Overview
The SAML Connector gives visitors or staff members the option to log in via your Google Workspace or Microsoft Entra (Azure) account. This lets you provide single sign-on for anyone who has a login on your Google or Microsoft domain. For example, within a school, students and teachers may have school email accounts set up on the school's Google Workspace; with the SAML Connector they can use those accounts to log in to the WiFi.
You can also use this connector for staff only to clearly differentiate between visitors and staff on your reports so that you can create accurate insights into your data. To see only visitor information on your reports, you can filter by role, to show User, Staff member and Unknown visitors. You must set up SAML on your Google Workspace or Microsoft Account to use the connector. To activate this feature, contact your customer success manager.
SAML Connector - Google
Overview
This section shows how to create and set up a WiFi SAML connector for Google.
The steps below will guide you through creating both a new custom SAML app in Google Workspace and a WiFi SAML connector in your WiFi Portal so your users can log in to your WiFi via Google on your WiFi access journey.
Step 1 - Set up Google for SAML
The first step is to create a new App in Google.
- Within your Google Workspace admin home page, click Apps
- Click Web and mobile apps
- Click Add App > Add custom SAML app
- Add an app name and icon (this displays to users when they sign in to WiFi via the Google Workspace login)
- On the following page there is an SSO URL, Entity ID and Certificate. Make a note of these details, as you need to enter them into the Portal connector settings under Management > Connectors > SAML > Edit. You can return to these details at any time.
- Complete the Service provider details as follows:
| Field | Value |
| --- | --- |
| ACS URL | https://{YOUR_WIFI_PORTAL_DOMAIN}/access/auth?acs where {YOUR_WIFI_PORTAL_DOMAIN} is the (sub)domain where your WiFi splash journey is hosted, e.g. eu.wifi.purple.ai |
| ACS entity | https://{YOUR_WIFI_PORTAL_DOMAIN}/access/auth where {YOUR_WIFI_PORTAL_DOMAIN} is the (sub)domain where your WiFi splash journey is hosted, e.g. eu.wifi.purple.ai |
| Name ID Format | |
| Name ID | Basic Information > Primary email |
- Click Continue and add any additional fields you want to pass to the portal. Common fields include First name, Last name or Phone number, which should be passed as firstName, lastName and phoneNumber respectively. Common Portal fields include:
- title
- firstName
- lastName
- phoneNumber
- gender
Any non-common field may still be passed; it is added as a new custom field on the user record in Marketing > CRM after the user logs in.
- To complete the set up, click Finish
Step 2 - Create the new SAML connector in the WiFi Portal
- In your WiFi Portal, navigate to Connectors and click on ‘Add’ to add a new SAML connector
Complete the Options as follows:
| Option | Description |
| --- | --- |
| Connector Name | Enter a name for the connector, e.g. Staff WiFi. |
| Enter your SSO URL | Enter the details you noted down when you set up SAML within Google or Microsoft. If you did not make a note at the time of set up, return to the Google or Microsoft SAML app to obtain this information. |
| Enter your Entity ID | See above. |
| Enter your certificate | See above. |
| Staff only | If you enable this, only staff members can use this login method, which differentiates staff members from visitors on your reports. You can filter the reports by role to show User, Staff member and Unknown visitors. |
| Type | Choose which login type you want to use. Currently only Google Workspace and Microsoft/Azure Active Directory are supported. |
| Allow entities below your scope to set up this connector | Enables entities below your scope to set up the SAML connector. For example, if you are a reseller this allows companies, groups and venues to set up the connector. When you select this option you must also select the Override type. |
| Override type | Additional: entities can set up their own connector in addition to this one. This applies to all venues within the scope. Replacement: entities can override this connector. This only applies to this connector. |
- Select the scopes you want the connector to be available for and click Save.
You can then configure your splash pages with your new SAML connector in Splash Page management via Onboarding > Splash pages.
You’re connected!
SAML Connector - Microsoft Entra (Azure)
Overview
This section shows how to create and set up a WiFi SAML connector for Microsoft Entra (Azure).
The steps below will guide you through creating both a new Microsoft Entra application in Azure and a WiFi SAML connector in your WiFi Portal so your users can log in to your WiFi via Microsoft on your WiFi access journey.
Step 1 - Create a new Entra enterprise application
The first step is to create a new Entra enterprise application in Microsoft Azure.
- Log into Microsoft Azure as an account administrator
- Navigate to Microsoft Entra ID
- Within Microsoft Entra ID create a new Enterprise application
- Within Enterprise applications create a New application
- Within the Entra Gallery click on the Create your own application option
- Give your new application a name and click Create
- On the overview for your new application choose Set up single sign on
- In the Single sign on options for your new application select SAML
Step 2 - Configure SAML for the Entra application
The next step is to configure the Basic SAML Configuration for the Entra application.
We need to configure the following:
Identifier (Entity ID)
This is the unique identifier for your new Entra application and will be used by the WiFi application and Microsoft to identify your application.
This value should be your WiFi domain with some additional entropy to identify your application within your organisation. The format for the identifier should be:
https://{YOUR_WIFI_PORTAL_DOMAIN}/access/auth/{UNIQUE_ENTRA_APPLICATION_IDENTIFIER}
The {UNIQUE_ENTRA_APPLICATION_IDENTIFIER} value should be a unique value for each Entra application that you create under your organisation for WiFi SAML authentication. In this example we will use a simple string that reflects the name of our example Entra application e.g. ‘my-entra-saml-app’. You can use a string or a number here as long as the value is unique.
For example if your WiFi domain is ‘eu.wifi.purple.ai’ then the ‘Identifier (Entity ID)’ would be:
https://eu.wifi.purple.ai/access/auth/my-entra-saml-app
If you are creating several Entra applications for WiFi SAML authentication then each of these will need a unique ‘Identifier (Entity ID)’, e.g.
https://eu.wifi.purple.ai/access/auth/app1
https://eu.wifi.purple.ai/access/auth/app2
https://eu.wifi.purple.ai/access/auth/app3
Reply URL
This value is the WiFi application endpoint for SAML authentication responses. This should be in the format:
https://{YOUR_WIFI_PORTAL_DOMAIN}/access/auth?acs
For example if your WiFi domain is ‘eu.wifi.purple.ai’ then the ‘Reply URL’ would be:
https://eu.wifi.purple.ai/access/auth?acs
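Added example, not from this guide or the portal's own code: a Python check that a SAML response carries the Destination and Audience values this guide configures (the Reply/ACS URL and the Entity ID) and that splits attributes into the common portal fields listed in the Google section and custom ones. The sample response, the `ada@example.org` user and the `department` attribute are constructed; the XML signature is not verified here, the portal does that.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Fields the guide says map straight onto the user record; anything
# else becomes a custom CRM field on the user.
COMMON_FIELDS = {"title", "firstName", "lastName", "phoneNumber", "gender"}

def entity_id(portal_domain, app_identifier=None):
    """Entity ID in the guide's format; Entra apps get a unique suffix."""
    base = f"https://{portal_domain}/access/auth"
    return f"{base}/{app_identifier}" if app_identifier else base

def acs_url(portal_domain):
    """Reply URL / ACS URL in the guide's format."""
    return f"https://{portal_domain}/access/auth?acs"

def check_response(xml_text, portal_domain, app_identifier=None):
    """Compare Destination and Audience with the configured values and pull
    out NameID and attributes. The XML signature is NOT verified here; the
    portal does that, and it is out of scope for this illustration."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != acs_url(portal_domain):
        problems.append("Destination does not match the ACS URL")
    audience = (root.findtext(".//saml:Audience", namespaces=NS) or "").strip()
    if audience != entity_id(portal_domain, app_identifier):
        problems.append("Audience does not match the Entity ID")
    email = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    if not email:
        problems.append("NameID (primary email) missing")
    common, custom = {}, {}  # split attributes the way the portal does
    for attr in root.findall(".//saml:Attribute", namespaces=NS):
        name = attr.get("Name")
        value = attr.findtext("saml:AttributeValue", namespaces=NS)
        (common if name in COMMON_FIELDS else custom)[name] = value
    return {"ok": not problems, "problems": problems,
            "email": email, "common": common, "custom": custom}

# Constructed sample response (not a real capture), signature omitted.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="https://eu.wifi.purple.ai/access/auth?acs"><saml:Assertion>
 <saml:Subject><saml:NameID>ada@example.org</saml:NameID></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://eu.wifi.purple.ai/access/auth/my-entra-saml-app</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="department"><saml:AttributeValue>Science</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Running `check_response(SAMPLE, "eu.wifi.purple.ai", "my-entra-saml-app")` accepts the sample, while passing a different application identifier or portal domain reports the mismatched field.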
Edit the Basic SAML Configuration
Click on the ‘Edit’ icon to add the Identifier (Entity ID) and Reply URL for your Entra application.
In the editor window that opens, enter the values into the relevant fields.
When you have added both values, click Save to save the configuration.
You should then see that your Basic SAML Configuration has been updated.
Step 3 - Create the new SAML connector in the WiFi Portal
- In your WiFi Portal, navigate to Connectors and click on Add to add a new SAML connector
You will then need to configure the following fields for your new connector:
Connector Name
Enter a name for your new connector
Enter your SSO URL
This value needs to be the ‘Login URL’ for your Entra application. This can be found in section 4 in the SAML configuration for your Entra application in Azure.
Copy the ‘Login URL’ value and enter it into the SSO URL field.
Enter your entity ID
This value needs to be the unique ‘Identifier (Entity ID)’ for your Entra application that you set up in Step 2 of this guide. This can be found in section 1 ‘Basic SAML Configuration’ in the SAML configuration for your Entra application in Azure.
Copy your ‘Identifier (Entity ID)’ and enter it.
Enter your certificate
This value needs to be the Base64 encoded x509 certificate for your Entra application. This value can be obtained by downloading the certificate via the ‘Download link’ found in section 3 ‘SAML Certificates’ in the SAML configuration for your application on Azure.
When you have downloaded the Base64 certificate, open the file in a text editor and copy and paste the entire contents into the connector certificate form field.
Staff only
Choose whether your connector is for Staff only or if it is for all WiFi users.
Note that you will need to configure Users and Group access for your Entra application in Azure if you wish to make it available for staff only. See Microsoft's online documentation for more information regarding how to configure access for your Entra application.
Type
Choose Microsoft / Azure AD as the type for the SAML connector.
After configuring all fields for the new connector, choose a scope for it and click Save to save it.
You can then configure your splash pages with your new SAML connector in Splash Page management via Onboarding > Splash pages.
You’re connected!
Adding a SAML Connector to a WiFi Splash Page
Overview
This section shows how to add a WiFi SAML connector to a Splash Page.
HTML Splash Page
- Navigate to Onboarding > Splash pages and Edit or Create a new offline HTML splash page
- On the HTML tab in the editor, locate the position in the HTML where you’d like to add a SAML authentication link and click to place the cursor at that position
- In the snippet library, locate and expand the Authentication links section and click on SAML to embed a [[!SamlAuthLink]] snippet at the cursor position in the HTML
- Click on the settings (cog) icon next to the SAML option in Authentication links to open SAML settings for the splash page
- In SAML settings select the connector you want to use on the splash page for WiFi authentication, enter a display Name for the SAML HTML link and click Save
- Save your splash page template to save the SAML settings
iOS Devices
When an iOS device connects to a WiFi network and detects a captive portal, it launches the Captive Network Assistant, a pop-up mini-browser that shares no cookies with the user's real browser, keeps no persistent cookies (every time it launches it has no record of the user's past logins) and has several security features, such as being unable to launch apps via deep links. This prevents users from reaching the Google or Microsoft Entra login page. To work around this, we have added a setting that exits the captive portal so the login page can be reached. You must enable this setting on your access journey:
- Click Onboarding > Access journeys and select the access journey you want to add this to.
- Click Options and select Enable iOS Captive Network Assistant exit.
If a staff member uses an iOS device they receive an extra login screen with the message "Click here to join the WiFi". This takes place outside of the captive portal so they can access the Google login page and the WiFi.
Data Sent
No Wi-Fi user data is sent to Google or Microsoft Azure. This connector is invoked on the Wi-Fi access journey for the user to then authenticate off domain before being redirected back to the journey.