Configure the SAML Plug-in

Applies To: Wi-Fi Cloud-managed Access Points (AP120, AP125, AP225W, AP320, AP322, AP325, AP327X, AP420)

You can use the SAML authentication plug-in to authenticate your Captive Portal users with an identity provider (IdP). To use the SAML plug-in, you must select the Cloud Hosted portal mode in your SSID captive portal settings.

To configure the SAML plug-in:

  1. Open Discover.
  2. Open the Navigator, and select the location where you want to apply the SSID settings.
  3. Select Configure > WiFi.
  4. Select the SSID tab.
  5. Select an existing SSID or add a new SSID.
  6. Select the Captive Portal tab.
  7. Select the Captive Portal check box.
  8. Select Cloud Hosted as the portal mode.
  9. In the Authentication Plugins & Quality of Service section, click Select login method for guest WiFi users.

  10. Select the Custom check box in the list of plug-ins, then select SAML.

Screenshot of the SAML plug-in settings selection in a Captive Portal

  11. Click the SAML icon to edit the plug-in settings.
  12. In the Display Name text box, type the name that users will see on the splash page.
    The maximum is 15 characters.
  13. (Optional) Upload a logo for the SAML icon that appears in the plug-in configuration page.
  14. Click Download SP Metadata XML and share this downloaded metadata file with your identity provider.
  15. Provide the metadata information received from your identity provider. You can manually add the metadata or upload an XML file.

To manually add metadata, provide this information:

  • Entity ID — The ID of the SAML SSO identity provider (IdP).
  • Login URL — The URL of the IdP application.
  • Hash Algorithm — Select SHA256 or SHA512. The default is SHA256.
  • Upload Certificate — Select and upload the certificate file used by the IdP to sign or encrypt the data.
  16. Click Upload XML to upload the XML metadata file from your local computer.
  17. Provide a mapping between the SAML attribute and the target attribute. The SAML attributes are predefined attributes that users see on the splash page. The Target attributes are attributes defined by the identity provider.
  18. You can configure these additional Quality of Service (QoS) options:
  • Login Timeout — Select the time, in minutes, for which a wireless user can access the guest network after they log in to the portal page. After the timeout is reached, access to the guest network is stopped and the portal page is displayed again. The user must log in to the portal page to regain access to the guest network. If the user disconnects and reconnects to the guest network before their session times out, the user does not have to enter their credentials on the splash page again.
  • Blackout Time — The time for which a guest user is not allowed to log in after a previous session timed out.
  • Limit the maximum download bandwidth to — The maximum download bandwidth in Kbps or Mbps for the guest user.
  • Limit the maximum upload bandwidth to — The maximum upload bandwidth in Kbps or Mbps for the guest user.
  • Redirect URL — The URL of the page to which a guest user must be redirected after successful authentication.
  19. Click Save to save the plug-in settings.
  20. Click Save to save the SSID settings.