Use case
The following sections provide step-by-step instructions to set up SAML authentication for your Visitors with Cloudi-Fi and Okta.
Prerequisites
Captive portal
Before starting the configuration, make sure your captive portal supports SAML authentication. If the "Corporate Access" section is not available in your existing captive portal, contact your Support team to update your captive portal (see How to contact your support?).
Walled garden
Be sure to add the Okta domains listed in Set up a walled garden for your captive portal.
Warning: for Zscaler, do not add the "*" wildcard, as Zscaler does not recognise this character.
SAML URL
- Navigate to the Cloudi-Fi Admin user interface (UI)
- Go to "Configuration" > "Auth modes" > "SAML"
- Collect the necessary information
Linkback URL
https://login.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml/************
************ is your Cloudi-Fi public key (go to your Cloudi-Fi Admin interface > Settings > Company Account).
Cloudi-Fi Entity ID
https://login.cloudi-fi.net/
If "SAML" is not available, please open a ticket with Cloudi-Fi Support (How to contact your Cloudi-Fi support?).
1. Create your Okta SAML application
- Go to your Okta portal and switch to "Classic UI" mode.
- Go to the Application section, and add a new application.
- Click on "Create a new Application Integration".
- Then, select SAML 2.0.
In the General Settings page, define your "App name" (for instance: Cloudi-Fi Guest SAML) and click on "Next".
In the Configure SAML page, set the following:
- "Linkback URL": https://login.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml/<company_key>
  To find your <company_key>, go to the Cloudi-Fi Admin interface, navigate to "Settings", then "Company Account".
- "Cloudi-Fi Entity ID": https://login.cloudi-fi.net/
- "Name ID format": EmailAddress
- "Application username": Email
- "Update application username on": Create and update
- "Attribute Statement":
  - "Name": mail
  - "Value": user.email
In the Feedback page, click on "Finish".
Once the Cloudi-Fi application is created on Okta, click "View SAML Setup Instructions" to retrieve the technical information to be configured on the Cloudi-Fi portal.
Here is the information needed:
- Identity Provider Single Sign-On URL
- Identity Provider Issuer
- X.509 Certificate
2. Cloudi-Fi configuration
To start step 2, make sure you have all of this information:
Attribute name (in Okta) | Attribute name (in Cloudi-Fi) | Details
Single sign-on URL | Linkback URL | https://login.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml/<company_key>
SP Entity ID | Cloudi-Fi Entity ID | https://login.cloudi-fi.net/
Identity Provider Issuer | IdP EntityID | http://www.okta.com/*********
Identity Provider Single Sign-On URL | IdP Endpoint | https://******/app/****/*****/sso/saml
X.509 Certificate | IdP Signing Certificate (X509, Base64) | Pasted without the "Begin Certificate" and "End Certificate" markers
Attribute Statements / Name | Email address claim | mail
- Navigate to the Cloudi-Fi Admin user interface (UI)
- Go to "Configuration" > "Auth modes" > "SAML"
- Enter the required values into the respective fields
Fill out the form as described below with details previously retrieved on Okta:
- IdP EntityId: Identity Provider Issuer
- Binding Method: POST
- IdP Endpoint: Identity Provider Single Sign-On URL
- Logout Binding Method: POST
- IdP Signing Certificate: the X.509 Certificate, pasted without the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" marker lines (Base64 body only)
- Email attribute name: mail
Finally, click on "Save".
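Okta also publishes the same three values (Issuer, Single Sign-On URL, signing certificate) as a standard SAML 2.0 IdP metadata document. The following script is an added example, not Cloudi-Fi or Okta code: it reads an IdP metadata document and maps its contents onto the Cloudi-Fi form fields listed above, selecting the HTTP-POST endpoint (since the Binding Method is POST) and stripping the certificate down to the Base64 body that the "IdP Signing Certificate" field expects. The metadata embedded in it is a constructed sample with placeholder identifiers (EXAMPLE_ISSUER_ID, example-tenant.okta.com), not a real tenant's output.

```python
# Added example (not Cloudi-Fi or Okta code): map an IdP metadata document onto the
# Cloudi-Fi SAML form fields. Element names follow the SAML 2.0 metadata schema;
# the identifier values in the sample below are constructed placeholders.
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata (placeholder tenant, app ids and certificate).
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/EXAMPLE_ISSUER_ID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            MIIBsample
            Cert
            Body==
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.okta.com/app/EXAMPLE_APP/EXAMPLE_ID/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-tenant.okta.com/app/EXAMPLE_APP/EXAMPLE_ID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def strip_pem_markers(cert_text):
    """Return only the Base64 body of a certificate: BEGIN/END marker lines and all
    whitespace removed, which is the form the Cloudi-Fi signing certificate field takes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert_text)
    return re.sub(r"\s+", "", body)


def cloudifi_fields_from_idp_metadata(metadata_xml):
    """Map IdP metadata onto the Cloudi-Fi 'Auth modes > SAML' form fields."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: this is not IdP metadata")

    # Cloudi-Fi is configured with Binding Method = POST, so the HTTP-POST endpoint
    # is the one that becomes "IdP Endpoint".
    post_endpoints = [
        sso.get("Location")
        for sso in idp.findall("md:SingleSignOnService", NS)
        if sso.get("Binding") == POST_BINDING
    ]
    if not post_endpoints:
        raise ValueError("IdP advertises no HTTP-POST SingleSignOnService")

    # A KeyDescriptor with use="signing" (or no 'use', meaning both) carries the
    # certificate that signs assertions.
    signing_cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                signing_cert = strip_pem_markers(cert.text)
                break
    if signing_cert is None:
        raise ValueError("no signing certificate found in IdP metadata")

    return {
        "IdP EntityId": root.get("entityID"),
        "Binding Method": "POST",
        "IdP Endpoint": post_endpoints[0],
        "Logout Binding Method": "POST",
        "IdP Signing Certificate": signing_cert,
        "Email attribute name": "mail",
    }


if __name__ == "__main__":
    for field, value in cloudifi_fields_from_idp_metadata(SAMPLE_IDP_METADATA).items():
        print(f"{field}: {value}")
```

Run it against the metadata document exported from your own Okta application and compare each printed value with what is entered in the Cloudi-Fi form; the "IdP EntityId" line must equal the "Identity Provider Issuer" shown in Okta's SAML Setup Instructions.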
Troubleshooting
Okta redirection
A Visitor accesses the Captive portal, clicks on "Corporate Access" and is not redirected to the Okta authentication page.
Please check that the traffic to Okta URLs is allowed. (see Walled Garden).
Okta error message
A Visitor accesses the Captive portal, clicks on "Corporate Access" and is redirected to the Okta authentication page. He fills in his credentials (email address, password) and signs in. He is then redirected to an Okta error page.
Please replay the process while performing an HTTP capture (Perform a Web Request capture in the web browser), then open a ticket with Cloudi-Fi support with the capture attached (see How to contact your support?).
Okta error message for visitors from Asia (China, Australia...)
A Visitor accesses the Captive portal, clicks on "Corporate Access" and is redirected to the Okta authentication page. He fills in his credentials (email address, password) and signs in. Users connecting from Asia (China, Australia, ...) get an error while all others can authenticate.
Visitors located in the APAC region use a different "Cloudi-Fi Entity ID" (in place of https://login.cloudi-fi.net/):
https://login-cn.cloudi-fi.net/
Follow this article: How to set up SAML authentication for your Visitors (in APAC) with Okta.
What's next?
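Both of the last two troubleshooting cases can be narrowed down before opening a ticket by looking at the SAMLResponse that the browser posts to the Linkback URL (the HTTP capture mentioned above). The following script is an added example, not Cloudi-Fi or Okta code: it decodes that Base64 value and compares the assertion's Issuer, Audience, NameID format, Recipient and attribute names with the values configured on both sides, reporting an Audience that is the other region's Entity ID as its own finding. It inspects content only and does not verify the XML signature, which requires the IdP certificate and a SAML library. The response it builds as sample input is constructed and unsigned, and the company key and issuer id are placeholders.

```python
# Added example (not Cloudi-Fi or Okta code): compare a captured SAMLResponse with the
# values configured in Okta and Cloudi-Fi. Content checks only; no signature verification.
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Entity IDs from the article, keyed to the region that uses each one.
KNOWN_ENTITY_IDS = {
    "https://login.cloudi-fi.net/": "global",
    "https://login-cn.cloudi-fi.net/": "APAC",
}

# Expected values for a global-region setup; COMPANY_KEY and EXAMPLE_ISSUER_ID are placeholders.
EXPECTED = {
    "linkback_url": "https://login.cloudi-fi.net/auth/module.php/saml/sp/saml2-acs.php/saml/COMPANY_KEY",
    "entity_id": "https://login.cloudi-fi.net/",
    "idp_entity_id": "http://www.okta.com/EXAMPLE_ISSUER_ID",
    "email_attribute": "mail",
}


def build_sample_response(audience, attr_name="mail", nameid_format=EMAIL_FORMAT):
    """Constructed, unsigned SAML Response used as sample input (not a real capture)."""
    doc = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
  Destination="{EXPECTED['linkback_url']}">
  <saml:Issuer>{EXPECTED['idp_entity_id']}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{EXPECTED['idp_entity_id']}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{nameid_format}">visitor@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{EXPECTED['linkback_url']}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{attr_name}">
        <saml:AttributeValue>visitor@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(doc.encode()).decode()


def check_saml_response(b64_response, expected=EXPECTED):
    """Return a list of mismatches between the captured response and the expected setup
    (an empty list means the assertion content matches the configuration)."""
    root = ET.fromstring(base64.b64decode(b64_response))
    findings = []
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plain Assertion in the Response (encrypted assertion or failure status?)"]

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected["idp_entity_id"]:
        findings.append(f"Issuer {issuer!r} differs from the IdP EntityId configured in Cloudi-Fi")

    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS).strip()
    if audience != expected["entity_id"]:
        region = KNOWN_ENTITY_IDS.get(audience, "unknown")
        findings.append(f"Audience {audience!r} ({region} Entity ID) is not the expected {expected['entity_id']!r}")

    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != EMAIL_FORMAT:
        findings.append("NameID format is not EmailAddress")

    conf = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != expected["linkback_url"]:
        findings.append("SubjectConfirmationData Recipient differs from the Linkback URL")

    names = [a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)]
    if expected["email_attribute"] not in names:
        findings.append(f"no {expected['email_attribute']!r} attribute in the assertion; found {names}")
    return findings


if __name__ == "__main__":
    for label, aud in (("global", "https://login.cloudi-fi.net/"), ("APAC", "https://login-cn.cloudi-fi.net/")):
        print(label, check_saml_response(build_sample_response(aud)) or "consistent with configuration")
```

For a real capture, pass the SAMLResponse form value from the POST to the Linkback URL (after URL-decoding it) to check_saml_response and adjust EXPECTED to your own company key, Issuer and region. An "Audience" finding that names the APAC Entity ID is exactly the symptom of the last case above.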
Congratulations on enabling SAML authentication with Okta for your Visitors.