How to use SAML authentication for your guests with Cloudi-Fi and Azure.
Prerequisites
For a Native deployment (without IPsec/GRE tunnel), be sure to add the following domains to the walled garden in your captive portal configuration:
- *.microsoftonline.com
- *.live.com
- *.msftauth.net
- *.microsoft.com
- *.msauth.net
- *.msauthimages.net
Configure Azure AD SSO
Add the Azure AD SAML Toolkit application
From Home, click on Enterprise applications, then add a new application.
Search for Azure AD SAML Toolkit, and create it after giving it an explicit name.
Configure Single Sign-On
Once you have the Azure AD SAML Toolkit application, click on it and go to Single Sign-On. On the Select a single sign-on method page, select SAML.
On the Set up Single Sign-On with SAML page
On the Basic SAML Configuration page (Azure AD SAML Toolkit > Single sign-on > Basic SAML Configuration), enter the values for the following fields:
- Identifier (Entity ID): copy and paste the Cloudi-Fi Entity ID (marked 2 on the image below)
- Reply URL (Assertion Consumer Service URL): copy and paste the Cloudi-Fi linkback URL (marked 1 on the image below)
- Sign-on URL: https://login.cloudi-fi.net/

cf. the SAML configuration on the Cloudi-Fi side (Settings > Auth modes)
On Cloudi-Fi Side
Go to Settings > Auth modes > SAML, and enter the values for the following fields:
- IdP EntityId: the Azure AD Identifier
- Binding Method: Post
- IdP Endpoint: the Login URL
- Logout Binding Method (Optional): Post
- Logout Endpoint: the Logout URL
- IdP Signing Certificate (x509 format): download the Base64 certificate and paste its content here (without the "BEGIN CERTIFICATE" and "END CERTIFICATE" markers)
- Email Attribute name: the claim name corresponding to the Mail value (marked 1)
  Be careful: the user needs to have an email address attribute
- Fullname Attribute (Optional): the claim name corresponding to the Givenname value (marked 2)
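As an added example (not Cloudi-Fi or Microsoft code), the script below pulls the values for these fields out of the IdP's SAML metadata document instead of copying them from the portal by hand, and normalizes the signing certificate the way the field above expects: BEGIN/END markers and whitespace stripped, then checked to be a Base64-encoded DER certificate. The metadata document, tenant id and certificate body are constructed placeholders; the element names follow the SAML 2.0 metadata schema.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
TENANT = "00000000-0000-0000-0000-000000000000"  # constructed placeholder, not a real tenant
# Constructed stand-in for an Azure AD federation metadata document; the certificate body is fake.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>MIIBAAAABBBBCCCC
        DDDDEEEE</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def normalize_certificate(text):
    """Bare Base64 body as the Cloudi-Fi field expects: PEM BEGIN/END markers and
    whitespace removed, then checked to decode to DER (ASN.1 SEQUENCE tag 0x30)."""
    lines = (ln.strip() for ln in text.strip().splitlines())
    body = "".join("".join(ln.split()) for ln in lines if not ln.startswith("-----"))
    der = base64.b64decode(body, validate=True)  # rejects stray non-Base64 characters
    if not der or der[0] != 0x30:
        raise ValueError("not a DER-encoded certificate")
    return body

def _endpoint(idp, service):
    """Location of a service, preferring HTTP-POST (the guide's 'Post' binding)."""
    services = idp.findall(f"md:{service}", NS)
    preferred = [s for s in services if s.get("Binding") == POST] or services
    return preferred[0].get("Location") if preferred else None

def cloudifi_saml_settings(metadata_xml):
    """Map IdP metadata onto the Cloudi-Fi Settings > Auth modes > SAML fields."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "IdP EntityId": root.get("entityID"),
        "Binding Method": "Post",
        "IdP Endpoint": _endpoint(idp, "SingleSignOnService"),
        "Logout Endpoint": _endpoint(idp, "SingleLogoutService"),
        "IdP Signing Certificate": normalize_certificate(cert.text),
    }
```

`normalize_certificate` also accepts the downloaded PEM file's full text, so the same function produces the value to paste whether you start from metadata or from the portal download.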
