Welcome to Purple Support

SAML/Staff WiFi


The SAML connector gives visitors or staff members the option to log in via your Google Workspace or Microsoft Azure Active Directory. This lets you provide single sign-on for anyone who has a login on your Google or Microsoft domain. For example, within a school, students and teachers may have school email accounts set up on the school's Google Workspace; with the SAML connector, students and teachers can use these accounts to log in to the WiFi.

You can also use this connector for staff only to clearly differentiate between visitors and staff on your reports so that you can create accurate insights into your data. To see only visitor information on your reports, you can filter by role, to show: User, Staff member and Unknown visitors.

You must set up SAML on your Google Workspace or Microsoft Account to use the connector.

To activate this feature, contact your customer success manager.

Set up Google for SAML

  1. Within your Google Workspace admin home page, click Apps.

  2. Click Web and mobile apps.

  3. Click Add App > Add custom SAML app.

  4. Add an app name and icon (this displays to users when they sign in to WiFi via the Google Workspace login).

  5. On the following page there is an SSO URL, Entity ID and Certificate. Make a note of these details, as you need this information to enter into the Portal connector settings, within Management > Connectors > SAML > Edit. You can return to these details at any time.

  6. Complete the Service provider details as follows:

    ACS URL

    https://DOMAIN.COM/access/auth?acs

    Where DOMAIN.COM is the (sub)domain where your WiFi splash journey is hosted.

    ACS entity

    https://DOMAIN.COM/access/auth

    Where DOMAIN.COM is the (sub)domain where your WiFi splash journey is hosted.

    Name ID format

    EMAIL

    Name ID

    Basic Information > Primary email

  7. Click Continue and add any additional fields you want to pass to the portal. Common fields include First name, Last name or Phone number, which should be passed as firstName, lastName and phoneNumber respectively. Common portal fields include:

    • title

    • firstName

    • lastName

    • phoneNumber

    • gender

    Any non-common field may still be passed; it is added as a new custom field on the user record in Marketing > CRM after the user logs in.

  8. To complete the setup, click Finish.

Set up Microsoft Azure for SAML

  1. Log in to Microsoft Azure and click Enterprise applications > New application.

  2. Click Create your own application, enter a name for the application, select Integrate any other application you don't find in the gallery (Non-gallery) and click Create.

  3. Confirm the Identifier (Entity ID) and Reply URL are configured correctly.

    Identifier (Entity ID)

    https://DOMAIN.COM/access/auth

    Where DOMAIN.COM is the (sub)domain where your WiFi access journey is hosted.

    Reply URL

    https://DOMAIN.COM/access/auth?acs

    Where DOMAIN.COM is the (sub)domain where your WiFi access journey is hosted.

  4. On the Base64 Certificate, click Download. You can open this file in Notepad; you must copy and paste its contents into the SAML configuration within Purple.

  5. Make a note or copy the Login URL and Azure AD Identifier.

  6. To ensure all users can sign on without the need to set up separate permissions in Azure AD, within Properties select No for Assignment required and Yes for Visible to users.
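The values entered above (the ACS URL and Entity ID from Google step 6 and Azure step 3, the EMAIL Name ID format, and the firstName/lastName/phoneNumber attributes from Google step 7) are what the identity provider puts into the SAML Response it posts back to the portal. The following is an added example, not Purple's code, showing how a service provider checks those values and maps the assertion onto a user record. It assumes a portal that rejects a response whose Destination or Audience does not match its own configured ACS URL and Entity ID, treats the common fields as first-class record fields and anything else as a custom CRM field, and marks the user "Staff member" when the connector is staff-only; the sample response is constructed and unsigned, and `DOMAIN.COM` is the page's own placeholder.

```python
"""Added example (not Purple's code): validate a SAML 2.0 Response against the
service-provider values configured in Google/Azure and map it to a user record."""
import xml.etree.ElementTree as ET  # stdlib parser; does not expand external entities

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Service-provider values from the setup steps (DOMAIN.COM is the page's placeholder).
ACS_URL = "https://DOMAIN.COM/access/auth?acs"
ENTITY_ID = "https://DOMAIN.COM/access/auth"

# "Common" portal fields from step 7; any other attribute becomes a custom field.
COMMON_FIELDS = {"title", "firstName", "lastName", "phoneNumber", "gender"}

# Constructed, unsigned sample response for illustration only.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://DOMAIN.COM/access/auth?acs">
  <saml:Issuer>https://idp.example/EXAMPLE-ISSUER</saml:Issuer>
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">teacher@example.edu</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://DOMAIN.COM/access/auth</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alex</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Rivera</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="department"><saml:AttributeValue>Science</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_response(xml_text, acs_url=ACS_URL, entity_id=ENTITY_ID, staff_only=False):
    """Return a user-record dict, or raise ValueError if the response was not
    addressed to this service provider. Verifying the IdP signature with the
    certificate noted in Google step 5 / Azure step 4 must happen before any of
    this in a real deployment; it is deliberately out of scope here."""
    root = ET.fromstring(xml_text)
    # Destination must be exactly the ACS URL we registered with the IdP.
    if root.get("Destination") != acs_url:
        raise ValueError("Destination does not match the configured ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    # Audience must be our Entity ID, so an assertion issued for another SP is refused.
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != entity_id:
        raise ValueError("Audience does not match the configured Entity ID")
    # The portal keys the user on the primary email, so the Name ID format must be EMAIL.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT or not name_id.text:
        raise ValueError("NameID must be present and in EMAIL format")
    record = {
        "email": name_id.text.strip(),
        "role": "Staff member" if staff_only else "User",  # assumed role mapping
        "custom": {},
    }
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        value = attr.findtext("saml:AttributeValue", namespaces=NS)
        if name in COMMON_FIELDS:
            record[name] = value
        else:
            record["custom"][name] = value  # non-common field -> custom CRM field
    return record


def is_rejected(xml_text, **kwargs):
    """True if parse_response refuses the response under the given SP settings."""
    try:
        parse_response(xml_text, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE, staff_only=True))
```

Running the block prints the mapped record for the constructed response; changing `acs_url` or `entity_id` to anything other than the configured values makes `parse_response` raise, which is the check that keeps an assertion minted for a different service provider from being accepted on the WiFi portal.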

Add the SAML connector

You must set up the connector so that visitors or staff members can log in to your WiFi via Google or Microsoft.

  1. Within Management > Connectors, on SAML click Add.

  2. Complete the Options as follows:

    Connector Name

    Enter a name for the connector, e.g. Staff WiFi.

    Enter your SSO URL

    Enter the details you noted down when you set up SAML within Google or Microsoft. If you did not make a note at the time of set up, refer to the Google or Microsoft SAML app to obtain this information.

    Enter your entity ID

    Enter your certificate

    Staff only

    If you enable this, only staff members can use this login method, which differentiates staff members from visitors on your reports. You can filter the reports by role, to show: User, Staff member and Unknown visitors.

    Type

    Choose which login type you want to use. Currently we only support Google Workspace and Microsoft Azure Active Directory.

    Allow entities below your scope to set up this connector

    Enables entities below your scope to set up the SAML connector. For example, if you are a reseller this allows companies, groups and venues to set up the connector.

    When you select this option you must also select the Override type.

    Override type

    Additional

    Entities can set up their own connector in addition to this one. This applies to all venues within the scope.

    Replacement

    Entities can override this connector. This only applies to this connector.

  3. Select the scopes you want the connector to be available for and click Save.

Update the offline splash pages

You must add SAML to the offline splash pages as a login method. For more information about how to set up and use splash pages, refer to Splash Pages.

Within Onboarding > Splash Pages, select the splash page you want to add the login method to.

Standard Splash Page

  1. On the Header tab, select SAML.

  2. Add a name for the login method and choose which login configuration to use.

  3. Click Submit and then Save.

HTML Splash Page

  1. On the HTML tab, locate the login form section and click the section you want the login option to appear in. Select Authentication links and click the settings icon on SAML.

  2. Select the login configuration and click Submit.

  3. Click Save.

You must ensure that the splash page is part of an Access Journey. When a visitor connects to your WiFi, the SAML connector is shown as a log in option.

iOS devices

When an iOS device connects to a WiFi network and detects a captive portal, it launches the Captive Network Assistant, a pop-up mini-browser that shares no cookies with the user's real browser, keeps no persistent cookies (every time it launches it has no record of the user's past logins), and has several security restrictions, such as being unable to launch apps via deep links. This prevents users from reaching the Google/Microsoft Azure login page. To work around this, we have added a new setting which exits the captive portal so that the login page can be reached. You must enable this setting on your access journey:

  1. Click Onboarding > Access journeys and select the access journey you want to add this to.

  2. Click Options and select Enable iOS Captive Network Assistant exit.

If a staff member uses an iOS device they receive an extra login screen with the message "Click here to join the WiFi". This takes place outside of the captive portal so they can access the Google login page and the WiFi.

Reports

If the SAML login is set up for staff only, you can get insights on data exclusively from staff members or visitors within all of the reports in Analytics > Visitors. Use the dimension 'by role' to show the results for staff members, users and unknown users. You can also use the report filters to filter by a specific role type.

[Report screenshots: Visitor by role; Connection methods]

Data Sent

No Wi-Fi user data is sent to Google or Microsoft Azure. This connector is invoked on the Wi-Fi access journey for the user to then authenticate off domain before being redirected back to the journey.
