The SAML connector gives visitors or staff members the option to log in via your Google Workspace or Microsoft Azure Active Directory. This lets you provide single sign-on for anyone who has a login on your Google or Microsoft domain. For example, within a school, students and teachers may have school email accounts set up on the school's Google Workspace; with the SAML connector, they can use those accounts to log in to the WiFi.
You can also use this connector for staff only, to clearly differentiate between visitors and staff on your reports and create accurate insights from your data. To see only visitor information on your reports, filter by role: User, Staff member or Unknown visitors.
You must set up SAML on your Google Workspace or Microsoft Account to use the connector.
To activate this feature, contact your Account Executive.
Set up Google for SAML
- Within your Google Workspace admin home page, click Apps.
- Click Web and mobile apps.
- Click Add App > Add custom SAML app.
- Add an app name and icon (this displays to users when they sign in to WiFi via the Google Workspace login).
- On the following page there is an SSO URL, Entity ID and Certificate. Make a note of these details, as you need to enter them into the Portal connector settings within Management > Connectors > SAML > Edit. You can return to these details at any time.
- Complete the Service provider details as follows:
  ACS URL: https://DOMAIN.COM/access/auth?acs
  (where DOMAIN.COM is the (sub)domain where your WiFi splash journey is hosted)
  ACS entity: https://DOMAIN.COM/access/auth
  (where DOMAIN.COM is the (sub)domain where your WiFi splash journey is hosted)
  Name ID format: EMAIL
  Name ID: Basic Information > Primary email
- Click Continue and add any additional fields you want to pass to the portal. Common fields include First name, Last name or Phone number, which should be passed as firstName, lastName and phoneNumber respectively. Common portal fields include:
  - title
  - firstName
  - lastName
  - phoneNumber
  - gender
  Any non-common fields may still be passed; each one adds a new custom field to the user record in Marketing > CRM after the user logs in.
- To complete the setup, click Finish.
Set up Microsoft Azure for SAML
- Log in to Microsoft Azure and click Enterprise applications > New application.
- Click Create your own application, enter a name for the application, select Integrate any other application you don't find in the gallery (Non-gallery) and click Create.
- Confirm the Identifier (Entity ID) and Reply URL are configured correctly:
  Identifier (Entity ID): https://DOMAIN.COM/access/auth
  (where DOMAIN.COM is the (sub)domain where your WiFi access journey is hosted)
  Reply URL: https://DOMAIN.COM/access/auth?acs
  (where DOMAIN.COM is the (sub)domain where your WiFi access journey is hosted)
- Next to the Base64 Certificate, click Download. Open this file in Notepad; you must copy and paste its contents into the SAML configuration within Purple.
- Make a note of, or copy, the Login URL and Azure AD Identifier.
- To ensure all users can sign on without the need to set up separate permissions in Azure AD, within Properties select No for Assignment required and Yes for Visible to users.
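As an added example (not Purple's, Google's or Microsoft's code) of what the service-provider side must check against the values configured in both the Google and Azure sections above: this Python function takes a constructed, unsigned SAML response and verifies that its Destination matches the ACS URL and its Audience matches the entity ID, confirms the Name ID is an email address, and splits the attributes into the common portal fields and custom CRM fields. It assumes signature verification against the pasted IdP certificate (and the usual validity-window and InResponseTo checks) has already happened, since nothing in an unverified response can be trusted.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Values from the guide; DOMAIN.COM stays a placeholder for the splash-journey host.
ENTITY_ID = "https://DOMAIN.COM/access/auth"
ACS_URL = "https://DOMAIN.COM/access/auth?acs"
COMMON_FIELDS = {"title", "firstName", "lastName", "phoneNumber", "gender"}

# Constructed, unsigned sample response for illustration only. A real SP must
# verify the IdP signature with the pasted certificate before trusting any of it.
SAMPLE_RESPONSE = f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}"
    Destination="{ACS_URL}" ID="_r1" Version="2.0">
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@school.example</saml2:NameID>
    </saml2:Subject>
    <saml2:Conditions><saml2:AudienceRestriction>
      <saml2:Audience>{ENTITY_ID}</saml2:Audience>
    </saml2:AudienceRestriction></saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="firstName"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="lastName"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="studentId"><saml2:AttributeValue>S-12345</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

def parse_response(xml_text, entity_id=ENTITY_ID, acs_url=ACS_URL):
    """Return (email, common_fields, custom_fields); raise ValueError on any mismatch."""
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:  # response must be addressed to our ACS URL
        raise ValueError("Destination does not match the ACS URL")
    assertion = root.find("saml2:Assertion", NS)
    audience = assertion.findtext("saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", namespaces=NS)
    if audience != entity_id:  # assertion must be issued for our entity ID, not another SP
        raise ValueError("Audience does not match the SP entity ID")
    name_id = assertion.find("saml2:Subject/saml2:NameID", NS)
    if name_id is None or not name_id.get("Format", "").endswith(":emailAddress"):
        raise ValueError("Name ID format must be EMAIL")
    common, custom = {}, {}  # known portal fields vs. fields that become custom CRM fields
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        value = attr.findtext("saml2:AttributeValue", namespaces=NS)
        (common if attr.get("Name") in COMMON_FIELDS else custom)[attr.get("Name")] = value
    return name_id.text, common, custom
```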
Add the SAML connector
You must set up the connector so that visitors or staff members can log in to your WiFi via Google or Microsoft.
- Within Management > Connectors, on SAML click Add.
- Complete the Options as follows:
  Connector Name: enter a name for the connector, e.g. Staff WiFi.
  Enter your SSO URL, Enter your entity ID, Enter your certificate: enter the details you noted down when you set up SAML within Google or Microsoft. If you did not make a note at the time of setup, refer to the Google or Microsoft SAML app to obtain this information.
  Staff only: if you enable this, only staff members can use this login method. This differentiates staff members from visitors on your reports. Analytics are tagged with a role of Staff (when enabled) or User (when disabled). Reports can be filtered by role to show: User, Staff member, and Unknown visitors.
  Type: choose which login type you want to use. Currently we only support Google Workspace and Microsoft/Azure Active Directory.
  Allow entities below your scope to set up this connector: enables entities below your scope to set up the SAML connector. For example, if you are a reseller, this allows companies, groups and venues to set up the connector. When you select this option you must also select the Override type.
  Override type:
  - Additional: entities can set up their own connector in addition to this one. This applies to all venues within the scope.
  - Replacement: entities can override this connector. This only applies to this connector.
- Select the scopes you want the connector to be available for and click Save.
Update the offline splash pages
You must add SAML to the offline splash pages as a login method. For more information about how to set up and use splash pages, refer to Splash Pages.
Within Onboarding > Splash Pages > select the splash page you want to add the login method to.
Standard Splash Page
- On the Header tab, select SAML.
- Add a name for the login method and choose which login configuration to use.
- Click Submit and then Save.
HTML Splash Page
- On the HTML tab, locate the login form section, click the section you want the login option to appear in, select Authentication links and click the settings icon on SAML.
- Select the login configuration and click Submit.
- Click Save.
You must ensure that the splash page is part of an Access Journey. When a visitor connects to your WiFi, the SAML connector is shown as a log in option.
iOS devices
When an iOS device connects to a WiFi network and detects the presence of a captive portal, it launches the Captive Network Assistant, a pop-up mini-browser that shares no cookies with the user's real browser, keeps no persistent cookies (every time it launches it has no history of the user's past logins), and has several security features such as the inability to launch apps via deep links. This prevents users from reaching the Google/Microsoft Azure login page. To work around this, we have added a setting that exits the captive portal in order to reach the login page. You must enable this setting on your access journey:
- Click Onboarding > Access journeys and select the access journey you want to add this to.
- Click Options and select Enable iOS Captive Network Assistant exit.
If a staff member uses an iOS device they receive an extra login screen with the message "Click here to join the WiFi". This takes place outside of the captive portal so they can access the Google login page and the WiFi.
Reports
If the SAML login is set up for staff only, you can get insights on data for staff members or visitors separately within all of the reports in Analytics > Visitors. Use the dimension 'by role' to show the results for staff members, users and unknown users. You can also use the report filters to filter by a specific role type.
Visitor by role
Connection methods
Data Sent
No Wi-Fi user data is sent to Google or Microsoft Azure. The connector is invoked from the Wi-Fi access journey; the user authenticates off-domain with the identity provider and is then redirected back to the journey.