By following the steps below, you'll enable secure LDAP on Microsoft Entra ID and configure the required firewall rules and roles, ensuring secure and seamless authentication for your EnGenius Access Points.
Sign in to the Microsoft Azure Admin console.
Navigate to portal.azure.com and sign in with your credentials.
Enable the Microsoft Entra ID Secure LDAP Server.
Follow the instructions provided in the Microsoft Entra ID documentation to enable the secure LDAP server.
(Optional) Configure an appropriate role for verifying user credentials.
Specify a role that can read keys and values for the AP to verify users.
For more information on Microsoft Entra built-in roles, see https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference.
Create a Firewall rule for the AP to query your Microsoft Entra ID Secure LDAP Server.
Ensure TCP traffic direction is set to outgoing to port 636 of hostname ldaps.aaddscontoso.com (hostname and port from step 1).
Explore SAML SSO fundamentals and benefits with ADFS on EnGenius Cloud
SAML (Security Assertion Markup Language) is a protocol for authentication and authorization that allows users to securely access multiple applications with a single set of credentials. It strengthens security and simplifies the sign-in process, making it easier for organizations to deploy SSO (Single Sign-On) across their systems and applications.
The feature integrates SAML SSO with ADFS to streamline user authentication across different services that an organization uses.
At its core, SAML involves three participants:
The User - This is the individual trying to access a service (the EnGenius Cloud).
The Identity Provider (IdP) - This is the trusted entity that verifies the user's credentials, like usernames and passwords, and any associated groups or attributes. It's usually a login portal. In this context, it is ADFS.
The Service Provider (SP) - This is the service or application the user is trying to use, which, in this context, is the EnGenius Cloud.
Centralized Authentication for Corporate Applications:
SAML SSO with ADFS enables employees to access various enterprise applications, including HR systems, email, and CRM tools, using a single credential set, reducing the necessity for multiple usernames and passwords.
Integrating with Cloud Services:
Using SAML SSO with ADFS streamlines employee access to cloud services like Microsoft Office 365, Salesforce, and third-party cloud platforms, ensuring secure and user-friendly authentication.
EnGenius Cloud provides two SAML login options with ADFS integration: IdP-Initiated and SP-Initiated. The choice depends on your administrators' preferred user experience and your business's IdP protocols. Both methods are compatible and can be used together. This article explains the SAML setup compatible with both IdP-Initiated and SP-Initiated SAML.
IdP-Initiated SAML is ideal for organizations with a standard login portal for app and service access. This guide outlines the fundamental setup for the IdP-Initiated SAML with ADFS.
Log in through the ADFS portal
Choose the desired service (such as the EnGenius Cloud)
User authentication by ADFS
Get redirected to the EnGenius Cloud
Choose SP-Initiated SAML for direct login via the EnGenius Cloud (SSO URL), especially if you don't use a separate login portal.
Begin at the EnGenius Cloud (SSO URL)
Get redirected to your IdP (ADFS login portal)
Choose the desired service (such as the EnGenius Cloud)
User authentication by ADFS
Get redirected to the EnGenius Cloud
EnGenius Cloud SSO URL
The EnGenius Cloud SSO URL, customizable for easy recall via the MSP Portal GUI, links to and redirects users to the specific IdP's login portal.
Enabling SAML Single Sign-On (SSO) with ADFS on EnGenius Cloud MSP Portal
This guide details setting up Active Directory Federation Services (ADFS) as a SAML SSO identity provider (IdP) for EnGenius Cloud - MSP Portal. Prior reading on SAML integration is advised. It assumes an existing ADFS setup.
Refer to Microsoft's guide for detailed ADFS configuration. The integration steps presented may vary by environment, but the SAML assertion must include specific usernames and role attributes.
Guided setup of SAML SSO in EnGenius Cloud's MSP Portal
ADFS installation and initial setup are complete.
Obtain the metadata file from ADFS.
The MSP portal on EnGenius Cloud Platform is activated with an MSP license.
Go to Organization > MSP Portal > Teams > Team Management and find the SAML SSO section.
Enable SAML SSO.
Click on Add to create a new "IdP" to input SAML identity provider details:
Upload the Identity Provider (IdP) Metadata file, which you can extract from your ADFS server.
Provide a Name that helps to identify this IdP.
Provide the Login URL, which is the URL of the existing ADFS login page.
IdP Metadata for SSO Integration
Metadata for an IdP is a data file containing the IdP's unique identifier, service URLs, public key certificates, and supported communication protocols, used to enable secure SSO connections.
Logout URL for Auto-Logout Redirection
The 'Logout URL' allows users to set a specific webpage to redirect to after a defined period of inactivity, ensuring an automatic and secure logout.
Upon creation of IdP, the system auto-generates the Consumer URL for where the IdP user data will be sent post-IdP authentication.
Record the "Consumer URL" as it is essential for future ADFS configuration.
Customize the EnGenius SSO Login URL: Adjust the ending URL for easier recall. It serves as a direct link to the default IdP and is unique to a single IdP.
Select a Default IdP from the IdP list; it is associated with the EnGenius Cloud SSO page as the IdP that users are redirected to when they log in through the SSO URL.
Multi-IDP SAML SSO Configuration
You can manage and create several IdPs in the EnGenius Cloud to establish SAML SSO, each with its unique Login and Consumer URLs, but only one can map to the SSO Login shorthand URL.
Navigate to Organization > MSP Portal > Teams > Team Privilege to access the SAML administrator roles. Use this to assign user group privileges. SAML users receive permissions based on the 'role' attribute in their SAML token from the IdP.
To set up a new role for the IdP:
Click "Add Team".
Assign managed scope and permissions as you would for standard users.
To finalize, click "Create admin" and "Save changes".
The new team is set by default to the "All Org" scope with "Admin" permissions; however, customization for individual organizations is possible.
Configure ADFS for seamless integration with EnGenius Cloud's SSO
This guide provides the steps for configuring ADFS on Windows Server 2022 as an IdP. Please note that images used in the steps may vary with Windows Server updates.
Launch the AD FS management console from Start > Administrative Tools > AD FS Management.
Select 'AD FS' at the top and from the Actions menu, choose 'Add Relying Party Trust'.
Click 'Start' to configure a new trust for Dashboard.
Opt to 'Enter data about the relying party manually' and click 'Next'.
Provide a 'Display name' such as "EnGenius Cloud" for identification in the console and for users, then proceed with 'Next'.
Bypass the 'Configure Certificate' step by selecting 'Next'.
Check the box to Enable support for the SAML 2.0 WebSSO protocol. Input the EnGenius Cloud's 'Consumer URL' into the text field and click 'Next'.
The Consumer URL can be found under Organization > MSP Portal > Teams > Team Management > SAML SSO Settings (from the IdP configuration).
For 'Relying party trust identifier', input "https://msp-sso.engenius.ai", click 'Add', then 'Next'.
Relying Party Trust ID in SAML Authentication
The Relying Party Trust Identifier is a unique identifier that an Identity Provider uses to recognize and authenticate the specific Service Provider (The EnGenius Cloud) in a SAML setup.
Set default authorization rules; for this guide, choose 'Permit everyone' and click 'Next'.
Open the 'Edit Claim Rules' dialog and go to the 'Issuance Transform Rules' tab, then click 'Add Rule'.
Choose 'Send LDAP Attributes as Claims' as the template and click 'Next'.
To configure a username attribute for SAML:
Name the claim rule "Email".
Choose 'Active Directory' for the attribute store.
Select a unique LDAP Attribute, like E-Mail-Addresses that will be sent to the EnGenius Cloud as the username.
Set the Outgoing Claim Type to "email"
Click 'Finish'.
Outgoing Claim Type
An "Outgoing Claim Type" is a user attribute, like an email or username, that ADFS sends to a Service Provider (EnGenius Cloud) to identify and authorize users in SAML transactions.
Open 'Edit Claim Rules', navigate to 'Issuance Transform Rules', and select 'Add Rule'.
For the template, select 'Send Group Membership as a Claim'.
Name the claim rule "Teams" for assigning user roles.
Use 'Browse' to pick a group for the role assignment.
Set the Outgoing claim type to "msp_teams".
Enter the matching Role/Team value from the MSP Portal's Teams role in 'Outgoing claim value' to grant access.
Click 'Finish'.
The role/team must correspond with one in EnGenius Cloud under Organization > MSP Portal > Teams > Team Privileges.
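To illustrate what the two claim rules above ("Email" sent as email, "Teams" sent as msp_teams) produce, here is an added example, not EnGenius Cloud's own code, that parses a constructed ADFS assertion, checks the audience matches the relying party trust identifier, and maps the claims to a username and a Team Privilege role. It assumes the SP has already verified the assertion's XML signature; the issuer URL and attribute values are made up.

```python
import xml.etree.ElementTree as ET

# Namespace used by SAML 2.0 assertions.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values from the relying-party and claim-rule configuration described on this page.
EXPECTED_AUDIENCE = "https://msp-sso.engenius.ai"
EMAIL_CLAIM = "email"
TEAMS_CLAIM = "msp_teams"

# Constructed sample assertion (issuer, user and team are placeholders; signature omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_sample" Version="2.0">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://msp-sso.engenius.ai</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="msp_teams">
      <saml:AttributeValue>NetOps</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_sso_claims(assertion_xml, known_teams):
    """Return (username, team) from a signed-and-verified assertion, else raise ValueError.

    known_teams: the role/team names defined under Team Privileges (assumed set).
    """
    root = ET.fromstring(assertion_xml)
    # Reject assertions issued for a different service provider.
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError(f"audience mismatch: {audiences}")
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    emails = attrs.get(EMAIL_CLAIM, [])
    if len(emails) != 1:
        raise ValueError("expected exactly one email claim")
    # Only a team that exists in the MSP Portal grants access.
    teams = [t for t in attrs.get(TEAMS_CLAIM, []) if t in known_teams]
    if not teams:
        raise ValueError("no msp_teams value matches a Team Privilege role")
    return emails[0], teams[0]
```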
Users authenticated via ADFS can now sign into the "EnGenius Cloud".
If this is your first time accessing EnGenius Cloud service through your company's ADFS portal, you'll need to set up a user account initially. Once done, this will allow for automatic sign-in thereafter. The user account includes the following data:
User name
Region
By default, EnGenius APs use LDAP to associate with Microsoft Entra ID, formerly Azure Active Directory (Azure AD). This document outlines the steps to use Microsoft Entra ID Secure LDAP credentials to access your secure wireless network and shows the software architecture.
Integrating EnGenius APs with Microsoft Entra ID secure LDAP authentication provides many benefits, including the easy synchronization of users from on-premises Active Directory (AD) to the Microsoft Entra ID LDAP Server, quick setup in the Microsoft Entra ID server, and increased reliability.
For more information about “LDAP authentication with Microsoft Entra ID,” refer to https://learn.microsoft.com/en-us/entra/architecture/auth-ldap.
Issue: If a user selects an unsupported authentication method (e.g., EAP-TTLS + GTC) first and then switches to EAP-TTLS + PAP, they may encounter connection failures.
Solution: Delete the wireless profile and create a new one, selecting EAP-TTLS + PAP directly.
Issue: Samsung devices require the Domain field to be filled in.
Solution: Ensure that the Domain field is completed during configuration.
Issue: Google Pixel devices require a certificate to be installed for authentication.
Solution: Follow the instructions provided by Google to install the necessary certificate. Refer to the Google Support page for detailed steps.
Several tools are available to create self-signed certificates. In this tutorial, we will use OpenSSL to create a self-signed certificate for secure LDAP.
Generate the certificate:
Download FreeRADIUS code from https://github.com/FreeRADIUS/freeradius-server/tree/master/raddb/certs.
Navigate to the directory: cd raddb/certs/
Adjust the customized information in the .cnf file (e.g., domain name, expiration duration, location, etc.).
Run the bootstrap script: ./bootstrap
Zip the certificate files: zip cert.zip server.pem dh ca.pem
Click Import and Zip File Upload to upload cert.zip to EnGenius Cloud.
Export ca.pem and install it on the client device if requested.
EAP-TTLS/PAP and TLS 1.2+ are essential on client devices. The following operating systems have native support and are verified to work with EnGenius Cloud AP:
iOS version 13 and higher
Google Chrome OS
Android version 6 and higher
Microsoft Windows 8 and higher
macOS 11 and higher
By following these steps, you can configure the LDAP profile on client devices to ensure proper authentication with the Entra ID (Azure AD) LDAP Server.
To allow client devices to authenticate with the Entra ID (Azure AD) LDAP Server, some devices, such as Android phones, require the installation of the Certificate Authority (CA) certificate (ca.pem). This certificate is needed for secure communication between the Access Point and client devices and can be exported via the EnGenius Cloud GUI.
Client devices scan for the EnGenius WiFi SSID and connect to it.
The 802.1X page pops up and requests the Username and Password (e.g., account@example.edu).
If the Certificate page pops up, click Trust.
For Android phones, it is required to specify the EAP method and Phase 2 authentication. Please refer to the following settings:
EAP method: Select EAP-TTLS.
Phase 2 authentication: Select PAP.
(Note: If PAP is not supported on client devices, GTC is an alternative option but may have compatibility issues on specific devices, e.g., Chromebook.)
Domain (Optional): Enter the corresponding domain shown on the Cloud GUI, e.g., engenius.ai (by default).
Online Certificate Status: Choose Do not validate.
(Note: For Google Nexus devices, this option is not available. The certificate (ca.pem) must be installed.)
By following the steps below, you can configure Microsoft Entra ID (Azure AD) authentication for your SSID, ensuring secure access to your wireless network.
Ensure your EnGenius Cloud APs have an active Pro License and that the Org AP feature plan is set to Pro. You can then configure them to use the Microsoft Entra ID (Azure AD) LDAP Server for WPA2/WPA3-Enterprise or Captive Portal authentication.
Choose the SSID to Enable Azure AD Authentication.
Go to Org / Network.
Click the EnGenius WiFi in the SSID list.
Choose the Security Type and Authentication Type to apply for this SSID.
Security Type: Click Wireless > Security Type > WPA2 or WPA3 Enterprise.
Authentication Type: Click Captive Portal > Authentication Type > Azure AD.
Select Authenticate with Azure AD.
Fill in the Host, Port, Account, and Password.
Base DN (Optional): Starting point of the LDAP directory tree when the AP requests the search of the corresponding user's credentials in the LDAP server. If the field is empty, the AP auto-detects the configuration from the Azure AD/Entra ID LDAP server. Otherwise, the user can set the specified Base DN string according to the Azure AD host. (Format: ou=AADDC Users,dc=engenius-azure,dc=ddns,dc=net).
(Optional) Import the Authenticator certificate for customized content and domain.
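As an added illustration of the Base DN field above (not EnGenius's AP code), this example validates a Base DN in the format shown on this page, splits it into its RDN components, and builds an escaped LDAP search filter for the username entered on the 802.1X page. It assumes the user entry is looked up by userPrincipalName and that the DN values contain no escaped commas.

```python
import re

# Base DN format shown on this page for the Entra ID managed domain.
DEFAULT_BASE_DN = "ou=AADDC Users,dc=engenius-azure,dc=ddns,dc=net"

# RFC 4515: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def parse_base_dn(dn):
    """Split 'ou=AADDC Users,dc=x,dc=net' into [(attr, value), ...] or raise ValueError.

    Assumes no escaped commas inside values (true for the AADDC-style DN above).
    """
    rdns = []
    for part in dn.split(","):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        attr, value = attr.strip().lower(), value.strip()
        if not re.fullmatch(r"[a-z][a-z0-9-]*", attr) or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr, value))
    # A Base DN for a managed domain should end in its domain components.
    if rdns[-1][0] != "dc":
        raise ValueError("Base DN should end in the domain components (dc=...)")
    return rdns


def escape_filter_value(value):
    """Escape a user-supplied value before placing it in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_search(base_dn, username):
    """Return (base_dn, filter) for looking up the 802.1X username's entry.

    Escaping keeps a username such as 'a*)(uid=*' from widening the search.
    userPrincipalName as the lookup attribute is an assumption of this example.
    """
    parse_base_dn(base_dn)  # fail early on a malformed Base DN
    flt = f"(&(objectClass=user)(userPrincipalName={escape_filter_value(username)}))"
    return base_dn, flt
```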
Manufacturer | Model | Operating System |
---|---|---|
Apple | iPhone 7 Plus | iOS 13.1.3 |
Apple | iPhone 11 | iOS 15.4 |
Apple | iPhone 12 | iOS 14.1 |
Apple | iPhone XS | iOS 14.6 |
Apple | MacBook Air (M1, 2020) | macOS 12.3 |
Apple | iPad Air A1474 (2013) | iOS 12.5.5 |
Lenovo | IdeaPad Duet CT-X636F | Chrome OS 72 |
Google | Pixel 3a | Android 11 |
HP | ProBook 450 G8 | Windows 10 |
Samsung | S21 | Android 11 |
Samsung | Note 4 | Android 6.0.1 |