1. Help Center
  2. Captive Portals

Authentication Providers

Description of each authentication provider IronWiFi provides

Authentication Providers define how users are allowed to authenticate on a Splash page.

Users will be allowed to use any available authentication method, and the Report will contain information about the authentication provider.

Add a New Authentication Provider

When your first create a Captive Portal, you do not have any Authentication Providers defined. To add an Authentication Provider, click the “Add New” button at the top of the section. When you finish entering information, click the blue "Add Provider" button at the bottom of the Authentication Providers window.

IronWiFi currently supports 11 methods on how to authenticate users via a Splash page:

  • Anonymous Access
  • Social Login - OAuth 2.0
  • SAML 2.0 - Single Sign-On
  • Paid Access
  • Voucher Code
  • Guest Access
  • Self Registration
  • Local Account
  • Sponsored Access
  • SMS One Time Password

Anonymous Access

This provider creates a simple Click to Connect button and does not require the user to enter any additional information. It can be used to accept the Terms of Usage.


tos Accepted Terms of Service


POST to https://splash.ironwifi.com/api/signin/anonymousreg


Social Login - OAuth 2.0

It allows the user to sign in with their Social Network account. Supported providers include:

  • Google Apps
  • Facebook
  • Linked In
  • Twitter
  • Instagram

Client ID - IronWiFi by default, uses its own Social Login application when requesting access to the user's social profile. If you create your app with supported Social Login providers, you can enter here your application's Client ID number, and your users will approve access to your use, instead of IronWiFi.

Client Secret - password linked to the Client ID. You will get this from your OAuth 2.0 provider after you create a new Custom Application with them.


SAML 2.0 Single Sign-On

Allows using existing SAML Identity Provider (IdP) to sign in with existing credentials. SAML IdPs confirmed to work with our platform are Google AppsOktaPing Identity, and Active Directory Federation Services

SSO URL - Single Sign-On URL provided by your SAML Identity Provider

IDP Entity ID - Entity identifier provided by your SAML Identity Provider

Certificate - public certificate in PEM format provided by SAML Identity Provider. We use this certificate to verify the SAML message signature.


POST to https://splash.ironwifi.com/api/signin/saml2


Paid Access

Allows integration with external transaction processing to sell internet access. Available Paid plans are defined in the Hotspot Paid Plans section.

Transaction Processor - external credit card processor used to process payments from visitors. Currently supported is Stripe. Any collected payments will go directly to your Stripe account, and IronWiFi now does not charge any extra processing fees.

Secret Key - authorization token that was provided by your Transaction Processor.


email [Required] Visitor's email address

card_number [Required] Credit card number

exp_year [Required] Credit card expiration year

exp_month [Required] Credit card expiration month

cvc [Required] Credit card security verification number

name [Optional] Cardholder name

address_line1 [Optional] Billing address line 1

address_line2 [Optional] Billing address line 2

address_city [Optional] Billing address city

address_state [Optional] Billing address state

address_zip [Optional] Billing ZIP code as a string (e.g., "94301")

address_country [Optional] Billing address country

plan_quantity [Required] Number of units of selected plan

selected_plan [Required] ID of the selected plan


POST to https://splash.ironwifi.com/api/signin/hotspot


Voucher Code

It allows visitors to sign in with pre-generated voucher codes. These codes can be created manually on the Users page (voucher = user with the same username as password), or you can use our Voucher Generator to generate a set of voucher codes.


voucher_code [Required] Contains voucher code for validation

email [Optional] Visitors email address

phone_number [Optional]

firstname [Optional]

lastname [Optional]

fullname [Optional]

opt_in [Optional] - Visitors want's to join the mailing list



POST to https://splash.ironwifi.com/api/signin/voucher


Guest Access

This method allows you to collect additional information from your Guests. Examples of collected data are full name, phone number, and email address.


fullname Contains guest's full name

firstname Contains guest's first name

lastname Contains guest's last name

phone Contains guest's phone number

email Contains guest's email address


POST to https://splash.ironwifi.com/api/signin/guestselfregister


Self Registration

It allows the creation of permanent user accounts that can be used to sign on to the Splash page. Usually, customers use this method in combination with the "Local Account" authentication provider method.


username [Required] Contains user's username

password [Required] Contains user's password in clear-text

fullname Contains user's full name

firstname Contains user's first name

lastname Contains user's last name

phone Contains user's phone number

email Contains user's email address


POST to https://splash.ironwifi.com/api/signin/selfregister


Local Account

This method requires your users to sign in with an existing account.


username [Required] Contains username for validation

password [Required] Contains password in clear-text for verification


POST to https://splash.ironwifi.com/api/signin/localaccount



The external web server is used to verify the provided information. JSON data will be forwarded to the external API endpoint using the POST request method. This request will contain all information submitted by the user, and also parameters from the original request URL. Our communication is authorized using a secret Bearer authentication token.

Users will be authorized if a web server returns a correct response with an HTTP status code value between 200 and 299. If the status code is higher than 299, we decline the access request.

API endpoint - web server URL that should receive an authentication request

API token - bearer token, if defined, this authentication token will be included with all requests sent to the external web server


We POST all input fields to the external web server. These may include username, password, voucher, email, etc.


POST to https://splash.ironwifi.com/api/signin/rest


Response Status Codes:

2** – return status code indicates success, and the sample body provides user attributes, and access will be approved

HTTP/1.1 200 OK
{“valid_until”:”2017/01/10 01:59:59 +0000″,”valid_from”:”2017/01/09 02:03:52 +0000″,”nt_key”:”abcd12345″,”membership_id”:”`123456″,”membership”:{“name”:”John Sample”,”id”:”12345678″},”id”:”123456789abcdef”}

4** – return status code indicates failure and body provides an error message, and we reject the access request

HTTP/1.1 422 Unprocessable Entity
{“errors”:[“Email/login or password incorrect.”]}

Sponsored Access

The visitor will be required to provide the necessary information, and we will send an Access-Request email for approval. The visitor will be authorized after the approver clicks the link contained in the delivered request. This email can be White labeled to match your design.

Approver's email address - this is the email address where Access Request emails should be delivered. If not defined, a visitor can enter the email address of the visited person, and an email will be sent to this email address instead. For this to work, an input field with id "eaa_email" needs to be on the Splash page, and a user with the same username or email address has to exist in the IronWiFi account.

Request expiration - access requests can have an expiration time. You can define the expiration period in minutes, or leave it blank if this request should not expire.


fullname visitor's full name

email - visitor's email address

firstname - visitor's first name

lastname - visitor's last name

phone - visitor's phone number

approver_email - Sponsor's email address, domain address, or leave empty. If you define an email address, we will send all requests to this email address. If you set a domain (e.g., @example.com), or multiple domains separated with commas, the guest will have to enter the email address that belongs to one of these domains (e.g., bill@example.com). If you leave this input field empty, the guest can enter any email address, but there has to be a valid user with the same email address defined in Console -> Users.

approver_email - SELF: If SELF is used to define the approver email, the guest will receive an email to the email address they entered. This email will contain a link to approve access. This method is useful if you want to verify email addresses.


POST to https://splash.ironwifi.com/api/signin/employeeauth


SMS One Time Password

We will send a temporary access code to the visitor's phone number. This code will have the format defined in the Guest Manager username section.

SMS Gateway - select an external SMS gateway that should be used to send access codes to your visitors. Currently supported are Twilio and Clickatell

Auth Token - authentication token used to access the services of an SMS gateway provider. Your SMS gateway provider issues this token.

Sender's Phone Number - if supported and configured by your SMS gateway provider, outgoing text messages will appear to be coming from this phone number.

Country Code - you can let your users enter the country code in the input field, or you can select a value that we will add to all phone numbers.

SMS Body - defines the format of sent text messages. We will replace variable ${sms_code} with the generated access code.

Code expiration in minutes - for security reasons, access codes have an expiration time. The default value is 10 minutes.

Limit per phone number - within the "Code expiration in minutes" period, we will send maximum this number of text messages to a provided phone number.

Limit per client - within the "Code expiration in minutes" period, we will send maximum this number of text messages from the same connected client device.


Step 1:

phone_number [Required] The user-friendly phone number that should receive the SMS code. If you don't specify a Country Code in Authentication Provider Settings, this number should include a country code.

prefix We will prepend this country code to the phone number.

Step 2:

sms_code [Required] Contains SMS code for validation

fullname - visitor's full name

firstname - visitor's first name

lastname - visitor's last name


POST to https://splash.ironwifi.com/api/signin/smsreg