Authentication Providers

Authentication Providers define how users are allowed to authenticate on a Splash page.

Users can use any available authentication method, and the Report will show which authentication provider was used.

Create a New Authentication Provider

When your Captive Portal is created with IronWifi, you do not have any Authentication Providers. To create an Authentication Provider, click the “Add New” button at the top of the section. When you’re done entering information, click the blue “Create” button at the bottom of the Authentication Providers window.

IronWifi currently supports 11 methods for authenticating users via a Splash page:

Anonymous Registration

This provider creates a simple Click to Connect button and does not require the user to enter any additional information. It can be used to simply accept the Terms of Usage.

INPUTS:

tos Accepted Terms of Service

TARGET METHOD and URL:

POST to https://splash.ironwifi.com/api/signin/anonymousreg

Demo


One Time Access

This provider requires the user to provide a valid email address to sign in.


Social Login – OAuth 2.0

Allows the user to sign in with their Social Network account. Supported providers include:

  • Google Apps
  • Facebook
  • LinkedIn
  • Twitter
  • Instagram

Client ID – By default, IronWifi uses its own Social Login application when requesting access to a user’s social profile. If you create your own application with a supported Social Login provider, you can enter your application’s Client ID number here, and your users will approve access to your application instead of IronWifi’s.

Client Secret – Secret password linked to the Client ID. You will get this from your OAuth 2.0 provider after you create a new Custom Application with them.


SAML 2.0 Single Sign-On

Allows users to sign in with their existing credentials through an existing SAML Identity Provider (IdP). SAML IdPs confirmed to work with IronWifi are Google Apps, Okta, Ping Identity and Active Directory Federation Services.

SSO URL – Single Sign-On URL provided by your SAML Identity Provider

IDP Entity ID – Entity identifier provided by your SAML Identity Provider

Certificate – public certificate in PEM format provided by SAML Identity Provider. This certificate is used for SAML message signature verification.

TARGET METHOD and URL:

POST to https://splash.ironwifi.com/api/signin/saml2

DEMO


SMS Registration

A temporary access code is sent to the visitor’s phone number. This code will have the format defined in Guest Manager’s username section.

SMS Gateway – select the external SMS gateway that should be used to send access codes to your visitors. Twilio and Clickatell are currently supported.

Auth Token – authentication token used to access services of SMS gateway provider. This token is issued by your SMS gateway provider.

Sender’s Phone Number – if supported and configured by your SMS gateway provider, outgoing text messages will appear to be coming from this phone number.

Country Code – you can let your users enter the country code in the input field, or you can select a value that should be added to all provided phone numbers.

SMS Body – defines the format of sent text messages. The ${sms_code} variable will be replaced with the generated access code.

Code expiration in minutes – for security reasons, access codes have an expiration time. The default value is 10 minutes.

Limit per phone number – maximum number of text messages that can be sent to the provided phone number within the “Code expiration in minutes” time period.

Limit per client – maximum number of text messages that can be sent from a connecting device within the “Code expiration in minutes” time period.

INPUTS:

Step 1:

phone_number [Required] The user-friendly phone number that should receive the SMS code. If Country Code is not specified in Authentication Provider Settings, this number should include a country code.

Step 2:

sms_code [Required] Contains SMS code for validation

fullname – visitor’s full name

firstname – visitor’s first name

lastname – visitor’s last name

TARGET METHOD and URL:

POST to https://splash.ironwifi.com/api/signin/smsreg

DEMO


Paid Access

Allows integration with external transaction processing to sell internet access. Available Paid plans are defined in the Hotspot Paid Plans section.

Transaction Processor – external credit card processor used to process payments from visitors. Stripe is currently supported. Any collected payments will go directly to your Stripe account, and IronWifi currently does not charge any extra processing fees.

Secret Key – authorization token provided by your Transaction Processor.

INPUTS:

email [Required] Visitor’s email address

card_number [Required] Credit card number

exp_year [Required] Credit card expiration year

exp_month [Required] Credit card expiration month

cvc [Required] Credit card security verification number

plan_quantity [Required] Number of units of selected plan

selected_plan [Required] ID of selected plan

TARGET METHOD and URL:

POST to https://splash.ironwifi.com/api/signin/hotspot

DEMO


Voucher Code

Allows visitors to sign in with pre-generated voucher codes. These codes can be created manually on the Users page (voucher = user with the same username as password), or you can use our Voucher Generator to generate a set of voucher codes.

API endpoint – web server URL that shouldSingle Sign-On URL provided by your SAML Identity Provider

INPUTS:

voucher_code [Required] Contains voucher code for validation

TARGET METHOD and URL:

POST to https://splash.ironwifi.com/api/signin/voucher

DEMO


Guest Self-Registration

This method allows you to collect additional information from your Guests. Examples of collected information are full name, phone number and email address.

INPUTS:

fullname Contains guest’s full name

firstname Contains guest’s first name

lastname Contains guest’s last name

phone Contains guest’s phone number

email Contains guest’s email address

TARGET METHOD and URL:

POST to https://splash.ironwifi.com/api/signin/guestselfregister

DEMO


Self Registration

Allows creation of permanent user accounts that can be used to sign in on the Splash page. This method is typically used in combination with the “Local Account” authentication provider method.

INPUTS:

username [Required] Contains user’s username

password [Required] Contains user’s password in clear-text

fullname Contains user’s full name

firstname Contains user’s first name

lastname Contains user’s last name

phone Contains user’s phone number

email Contains user’s email address

 

TARGET METHOD and URL:

POST to https://splash.ironwifi.com/api/signin/selfregister

DEMO


Local Account

This method requires your users to sign in with an existing account.

INPUTS:

username [Required] Contains username for validation

password [Required] Contains password in clear-text for verification

TARGET METHOD and URL:

POST to https://splash.ironwifi.com/api/signin/localaccount

DEMO


REST API

An external web server is used to verify the provided information. JSON data will be forwarded to the external API endpoint using the POST request method. This request will contain all information submitted by the user, and also the parameters from the original request URL. The request is authorized using a secret Bearer authentication token.

The user will be authorized if the web server returns a valid response with an HTTP status code between 200 and 299. If the status code is higher than 299, access will be denied.

API endpoint – web server URL that should receive the authentication request

API token – bearer token; if defined, this authentication token will be included with all requests sent to the external web server

INPUTS:

All input fields will be forwarded to the external web server. These may include username, password, voucher, email, etc.

TARGET METHOD and URL:

POST to https://splash.ironwifi.com/api/signin/rest

DEMO

Response Status Codes:

2** – return status code indicates success and sample body provides user attributes, access will be approved

HTTP/1.1 200 OK
{"valid_until":"2017/01/10 01:59:59 +0000","valid_from":"2017/01/09 02:03:52 +0000","nt_key":"abcd12345","membership_id":"`123456","membership":{"name":"John Sample","id":"12345678"},"id":"123456789abcdef"}

4** – return status code indicates failure and body provides error message, access will be denied

HTTP/1.1 422 Unprocessable Entity
{"errors":["Email/login or password incorrect."]}
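A minimal external endpoint for the REST API contract described above, as an added example rather than IronWifi's own code: it checks the Bearer token in constant time, then answers 200 or 422 in the shape of the sample responses. The token value, the account store, the 401 and 400 replies and the returned `id` attribute are assumptions made for illustration.

```python
import hashlib, hmac, json
from http.server import BaseHTTPRequestHandler, HTTPServer

API_TOKEN = "replace-with-provider-api-token"  # assumed value of the "API token" setting
SALT = b"constructed-salt"                     # constructed; use a per-user random salt

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"jsample": _hash("correct horse battery")}  # constructed account store
UNKNOWN = _hash("placeholder")  # hashed for unknown users so timing stays uniform
DENIED = {"errors": ["Email/login or password incorrect."]}

def decide(auth_header, raw_body):
    """Return (status, body) for one forwarded sign-in request."""
    scheme, _, token = (auth_header or "").partition(" ")
    if scheme.lower() != "bearer" or not hmac.compare_digest(
            token.encode(), API_TOKEN.encode()):
        return 401, {"errors": ["Invalid bearer token."]}
    try:
        fields = json.loads(raw_body)
    except ValueError:  # malformed JSON or undecodable bytes
        return 400, {"errors": ["Body is not valid JSON."]}
    if not isinstance(fields, dict):
        return 422, DENIED
    user, password = fields.get("username"), fields.get("password")
    if not isinstance(user, str) or not isinstance(password, str):
        return 422, DENIED
    match = hmac.compare_digest(_hash(password), USERS.get(user, UNKNOWN))
    if not (match and user in USERS):
        return 422, DENIED  # same reply for unknown user and wrong password
    return 200, {"id": user}  # any 2xx status approves access

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = min(int(self.headers.get("Content-Length") or 0), 65536)
        status, body = decide(self.headers.get("Authorization"),
                              self.rfile.read(length))
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

if __name__ == "__main__":
    # Plain HTTP on localhost for the demo; a real endpoint sits behind TLS.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Because any status from 200 to 299 approves access, every failure path in such an endpoint has to return a non-2xx status explicitly.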

Employee Authorization

The visitor will be required to provide basic information, and an Access Request email is sent for approval. The visitor will be authorized after the approver clicks the link contained in the delivered request. The sent email can be white-labeled to match your design.

Approver’s email address – this is the email address where Access Request emails should be delivered. If not defined, a visitor can enter the email address of the visited person, and an email will be sent to this email address instead. For this to work, an input field with id “eaa_email” needs to be on the Splash page, and a user with the same username or email address has to exist in the IronWifi account.

Request expiration – an access request can have an expiration time. You can define the expiration period in minutes, or leave it blank if the request should not expire.

INPUTS:

fullname – visitor’s full name

email – visitor’s email address

firstname – visitor’s first name

lastname – visitor’s last name

phone – visitor’s phone number

approver_email – sponsor’s email address, domain address or leave empty. If you define an email address, all requests will be delivered to this email address. If you define a domain (e.g. @example.com), or multiple domains separated with commas, the guest will have to enter an email address that belongs to one of these domains (e.g. bill@example.com). If you leave this input field empty, the guest can enter any email address, but there has to be a valid user with the same email address defined in Console -> Users.

TARGET METHOD and URL:

POST to https://splash.ironwifi.com/api/signin/employeeauth

DEMO