Configure promptless Captive Portal using SAML and Auth Connector as the IDP
Article ID: 166784
Updated On:
Products
Cloud Secure Web Gateway - Cloud SWG
Issue/Introduction
- You want to configure promptless Captive Portal using Security Assertion Markup Language (SAML) and Auth Connector as the Identity Provider (IDP).
- When you use the Auth Connector as the IDP (and you enable the SAML option for Captive Portal), then this configuration is a promptless type of Captive Portal.
Resolution
The Auth Connector has to be installed (or reinstalled) to enable the SAML options for Auth Connector-as-IDP, and have the IDP certificates generated. And SAML has to be set up.
- For more info on how to install Auth Connector as a SAML IDP, please go to About the Auth Connector as a SAML IDP
The promptless capability is provided by Windows Kerberos/NTLM SSO transactions.
Firefox browsers, however, do NOT support Kerberos/NTLM SSO transactions by default. However, you can configure this ability by a Firefox config setting.
How to Enable NTLM SSO in Firefox:
- In Firefox, type: about:config
- Find the section: network.automatic-ntlm-auth.trusted-uris
- Enter URI's (separated by a comma *and* a space) of your Windows Server where the BCCA-as-IDP is running, like:
WIN-0AZ7JK7JKDN.bc.lab.local, WIN-0AZ7JK7JKDN
No further action is needed in Chrome or Internet Explorer (Support for Kerberos/NTLM SSO transactions is on by default).
Important:
With Captive Portal for Explicit Proxy, one of the most common hang-ups is to forget to add the IDP’s hostname to be EXCLUDED from Explicit Proxy (being sent to Cloud).
The traffic between the browser and the IDP should NOT go through the Cloud.
Feedback
Yes
No
Powered by
