Use case
The following sections provide step-by-step instructions to set up SAML authentication for your Visitors with Cloudi-Fi and Okta.
Prerequisites
Captive portal
Before starting the configuration, make sure your captive portal supports SAML authentication. If the "Corporate Access" section is not available in your existing captive portal, contact your Support team to have your captive portal updated (see How to contact your support?).
Walled garden
Be sure to add the Okta domains listed in Set up a walled garden for your captive portal.
Warning: for Zscaler, do not add the * wildcard, as Zscaler does not recognise this character.
SAML URL
- Navigate to the Cloudi-Fi Admin user interface (UI)
- Go to "Configuration" > "Auth modes" > "SAML"
- Collect the necessary information
Linkback URL
https://login.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml/************
************ is your Cloudi-Fi public key (go to your Cloudi-Fi Admin interface > Settings > Company Account).
Cloudi-Fi Entity ID
https://login.cloudi-fi.net/
If "SAML" is not available, please open a ticket with Cloudi-Fi Support (see How to contact your Cloudi-Fi support?).
1. Create your Okta SAML application
- Go to your Okta portal and switch to "Classic UI" mode.
- Go to the Application section, and add a new application.
- Click on "Create a new Application Integration", then select SAML 2.0.
In the General Settings page, define your "App name" (for instance: Cloudi-Fi Guest SAML) and click on Next.
In the Configure SAML page, fill in the following fields:
- "Single sign-on URL" (the Cloudi-Fi "Linkback URL"): https://login.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml/<company_key> (to find your <company_key>, go to the Cloudi-Fi Admin interface, navigate to "Settings", then "Company Account")
- "Audience URI / SP Entity ID" (the "Cloudi-Fi Entity ID"): https://login.cloudi-fi.net/
- "Name ID format": EmailAddress
- "Application username": Email
- "Update application username on": Create and update
- "Attribute Statement":
  - "Name": mail
  - "Value": user.email
In the Feedback page, click on "Finish".
Once the Cloudi-Fi application is created on Okta, click "View SAML Setup Instructions" to retrieve technical information to be configured on the Cloudi-Fi portal.
The information needed is:
- Identity Provider Single Sign-On URL
- Identity Provider Issuer
- X.509 Certificate
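The Okta settings above (Single sign-on URL, Name ID format EmailAddress, and the "mail" attribute statement) determine the shape of the SAML Response that Okta POSTs to the Cloudi-Fi Linkback URL. The following script is an added example, not Cloudi-Fi's or Okta's code: it decodes a SAMLResponse form value and checks that the Destination is the Linkback URL, that the NameID is in EmailAddress format, and that a single "mail" attribute is present and matches the NameID. The sample response, the COMPANY_KEY_PLACEHOLDER and ISSUER_PLACEHOLDER values and the user alice@example.com are constructed for the example. It does not verify the XML signature or the assertion's validity window; the service provider (Cloudi-Fi) does that, so this is a configuration check, not a security control.

```python
"""Structural check of the SAML Response Okta POSTs to the Cloudi-Fi Linkback URL.

Added example, not Cloudi-Fi's or Okta's code. It verifies the points the Okta
application settings control: Destination is the Linkback URL, the NameID uses
the EmailAddress format, and the Attribute Statement carries one "mail"
attribute whose value matches the NameID. It does NOT verify the XML signature
or the validity window; the service provider does that.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_ATTRIBUTE_NAME = "mail"  # the "Name" configured in the Okta Attribute Statement


def decode_saml_response(saml_response_b64: str) -> str:
    """Decode the Base64 SAMLResponse form field into XML text."""
    return base64.b64decode(saml_response_b64).decode("utf-8")


def check_saml_response(xml_text: str, expected_acs_url: str) -> dict:
    """Return the extracted fields plus a list of problems (empty when all checks pass)."""
    root = ET.fromstring(xml_text)
    result = {"issuer": None, "name_id": None, "mail": None, "problems": []}
    problems = result["problems"]

    if root.tag != f"{{{NS['saml2p']}}}Response":
        problems.append(f"unexpected root element {root.tag}")
        return result

    # Destination must be the Linkback URL (the SP's Assertion Consumer Service).
    destination = root.get("Destination")
    if destination != expected_acs_url:
        problems.append(f"Destination {destination!r} is not the Linkback URL {expected_acs_url!r}")

    result["issuer"] = root.findtext("saml2:Issuer", namespaces=NS)
    if not result["issuer"]:
        problems.append("missing Issuer")

    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        problems.append("missing Assertion (an encrypted one would appear as EncryptedAssertion)")
        return result

    # "Name ID format: EmailAddress" in Okta yields this Format on the NameID.
    name_id = assertion.find("saml2:Subject/saml2:NameID", NS)
    if name_id is None:
        problems.append("missing Subject/NameID")
    else:
        result["name_id"] = (name_id.text or "").strip()
        if name_id.get("Format") != EMAIL_NAMEID_FORMAT:
            problems.append(f"NameID Format is {name_id.get('Format')!r}, expected {EMAIL_NAMEID_FORMAT!r}")
        if "@" not in result["name_id"]:
            problems.append("NameID is not an email address")

    # "Attribute Statement: Name=mail, Value=user.email" in Okta yields this attribute.
    attributes = {}
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    mail_values = attributes.get(EMAIL_ATTRIBUTE_NAME, [])
    if len(mail_values) != 1:
        problems.append(f"expected exactly one {EMAIL_ATTRIBUTE_NAME!r} attribute value, got {mail_values!r}")
    else:
        result["mail"] = mail_values[0]
        if result["mail"] != result["name_id"]:
            problems.append("mail attribute does not match NameID")
    return result


# Constructed sample with placeholder identifiers; it is not a real Okta response.
EXPECTED_ACS_URL = "https://login.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml/COMPANY_KEY_PLACEHOLDER"
SAMPLE_RESPONSE = f"""<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="{EXPECTED_ACS_URL}" ID="id-constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/ISSUER_PLACEHOLDER</saml2:Issuer>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-constructed-2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml2:Issuer>http://www.okta.com/ISSUER_PLACEHOLDER</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue>alice@example.com</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    report = check_saml_response(decode_saml_response(SAMPLE_RESPONSE_B64), EXPECTED_ACS_URL)
    print("OK" if not report["problems"] else "\n".join(report["problems"]))
```

To use it on a real login, copy the SAMLResponse value from the POST to the Linkback URL (visible in a web request capture), pass it to decode_saml_response, and compare the reported Destination and attributes with what you configured in Okta; a wrong Destination or a missing "mail" attribute is a configuration mismatch rather than a network problem.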
2. Cloudi-Fi configuration
Before starting step 2, make sure you have all of the following information:

| Attribute name (in Okta) | Attribute name (in Cloudi-Fi) | Details |
|---|---|---|
| Single sign-on URL | Linkback URL | https://login.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml/<company_key> |
| SP Entity ID | Cloudi-Fi Entity ID | https://login.cloudi-fi.net/ |
| Identity Provider Issuer | IdP EntityID | http://www.okta.com/********* |
| Identity Provider Single Sign-On URL | IdP Endpoint | https://******/app/****/*****/sso/saml |
| X.509 Certificate | IdP Signing Certificate (X.509, Base64) | |
| Attribute Statements / Name | Email_address Claims | mail |
- Navigate to the Cloudi-Fi Admin user interface (UI)
- Access "Configuration" > "Auth modes" > "SAML"
- Enter the required values into the respective fields
Fill out the form as described below with the details previously retrieved from Okta:
- IdP EntityId: Identity Provider Issuer
- Binding Method: POST
- IdP Endpoint: Identity Provider Single Sign-On URL
- Logout Binding Method: POST
- IdP Signing Certificate: X.509 Certificate without the "BEGIN CERTIFICATE" and "END CERTIFICATE" markers
- Email attribute name: mail
Finally, click on Save.
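The "IdP Signing Certificate" field expects only the Base64 body of the X.509 certificate, with the PEM markers and line breaks removed. The helper below is an added example, not Cloudi-Fi's or Okta's code: it strips the markers and whitespace from a PEM certificate and checks that what remains is valid Base64 decoding to a DER SEQUENCE, which is the outer structure of every X.509 certificate, so a truncated paste or a stray character is caught before the form is saved. The SAMPLE_PEM value is a constructed placeholder (a five-byte DER SEQUENCE), not a real certificate; the function does not validate the certificate's signature, chain or expiry.

```python
"""Normalise an Okta IdP signing certificate for the Cloudi-Fi SAML form.

Added example, not Cloudi-Fi's or Okta's code. The form expects the Base64
body of the X.509 certificate without the BEGIN/END markers; this strips the
PEM armour and line breaks and sanity-checks that the result is Base64 that
decodes to a DER SEQUENCE (tag 0x30), the outer element of an X.509 certificate.
It does not validate the certificate's signature, chain or expiry.
"""
import base64
import binascii
import re

_PEM_MARKER = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")


def pem_to_base64_body(pem: str) -> str:
    """Return the Base64 body of a PEM certificate with markers and whitespace removed.

    Raises ValueError if the body is not valid Base64 or does not look like DER.
    """
    body = _PEM_MARKER.sub("", pem)
    body = "".join(body.split())  # drop newlines, spaces and tabs
    if not body:
        raise ValueError("empty certificate body")
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid Base64: {exc}") from exc
    # X.509 certificates are DER-encoded ASN.1; the outer element is a SEQUENCE (0x30).
    if not der or der[0] != 0x30:
        raise ValueError("decoded bytes do not start with an ASN.1 SEQUENCE; not a DER certificate")
    return body


def looks_like_x509_pem(pem: str) -> bool:
    """True when pem_to_base64_body accepts the input, False otherwise."""
    try:
        pem_to_base64_body(pem)
    except ValueError:
        return False
    return True


# Constructed placeholder: a five-byte DER SEQUENCE (SEQUENCE { INTEGER 1 }), NOT a
# real certificate; it only exercises the marker/whitespace handling and the DER check.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMC
AQE=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print(pem_to_base64_body(SAMPLE_PEM))
```

Paste the returned string into the "IdP Signing Certificate" field; if the function raises, re-copy the certificate from the Okta "View SAML Setup Instructions" page rather than editing the pasted text by hand.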
Troubleshooting
Okta redirection
A Visitor accesses the Captive portal, clicks on "Corporate Access" and is not redirected to the Okta authentication page.
Check that traffic to the Okta URLs is allowed (see Walled garden).
Okta error message
A Visitor accesses the Captive portal, clicks on "Corporate Access" and is redirected to the Okta authentication page. They enter their email address and password and sign in, then are redirected to an Okta error page.
Replay the process while performing an HTTP capture (Perform a Web Request capture in the web browser), then open a ticket with Cloudi-Fi support with the capture attached (see How to contact your support?).
Okta error message for visitors from Asia (China, Australia...)
A Visitor accesses the Captive portal, clicks on "Corporate Access" and is redirected to the Okta authentication page. They enter their email address and password and sign in. Users connecting from Asia (China, Australia, ...) get an error while all others can authenticate.
Visitors located in the APAC region use a different "Cloudi-Fi Entity ID" (in place of https://login.cloudi-fi.net/):
https://login-cn.cloudi-fi.net/
Follow this article instead: How to set up SAML authentication for your Visitors (in APAC) with Okta.
Known limitation on iOS devices with 2FA
When using SAML-based authentication with any SSO provider, users on iOS devices may experience issues completing two-factor authentication (2FA) via authenticator applications. This occurs because the captive portal automatically closes when the user switches apps to access the authenticator, interrupting the authentication flow.
Recommendations for administrators
To optimize the authentication process for iOS users and avoid issues with app-based 2FA, we recommend the following:
- Disable app-based 2FA for captive portal users on iOS devices: configure your SSO provider to bypass app-based authenticator methods for these users.
- Enforce alternative 2FA methods: use SMS-based or email-based verification codes, which do not require leaving the captive portal.
- Provide clear guidance to users: advise your users to use their preferred web browser to complete the SSO authentication. This way, if they switch from the captive portal page to the 2FA authenticator app, they will still be able to complete the captive portal authentication process.
What's next?
Congratulations on enabling SAML authentication with Okta for your Visitors.