into the respective fields

- IdP EntityId: Microsoft Entra Identifier (see Step 1: Create Azure AD SAML app)
- Binding Method: POST
- IdP Endpoint: Login URL (see Step 1: Create Azure AD SAML app)
- Logout Binding Method (Optional): POST
- Logout Endpoint: Logout URL (see Step 1: Create Azure AD SAML app)
- IdP Signing Certificate (x509 format): Paste the content of Certificate (Base64) (see Step 1: Create Azure AD SAML app) without the "Begin Certificate" and "End certificate" markers
- Email attribute name: emailaddress (see Step 1: Create Azure AD SAML app)
- Fullname Attribute (Optional): givenname (see Step 1: Create Azure AD SAML app)

Cloudi-Fi UI - SAML - Guest.png

3. Set your Visitor_profile (Optional)

Option 1: Default

Cloudi-Fi automatically sets the "Guest" profile for all new visitors using "Corporate Access" (Refer to: Cloudi-Fi Admin UI > Users > Profiles)

Cloudi-Fi UI - Profile - Guest.png

Option 2

If you want to create a Specific Visitor_Profile for users using "Corporate Access", go to Cloudi-Fi Admin UI > Users > Profiles and create a new profiles (e.g. SAML)

Cloudi-Fi UI - Profile - SAML.png

Navigate to Cloudi-Fi Admin UI, select Configuration > Auth modes > SAML, and assign the "Custom Profile" to the previously established profile (for instance, "SAML").

Cloudi-Fi UI - SAML - Custom profile.png

Option 3

If you want to assign a Visitor_Profile based on the Azure AD group to which they belong, go to AzureAd UI > Enterprise Applications > Your Application (create in Step 1: Create Azure AD SAML app) > Single sign-on > (2) Attributes & Claims and create an Additional claims

Name (e.g. profile)
Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims

In the Claim conditions, create as many profiles as you need to allow on the Cloudi-Fi interface

User type: Members or Any
Scoped Groups: Select the Groups allowed to have access to Cloudi-Fi Admin Console
Source: Attribute
Value: Profile value (Profile name define in Cloudi-Fi Admin UI > Users > Profiles)

Then, go to Cloudi-Fi Admin UI > Configuration > Auth modes > SAML and set

Group Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/profile

Troubleshooting

Azure AD redirection

A Visitor access to the Captive portal, he click on "Corporate Access" and he is not redirected to Azure Authentication page.

Please check that the traffic to Azure URLs is allowed. (see Walled Garden).

Azure error message

A Visitor access to the Captive portal, he click on "Corporate Access" and he is redirected to Azure authentication Page. He fills out his (email_address, password) and Sign-in. Then he is redirected to an Azure Error Page.

Please replay the process and perform a HTTP capture (Perform a Web Request capture in the web browser) and open a ticket to Cloudi-Fi support with the capture attached (see How to contact your support?)

Azure error message for Visitors from China, Australia

China and Australian user are using a different "Cloudi-Fi Entity ID" (in place of https://login.cloudi-fi.net/ )

https://login-cn.cloudi-fi.net/

I invite you to follow this article (How to set up SAML authentication for your Visitors (China, Australia) with Microsoft Azure )

What's Next ?

Congratulations on enabling SAML authentication with Azure for your Visitors.

Search

Cloudi-Fi Knowledge Base