Step-by-step instructions to set up a SAML authentication for your Visitors with Cloudi-Fi and Azure.
Table of contents
Step 1: Create Azure AD SAML app
Step 2: Configure Single Sign-On
Use case
The following sections provide step-by-step instructions to set up SAML authentication for your Visitors with Cloudi-Fi and Azure.
Prerequisites
Captive portal
Before starting the configuration, please make sure your captive portal supports SAML authentication. If the "Corporate Access" section is not available in your existing captive portal, please contact your Support team to update your captive portal (see How to contact your support?)
Walled Garden
Be sure to add the AzureAD domains listed in Set up a walled garden for your captive portal
Warning: for Zscaler, do not add the wildcard * as Zscaler does not recognise this character
SAML URLs
Go to Cloudi-Fi Admin UI > Configuration > Auth modes > SAML and collect the
Linkback URL
https://login.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml/************
- ***** is your Cloudi-fi public key (Go to your Cloudi-fi Admin interface > Settings > Company Account)
Cloudi-Fi Entity ID
https://login.cloudi-fi.net/
Step 1: Create Azure AD SAML app
From AzureAd UI, click on "Enterprise applications" and add a new application
Then, search for Microsoft Entra SAML Toolkit, and create it after giving it an explicit name (e.g. Cloudi-Fi Guest SAML)
Go to AzureAd UI > Enterprise Applications > Your Application (created in Step 1: Create Azure AD SAML app) > Single sign-on > (2) Attributes & Claims and collect the following claim names
- emailaddress
- givenname
Go to AzureAd UI > Enterprise Applications > Your Application (created in Step 1: Create Azure AD SAML app) > Single sign-on > (3) SAML Certificates and download Certificate (Base64)
Go to AzureAd UI > Enterprise Applications > Your Application (created in Step 1: Create Azure AD SAML app) > Single sign-on > (4) Set up Your Application and collect the following URLs
- Login URL
- Microsoft Entra Identifier
- Logout URL
Step 2: Configure Single Sign-On
To start step 2, make sure you have all of this information:
Attributes | Details
Linkback URL | https://login.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml/********
Cloudi-Fi Entity ID | https://login.cloudi-fi.net/
Login URL | https://login.microsoftonline.com/*********/saml2
Microsoft Entra Identifier | https://sts.windows.net/*********/
Logout URL | https://login.microsoftonline.com/***********/saml2
Certificate (Base64) | (downloaded in Step 1)
Email_address Claims | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Given_name Claims | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Step 2.1: On Set up Single Sign-On with SAML Page
Go to AzureAd UI > Enterprise Applications > Your Application (created in Step 1: Create Azure AD SAML app) > Single sign-on > Basic SAML Configuration
- Identifier (Entity ID): Cloudi-Fi Entity ID (see SAML URLs )
- Reply URL (Assertion Consumer Service URL): Linkback URL (see SAML URLs )
- Sign on URL: Cloudi-Fi Entity ID (see SAML URLs)
Step 2.2: On Cloudi-Fi Side
Go to Cloudi-Fi Admin UI > Configuration > Auth modes > SAML and enter the values for the following fields:
- IdP EntityId: Microsoft Entra Identifier (see Step 1: Create Azure AD SAML app)
- Binding Method: POST
- IdP Endpoint: Login URL (see Step 1: Create Azure AD SAML app)
- Logout Binding Method (Optional): POST
- Logout Endpoint: Logout URL (see Step 1: Create Azure AD SAML app)
- IdP Signing Certificate (x509 format): paste the content of Certificate (Base64) (see Step 1: Create Azure AD SAML app) without the "BEGIN CERTIFICATE" and "END CERTIFICATE" markers
- Email attribute name: emailaddress (see Step 1: Create Azure AD SAML app)
- Fullname Attribute (Optional): givenname (see Step 1: Create Azure AD SAML app)
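The IdP Signing Certificate field wants only the Base64 body of the certificate Azure gave you, with the PEM markers and line breaks removed. The helper below, added here as an example and not part of the Cloudi-Fi product or this guide, does that stripping and checks that the result still decodes to a DER certificate, so a truncated or mangled paste is caught before it is saved. The SHA-1 thumbprint it prints is assumed to match the thumbprint the Azure portal shows next to the certificate; the sample PEM is a constructed DER fragment, not a real certificate.

```python
import base64
import binascii
import hashlib
import re

PEM_MARKER = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")


def pem_to_base64_body(pem_text):
    """Strip the BEGIN/END markers and all whitespace from a Base64 (PEM)
    certificate and verify that what is left decodes to DER, which is the
    form the IdP Signing Certificate field expects."""
    body = PEM_MARKER.sub("", pem_text)
    body = "".join(body.split())  # drop newlines, spaces and tabs
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("not valid Base64: %s" % exc) from exc
    # Every X.509 certificate is a DER SEQUENCE, whose first byte is 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded bytes are not a DER certificate")
    return body


def sha1_thumbprint(base64_body):
    """Upper-case hex SHA-1 over the DER bytes; assumption: this is the
    thumbprint format shown in the Azure portal, so compare before saving."""
    return hashlib.sha1(base64.b64decode(base64_body)).hexdigest().upper()


# Constructed sample: a tiny DER SEQUENCE (not a real certificate) wrapped in
# the PEM markers, shaped like the downloaded Certificate (Base64) file.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    body = pem_to_base64_body(SAMPLE_PEM)
    print("paste this into IdP Signing Certificate:", body)
    print("thumbprint to compare with Azure:", sha1_thumbprint(body))
```

Run it against the downloaded file's contents; if it raises, the certificate was copied incompletely and the SAML login would fail with a signature error on the Cloudi-Fi side.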
Step 3: Set your Visitor_profile (Optional)
Option 1: Default
By default, Cloudi-Fi will assign the "Guest" profile (see Cloudi-Fi Admin UI > Users > Profiles) for all new Visitors using "Corporate Access"
Option 2:
If you want to create a specific Visitor_Profile for users using "Corporate Access", go to Cloudi-Fi Admin UI > Users > Profiles and create a new profile (e.g. SAML)
Then, go to Cloudi-Fi Admin UI > Configuration > Auth modes > SAML and set
- Custom Profile: the profile previously created (e.g. SAML)
Option 3:
If you want to assign a Visitor_Profile based on the Azure AD group to which they belong, go to AzureAd UI > Enterprise Applications > Your Application (created in Step 1: Create Azure AD SAML app) > Single sign-on > (2) Attributes & Claims and create an additional claim
- Name (e.g. profile)
- Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims
In the Claim conditions, create one condition per profile you want to allow on the Cloudi-Fi interface
- User type: Members or Any
- Scoped Groups: Select the Groups allowed to have access to Cloudi-Fi Admin Console
- Source: Attribute
- Value: Profile value (profile name defined in Cloudi-Fi Admin UI > Users > Profiles)
Then, go to Cloudi-Fi Admin UI > Configuration > Auth modes > SAML and set
- Group Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/profile
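To see how the three claims configured above (emailaddress, givenname and the custom profile claim from Option 3) are consumed once they arrive in the SAML assertion, here is an added example, not Cloudi-Fi's code: it extracts the AttributeStatement from a constructed assertion and maps the profile claim to a visitor profile, falling back to "Guest" (the Option 1 default) when the claim is absent or names a profile that does not exist in Cloudi-Fi. The assertion, the function names and the `allowed_profiles` set are assumptions; a real service provider must verify the assertion signature with the IdP Signing Certificate, the audience (the Cloudi-Fi Entity ID) and the validity window before trusting any attribute.

```python
import xml.etree.ElementTree as ET

# Claim names used in this guide: Azure AD's default claim namespace plus the
# custom "profile" claim created in Step 3 / Option 3.
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
EMAIL_CLAIM = CLAIMS_NS + "/emailaddress"
GIVENNAME_CLAIM = CLAIMS_NS + "/givenname"
PROFILE_CLAIM = CLAIMS_NS + "/profile"

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def sample_assertion(profile_value=None, with_email=True):
    """Build a constructed (not captured) SAML 2.0 Assertion carrying the
    claims Azure AD would send; profile_value=None omits the profile claim."""
    attrs = []
    if with_email:
        attrs.append((EMAIL_CLAIM, "visitor@example.com"))
    attrs.append((GIVENNAME_CLAIM, "Alice"))
    if profile_value is not None:
        attrs.append((PROFILE_CLAIM, profile_value))
    body = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s'
        "</saml:AttributeValue></saml:Attribute>" % (name, value)
        for name, value in attrs
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:AttributeStatement>" + body + "</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def extract_claims(assertion_xml):
    """Return {claim name: [values]} from the AttributeStatement. Call this only
    on an assertion whose signature, audience and validity window the SP has
    already verified."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims


def resolve_profile(claims, allowed_profiles, default="Guest"):
    """Option 3 mapping: honour the profile claim only when it names exactly one
    profile defined in Cloudi-Fi; otherwise fall back to the default profile."""
    values = [v.strip() for v in claims.get(PROFILE_CLAIM, []) if v.strip()]
    if len(values) == 1 and values[0] in allowed_profiles:
        return values[0]
    return default


def build_visitor(claims, allowed_profiles):
    """Assemble the visitor record: email is mandatory (the Email attribute name
    from Step 2.2), fullname is optional, profile comes from resolve_profile."""
    emails = claims.get(EMAIL_CLAIM, [])
    if len(emails) != 1 or not emails[0]:
        raise ValueError("assertion must carry exactly one %s value" % EMAIL_CLAIM)
    return {
        "email": emails[0],
        "fullname": (claims.get(GIVENNAME_CLAIM) or [None])[0],
        "profile": resolve_profile(claims, allowed_profiles),
    }


if __name__ == "__main__":
    # Profiles as defined in Cloudi-Fi Admin UI > Users > Profiles (assumed set).
    profiles_defined_in_cloudifi = {"Guest", "SAML"}
    print(build_visitor(extract_claims(sample_assertion("SAML")), profiles_defined_in_cloudifi))
```

The Value you type in each Azure claim condition has to match a profile name in Cloudi-Fi character for character; the fallback in `resolve_profile` is what a visitor would experience when it does not (they land in the default profile rather than being rejected).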
Troubleshooting
Azure AD redirection
A Visitor accesses the captive portal, clicks on "Corporate Access" and is not redirected to the Azure authentication page.
Please check that the traffic to Azure URLs is allowed. (see Walled Garden).
Azure error message
A Visitor accesses the captive portal, clicks on "Corporate Access" and is redirected to the Azure authentication page. The Visitor enters their email address and password and signs in, then is redirected to an Azure error page.
Please replay the process, perform an HTTP capture (Perform a Web Request capture in the web browser) and open a ticket with Cloudi-Fi support with the capture attached (see How to contact your support?)
Azure error message for Visitors from China, Australia
A Visitor accesses the captive portal, clicks on "Corporate Access" and is redirected to the Azure authentication page. The Visitor enters their email address and password and signs in. Users connecting from China or Australia get an error while all others can authenticate.
Visitors from China and Australia use a different "Cloudi-Fi Entity ID" (in place of https://login.cloudi-fi.net/):
https://login-cn.cloudi-fi.net/
I invite you to follow this article (How to set up SAML authentication for your Visitors (China, Australia) with Microsoft Azure )