Configure promptless Captive Portal using SAML and Auth Connector as the IDP

Article ID: 166784

Products

Web Security Service - WSS

Issue/Introduction

  • You want to configure promptless Captive Portal using Security Assertion Markup Language (SAML) and Auth Connector as the Identity Provider (IDP).
  • When the Auth Connector is used as the IDP and the SAML option is enabled for Captive Portal, the result is a promptless type of Captive Portal: users are authenticated without being asked for credentials.

Resolution

The Auth Connector has to be installed (or reinstalled) with the SAML options for Auth Connector-as-IDP enabled so that the IDP certificates are generated, and SAML has to be set up in the Web Security Service.

The promptless capability is provided by Windows Kerberos/NTLM SSO transactions.

Firefox, however, does NOT support Kerberos/NTLM SSO transactions by default; you enable this ability through a Firefox configuration setting.

How to Enable NTLM SSO in Firefox: 

  1. In Firefox, type: about:config
  2. Find the section: network.automatic-ntlm-auth.trusted-uris
  3. Enter the URIs (separated by a comma *and* a space) of the Windows Server where the BCCA-as-IDP is running, for example:
     WIN-0AZ7JK7JKDN.bc.lab.local, WIN-0AZ7JK7JKDN

No further action is needed in Chrome or Internet Explorer (support for Kerberos/NTLM SSO transactions is on by default in both).

Important:

With Captive Portal for Explicit Proxy, one of the most common mistakes is forgetting to add the IDP's hostname to the list of destinations EXCLUDED from Explicit Proxy (that is, not sent to the Cloud).

The traffic between the browser and the IDP should NOT go through the Cloud.
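As an added illustration (not part of this article or of the WSS product), the PAC file below keeps the browser-to-IDP exchange out of the explicit-proxy path and builds the Firefox trusted-URIs value in the required comma-and-space format. The IDP hostnames are the ones from the steps above; the cloud proxy address is a placeholder you must replace with the explicit proxy endpoint configured for your WSS tenant.

```javascript
// Added example, not from the original article. Plain JavaScript only (no PAC
// helpers such as dnsDomainIs), so the same file works under a PAC engine and
// can be exercised under Node for testing.

// Hostnames of the Windows server running the Auth Connector as IDP (from the article).
const IDP_HOSTS = ["WIN-0AZ7JK7JKDN.bc.lab.local", "WIN-0AZ7JK7JKDN"];

// PLACEHOLDER: replace with the explicit proxy endpoint your WSS tenant uses.
const CLOUD_PROXY = "PROXY wss-explicit-proxy.example.invalid:8080";

// Normalise a hostname the way the PAC engine compares it: lower-case, no trailing dot.
function normalizeHost(host) {
  return String(host).toLowerCase().replace(/\.$/, "");
}

// Standard PAC entry point.
function FindProxyForURL(url, host) {
  const h = normalizeHost(host);
  // The SAML/Kerberos exchange between the browser and the IDP must go DIRECT;
  // routing it through the Cloud breaks promptless Captive Portal.
  for (const idp of IDP_HOSTS) {
    if (h === normalizeHost(idp)) {
      return "DIRECT";
    }
  }
  // Everything else is sent to the cloud proxy so Captive Portal still applies.
  return CLOUD_PROXY;
}

// Value for network.automatic-ntlm-auth.trusted-uris: entries separated by a comma AND a space.
function firefoxTrustedUris(hosts) {
  return hosts.join(", ");
}
```

Point the browser at this PAC (or replicate its bypass in the WSS explicit-proxy exclusion list) and paste the output of firefoxTrustedUris(IDP_HOSTS) into about:config.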