Skip to main contentSkip to search
Skip to main content

Authentication Providers

Authentication providers determine how users log in to your captive portal. You can enable multiple providers (email, social login, SMS, vouchers, SAML, or payment) to give users options that match your venue and audience.

Quick Start

  1. Open your Captive Portal settings
  2. Navigate to Authentication Providers
  3. Click Add Provider
  4. Select provider type (Email, Social, SMS, etc.)
  5. Configure provider-specific settings
  6. Add required domains to your Walled Garden
  7. Test authentication flow

Provider Comparison

Choose the right authentication method for your use case:

ProviderUser FrictionData CollectedBest ForSetup Complexity
EmailLowEmail, optional nameMarketing, newslettersSimple
GoogleVery LowEmail, name, profileGeneral publicModerate
FacebookVery LowEmail, name, profileCafés, retailModerate
LinkedInLowEmail, name, companyBusiness venues, co-workingModerate
Twitter/XLowUsername, nameEvents, mediaModerate
AppleVery LowEmail (may be hidden)Privacy-conscious usersComplex
SMSMediumPhone numberHigh security, verificationModerate
VoucherLowNone (pre-registered)Hotels, events, controlled accessSimple
Username/PasswordMediumCredentialsReturning users, membershipSimple
SAML/SSOVery LowEnterprise profileCorporate, educationComplex
PaymentHighPayment + contact infoPaid WiFi, premium accessModerate

Quick Selection Guide

Maximize sign-ups (lowest friction):

  • Google + Facebook + Email

Collect marketing data:

  • Email (with custom fields) + Social login

Enterprise/Corporate:

  • SAML + Email (for visitors)

Hotels/Hospitality:

  • Voucher (room guests) + Payment (day visitors)

Events/Conferences:

  • Voucher (pre-registered) + SMS (walk-ins)

High security requirements:

  • SMS + SAML

Available Providers

Email Authentication

Users enter their email address to receive access or a verification link.

Configuration:

  • Enable email verification (sends confirmation link)
  • Set email validity period
  • Customize email template

Use cases:

  • Marketing data collection
  • Simple guest access
  • Email-based promotions

Email Template Customization

Customize the emails sent to users with HTML templates and variables.

Available Variables:

VariableDescription
{{username}}
User's email address
{{fullname}}
User's full name (if collected)
{{verification_link}}
Email verification URL
{{verification_code}}
Numeric verification code
{{network_name}}
WiFi network SSID
{{portal_name}}
Captive portal name
{{expiry_time}}
Link/code expiration time
{{company_name}}
Your company name

Welcome Email Template Example:

Password Reset Email Template:

Email Domain Restrictions

Control which email domains can register:

Allow List (Whitelist): Only allow specific domains (e.g., corporate emails only):

Block List (Blacklist): Block disposable/temporary email providers:

Configuration:

  1. Navigate to Captive Portal > Authentication Providers > Email
  2. Enable Domain Restrictions
  3. Select Allow List or Block List mode
  4. Enter domains (one per line)

Rate Limiting

Prevent abuse with rate limits:

SettingRecommended ValueDescription
Emails per address3 per hourPrevent spam to same address
Emails per IP10 per hourPrevent bulk registrations
Failed attempts5 per 15 minLock after failed verifications
Cooldown period15 minutesWait time after lockout

Social Login

Allow users to authenticate with their existing social accounts.

Supported Platforms:

  • Google
  • Facebook
  • LinkedIn
  • Twitter/X
  • Apple

Data Collected from Social Providers

Each provider returns different user data:

ProviderData AvailableNotes
GoogleEmail, Name, Profile Picture, LocaleMost reliable email verification
FacebookEmail, Name, Profile Picture, Age RangeEmail may require additional permission
LinkedInEmail, Name, Profile Picture, Company, PositionBest for B2B/professional venues
Twitter/XUsername, Name, Profile PictureEmail requires elevated access
AppleEmail, NameUsers can hide real email (relay address)

Data Mapping Configuration:

Map social provider data to IronWiFi user fields:

Setup Requirements:

  1. Create an OAuth app on the platform
  2. Configure redirect URIs
  3. Enter Client ID and Secret in IronWiFi

Detailed Setup Guides:

Google Login Setup

  1. Go to Google Cloud Console
  2. Create a new project or select existing
  3. Navigate to APIs & Services > Credentials
  4. Click Create Credentials > OAuth client ID
  5. Select Web application
  6. Add authorized redirect URI: 
    https://splash.ironwifi.com/api/signin/google/callback
  7. Copy Client ID and Client Secret
  8. In IronWiFi, add Google provider with these credentials

Walled Garden entries:

Facebook Login Setup

  1. Go to Facebook Developers
  2. Click My Apps > Create App
  3. Select Consumer or Business type
  4. Add Facebook Login product
  5. Navigate to Settings > Basic
  6. Copy App ID and App Secret
  7. In Facebook Login > Settings, add redirect URI:
  8. In IronWiFi, add Facebook provider with credentials

Walled Garden entries:

LinkedIn Login Setup

  1. Go to LinkedIn Developers
  2. Click Create App
  3. Fill in app details and verify your company page
  4. Navigate to Auth tab
  5. Add redirect URL:
  6. Copy Client ID and Client Secret
  7. Under Products, request access to Sign In with LinkedIn
  8. In IronWiFi, add LinkedIn provider with credentials

Walled Garden entries:

Apple Login Setup

  1. Go to Apple Developer
  2. Navigate to Certificates, Identifiers & Profiles
  3. Create an App ID with Sign In with Apple capability
  4. Create a Services ID for web authentication
  5. Configure the Services ID with your domain and redirect URL
  6. Create a Key for Sign In with Apple
  7. Download the key file (
    .p8
    )
  8. In IronWiFi, configure with Team ID, Key ID, Services ID, and key file

Walled Garden entries:

Twitter/X Login Setup

  1. Go to Twitter Developer Portal
  2. Create a new project and app
  3. Navigate to Keys and tokens
  4. Generate OAuth 2.0 Client ID and Client Secret
  5. In app settings, add callback URL: 
    https://splash.ironwifi.com/api/signin/twitter/callback
  6. Enable OAuth 2.0 with appropriate scopes
  7. In IronWiFi, add Twitter provider with credentials

Walled Garden entries:

SMS Verification

Users receive a verification code via text message.

Requirements:

  • SMS gateway integration (Twilio, Clickatell, etc.)
  • SMS credits/account balance

Twilio Setup

  1. Create account at Twilio
  2. Go to Console Dashboard
  3. Note your Account SID and Auth Token
  4. Navigate to Phone Numbers > Buy a Number
  5. Purchase a phone number with SMS capability
  6. In IronWiFi:
    • Select Twilio as SMS provider
    • Enter Account SID
    • Enter Auth Token
    • Enter From Number (your Twilio number, format: +1234567890)
  7. Configure message template (use 
    {{code}}
    for verification code)
  8. Set code expiration time (recommended: 5-10 minutes)

Example message template:

Walled Garden entries:

*.twilio.com

Clickatell Setup

  1. Create account at Clickatell
  2. Navigate to SMS > Create Integration
  3. Select REST API
  4. Copy your API Key
  5. In IronWiFi:
    • Select Clickatell as SMS provider
    • Enter API Key
    • Configure sender ID (if applicable)
  6. Set message template and expiration

Walled Garden entries:

*.clickatell.com

Configuration options:

  • Code length: 4-8 digits (default: 6)
  • Code expiration: 1-30 minutes
  • Retry limit: Maximum verification attempts
  • Phone number format: International format recommended

Voucher Codes

Pre-generated access codes for controlled distribution.

Configuration:

  • Enable voucher authentication
  • Set voucher validation rules
  • Configure input field appearance

See also: Vouchers

Username/Password

Traditional authentication against IronWiFi user database.

Configuration:

  • Enable username/password login
  • Optional: Allow self-registration
  • Optional: Enable password reset

SAML Single Sign-On

Enterprise authentication via SAML identity providers.

Supported IdPs:

  • Microsoft Entra ID
  • Okta
  • Google Workspace
  • OneLogin
  • Any SAML 2.0 compliant IdP

SAML URLs (from Captive Portal settings):

  • ACS URL (Assertion Consumer Service)
  • Logout URL
  • Entity ID

Microsoft Entra ID Setup (SAML)

  1. Go to Azure Portal > Microsoft Entra ID
  2. Navigate to Enterprise Applications > New Application
  3. Click Create your own application
  4. Name it "IronWiFi Captive Portal" and select non-gallery application
  5. Go to Properties and set User assignment required? to No
  6. Go to Single sign-on > Select SAML
  7. In Basic SAML Configuration:
    • Identifier (Entity ID): e.g., 
      https://us-west1.ironwifi.com/api/signin/saml2
    • Reply URL (ACS URL): e.g., 
      https://us-west1.ironwifi.com/api/signin/saml2?acs
    • Sign on URL: Your splash page URL
    • (Get exact URLs from IronWiFi Console > Captive Portals > Authentication Providers)
  8. Critical: In Attributes & Claims, click Unique User Identifier (Name ID):
    • Change Source attribute to user.mail
  9. Add additional claims: 
    • emailaddress
      → user.mail
    • givenname
      → user.givenname
    • surname
      → user.surname
  10. In SAML Signing Certificate, copy:
    • Login URL
    • Microsoft Entra Identifier
    • Certificate (Base64) - download and copy contents
  11. In IronWiFi, add SAML2 provider with:
    • SSO URL: Login URL from Azure
    • IDP Entity ID: Microsoft Entra Identifier
    • Certificate: Certificate content
    • NameID Format: 
      urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Walled Garden entries:

Microsoft Entra ID Setup (OAuth)

For simpler setup without SAML, use OAuth:

  1. Go to Azure Portal > Microsoft Entra ID > App registrations
  2. Click New registration
  3. Configure:
    • Name: IronWiFi OAuth
    • Redirect URI: 
      https://us-west1.ironwifi.com/api/signin/azure
      (adjust for your region)
  4. Copy the Application (client) ID
  5. Go to Certificates & secrets > New client secret
  6. Copy the secret value immediately
  7. Go to API permissions > Add Microsoft Graph > Delegated permissions: 
    • openid
      , 
      profile
      , 
      email
      , 
      User.Read
    • Click Grant admin consent if required
  8. In IronWiFi, add Social Login - OAuth 2.0 provider:
    • Provider: Azure
    • Client ID: Application ID
    • Client Secret: Secret value

Walled Garden entries: Same as SAML above

Okta Setup

  1. Go to Okta Admin Console
  2. Navigate to Applications > Create App Integration
  3. Select SAML 2.0 > Click Next
  4. Configure General Settings:
    • App name: IronWiFi Captive Portal
    • App logo: Optional
  5. Configure SAML Settings:
    • Single sign-on URL: ACS URL from IronWiFi
    • Audience URI (SP Entity ID): Entity ID from IronWiFi
    • Name ID format: EmailAddress
    • Application username: Email
  6. Add Attribute Statements: 
    • email
      → user.email
    • firstName
      → user.firstName
    • lastName
      → user.lastName
  7. Click Next > Finish
  8. Go to Sign On tab > View SAML setup instructions
  9. Copy Identity Provider SSO URL and Certificate to IronWiFi

Walled Garden entries:

Google Workspace Setup

  1. Go to Google Admin Console
  2. Navigate to Apps > Web and mobile apps
  3. Click Add app > Add custom SAML app
  4. Enter app name: "IronWiFi Captive Portal"
  5. Copy Google IdP information (SSO URL, Entity ID, Certificate)
  6. Configure Service Provider details:
    • ACS URL: From IronWiFi Captive Portal settings
    • Entity ID: From IronWiFi Captive Portal settings
    • Name ID format: EMAIL
    • Name ID: Basic Information > Primary email
  7. Add attribute mapping: 
    • email
      → Primary email
    • firstName
      → First name
    • lastName
      → Last name
  8. Click Finish
  9. Enable the app for your organizational units
  10. In IronWiFi, enter Google IdP details

Walled Garden entries:

OneLogin Setup

  1. Go to OneLogin Admin
  2. Navigate to Applications > Add App
  3. Search for "SAML Custom Connector" > Select it
  4. Configure:
    • Display Name: IronWiFi Captive Portal
    • Audience (EntityID): Entity ID from IronWiFi
    • ACS URL: ACS URL from IronWiFi
    • ACS URL Validator: Same as ACS URL (escaped)
  5. Go to SSO tab, copy:
    • SAML 2.0 Endpoint
    • X.509 Certificate
  6. Configure attribute mappings in Parameters tab
  7. In IronWiFi, enter OneLogin IdP details

Walled Garden entries:

*.onelogin.com

Payment Integration

Require payment for network access.

Supported Gateways:

  • Stripe
  • Braintree
  • PayPal

Stripe Setup

  1. Create account at Stripe
  2. Go to Developers > API keys
  3. Copy Publishable key and Secret key
  4. In IronWiFi Captive Portal settings:
    • Enable Payment provider
    • Select Stripe
    • Enter Publishable Key
    • Enter Secret Key
  5. Configure webhook (optional but recommended):
    • In Stripe: Developers > Webhooks > Add endpoint
    • URL: 
      https://splash.ironwifi.com/api/webhooks/stripe
    • Events: 
      payment_intent.succeeded
      , 
      payment_intent.payment_failed

Creating Access Plans:

  1. In IronWiFi, go to Access Plans
  2. Click Add Plan
  3. Configure:
    • Name: e.g., "1 Hour Access", "Day Pass"
    • Duration: Session length
    • Price: Amount in your currency
    • Bandwidth: Optional speed limits
    • Data cap: Optional data limit

Example plans:

PlanDurationPriceBandwidth
Quick Access1 hour$2.99Unlimited
Day Pass24 hours$9.99Unlimited
Week Pass7 days$29.99Unlimited
Premium24 hours$14.99100 Mbps

Walled Garden entries:

Braintree Setup

  1. Create account at Braintree
  2. Go to Settings > API
  3. Note your Merchant ID, Public Key, and Private Key
  4. In IronWiFi:
    • Enable Payment provider
    • Select Braintree
    • Enter credentials
    • Select environment (Sandbox for testing, Production for live)
  5. Configure accepted payment methods:
    • Credit/Debit cards
    • PayPal
    • Apple Pay
    • Google Pay

Walled Garden entries:

PayPal Setup

  1. Create business account at PayPal
  2. Go to Developer Dashboard
  3. Create an app under REST API apps
  4. Copy Client ID and Secret
  5. In IronWiFi:
    • Enable Payment provider
    • Select PayPal
    • Enter Client ID and Secret
    • Select environment (Sandbox/Live)

Walled Garden entries:

Payment Best Practices

  1. Test in sandbox first - Use test credentials before going live
  2. Clear pricing - Display all fees upfront
  3. Provide receipts - Enable email confirmations
  4. Handle failures gracefully - Show clear error messages
  5. Offer multiple plans - Give users options
  6. Consider refund policy - Document in terms of service

Provider Priority

When multiple providers are enabled, you can set the display order:

  1. Drag providers to reorder
  2. First provider appears most prominently
  3. Consider user preferences for your venue

Combining Providers

Common Combinations

Hotel/Hospitality:

  • Voucher (primary - included in room rate)
  • Payment (for extended access)

Café/Restaurant:

  • Email (simple, captures data)
  • Social login (faster)

Enterprise Guest:

  • SAML (employees)
  • Email (visitors)

Events:

  • Voucher (registered attendees)
  • SMS (walk-ins)

Custom Authentication

For advanced needs, implement custom authentication:

REST API Provider

Authenticate against your own backend:

Response: Return HTTP 200 for success, 401 for failure.

Walled Garden Requirements

Each provider may require specific domains in your Walled Garden:

ProviderRequired Domains
Googleaccounts.google.com, googleapis.com
Facebookfacebook.com, fbcdn.net
SMSYour SMS provider's domains
PaymentStripe.com, Braintree domains

See Walled Garden Guide for complete lists.

Best Practices

  1. Minimize friction - Fewer steps = higher completion
  2. Match your audience - Business events may prefer LinkedIn, cafés may prefer email
  3. Always have a fallback - Offer at least two options
  4. Test thoroughly - Verify all providers work on different devices
  5. Consider privacy - Be transparent about data collection

Troubleshooting

OAuth Error: Redirect URI Mismatch

The redirect URI in your OAuth app doesn't match IronWiFi's expected URI.

Solution: Verify the exact redirect URI from your IronWiFi Captive Portal settings and update your OAuth app configuration.

Social Login Button Not Appearing

Causes:

  • Provider not enabled
  • Missing API credentials
  • JavaScript errors

Solution: Check browser console for errors, verify credentials are entered correctly.

"Access Denied" After Social Login

Causes:

  • OAuth app not approved/published
  • Missing required scopes
  • Account restrictions

Solution: Ensure your OAuth app is in production mode (not development/testing only).

Quick Reference

Walled Garden Cheat Sheet

Copy these entries based on your enabled providers:

Setup Checklist

Use this checklist when configuring a new authentication provider:

  • Create OAuth app / API account on provider platform
  • Copy credentials (Client ID, Secret, API Key)
  • Enter credentials in IronWiFi Captive Portal settings
  • Add required domains to Walled Garden
  • Configure redirect URI (if OAuth)
  • Set to Production mode (not Sandbox/Development)
  • Test on desktop browser
  • Test on iOS device (in CNA and Safari)
  • Test on Android device
  • Verify user data is being collected

Frequently Asked Questions

Q: How many authentication providers can I enable on a single captive portal?

You can enable as many providers as needed. Users see all enabled options on the splash page. Drag providers to reorder them — the first provider appears most prominently. Common combinations include Google + Email for public venues or Voucher + Payment for hotels.

Q: Why does social login fail with a "redirect URI mismatch" error?

The redirect URI configured in your OAuth app (Google, Facebook, LinkedIn, etc.) does not match the URI expected by IronWiFi. Check your IronWiFi Captive Portal settings for the exact redirect URI, then update your OAuth app configuration to match. The URIs must be identical, including the protocol (https) and path.

Q: Do I need to add walled garden entries for every authentication provider?

Yes. Unauthenticated users cannot reach any external domains by default. Each provider's OAuth or API domains must be added to the walled garden (pre-authorization access list) on your access point or controller. Without these entries, users cannot reach the login pages for social providers, SMS verification, or payment gateways.

Q: Can I use Microsoft Entra ID for both employee SAML login and guest access?

Yes. Configure SAML as a provider for employees who authenticate via their corporate Entra ID accounts. Add a separate Email or Social Login provider for visitors who do not have corporate credentials. Both providers can be active simultaneously on the same captive portal.

Q: How do I set up paid WiFi with different access tiers?

Enable a payment provider (Stripe, Braintree, or PayPal), then create multiple access plans with different durations, prices, and bandwidth limits. For example, offer a $2.99 one-hour pass and a $9.99 day pass. Users choose their plan on the splash page and pay before gaining access.

Was this page helpful?