Okta Integration

Connect IronWiFi to Okta to let users authenticate to WiFi using their Okta credentials. This guide covers SAML setup for captive portals, user synchronization, and RADIUS integration for WPA-Enterprise networks.

Features

SAML Single Sign-On - Enterprise SSO for captive portals
User Synchronization - Import users from Okta directory
Group Synchronization - Sync Okta groups to IronWiFi
RADIUS Authentication - WPA-Enterprise with Okta credentials

Prerequisites

Okta administrator account
IronWiFi account
Okta plan that supports SAML (most plans)

SAML Single Sign-On (Captive Portal)

Use Okta SAML for captive portal authentication.

Step 1: Get IronWiFi SAML URLs

Log into IronWiFi Console
Navigate to Networks > Captive Portals
Select your captive portal (or create one)
Expand Authentication Providers
Click Add Provider > SAML2 Single Sign-on

Note these values (you'll need them for Okta):

Entity ID (e.g.,

https://us-west1.ironwifi.com/api/signin/saml2

)

ACS URL (e.g.,

https://us-west1.ironwifi.com/api/signin/saml2?acs

)

Region-specific URLs:

US West:
```
us-west1.ironwifi.com
```
Europe West:
```
europe-west2.ironwifi.com
```
Global/Default:
```
splash.ironwifi.com
```

Step 2: Create Okta Application

Log into Okta Admin Console
Navigate to Applications > Applications
Click Create App Integration
Select SAML 2.0
Click Next

Step 3: Configure General Settings

App name: IronWiFi Captive Portal
App logo: Upload logo (optional)
Click Next

Step 4: Configure SAML Settings

Enter these values:

Field	Value
Single sign-on URL	`https://us-west1.ironwifi.com/api/signin/saml2?acs` (use your region)
Audience URI (SP Entity ID)	`https://us-west1.ironwifi.com/api/signin/saml2` (use your region)
Default RelayState	Leave blank
Name ID format	EmailAddress
Application username	Email

Important

Change the base URL from the default to match your IronWiFi region:

```
us-west1
```
for US West
```
europe-west2
```
for Europe
```
splash
```
for Global/Default

Step 5: Configure Attribute Statements

Add these attribute statements:

Name	Name format	Value
email	Unspecified	user.email
firstName	Unspecified	user.firstName
lastName	Unspecified	user.lastName

Click Next, then Finish.

Step 6: Get Okta SAML Metadata

In the application, click Sign On tab
Scroll to SAML Signing Certificates
Click Actions > View IdP metadata for the active certificate
Copy or download the metadata XML

Alternatively, note these values manually:

Identity Provider SSO URL (e.g.,

https://your-domain.okta.com/app/xxx/sso/saml

)

Identity Provider Issuer (Entity ID)
X.509 Certificate - Download the certificate

Step 7: Configure IronWiFi

Return to IronWiFi Console > Captive Portals > your portal
In the SAML2 provider you created, enter:

IronWiFi Field	Okta Value
SSO URL	Identity Provider SSO URL
IDP Entity ID	Identity Provider Issuer
Certificate	X.509 Certificate content
NameID Format	`urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`

Click Save

Step 8: Assign Users in Okta

In Okta, go to the IronWiFi application
Click Assignments tab
Click Assign > Assign to People or Assign to Groups
Select users or groups
Click Done

Step 9: Configure Walled Garden

Add these Okta domains to your access point's walled garden:

*.okta.com
*.oktacdn.com
login.okta.com
your-domain.okta.com
your-domain.oktapreview.com

Replace

your-domain

with your actual Okta subdomain.

Step 10: Test SAML Authentication

Connect to your WiFi network
The captive portal should appear
Click the Okta/SSO login button
Enter Okta credentials
Verify successful authentication and internet access

User Synchronization (Connector)

Import users from Okta for RADIUS authentication or pre-provisioning.

Step 1: Generate Okta API Token

In Okta Admin Console, navigate to Security > API
Click Tokens tab
Click Create Token
Name: "IronWiFi Connector"
Click Create Token
Copy the token immediately (it won't be shown again)

Step 2: Create IronWiFi Connector

In IronWiFi Console, navigate to Users > Connectors
Click New Connector
Select Okta
Configure:
- Name: Okta Directory
- Domain:
```
your-domain.okta.com
```
  (your Okta domain)
- API Token: Paste the token from Step 1
- User Filter:
```
status eq "ACTIVE"
```
  (optional, syncs only active users)

Step 3: Select Groups to Sync

After saving, click Configure or Edit
Select which Okta groups to import
Configure sync options:
- Auto-sync: Enable for scheduled sync
- Sync interval: Hourly, daily, etc.
Click Save

Step 4: Run Initial Sync

Click Sync Now
Monitor progress
Review imported users in Users section

Group Mapping

Map Okta groups to IronWiFi groups for VLAN assignment and policies:

In the connector, navigate to Group Mapping
Add mapping rules:
- Okta Group → IronWiFi Group
- Example: "WiFi-Employees" → "Corporate VLAN"
Enable Auto-create groups if needed
Save and run sync

RADIUS Authentication

For WPA-Enterprise using Okta credentials:

Option 1: Okta RADIUS Agent

Download Okta RADIUS Server Agent from Okta
Install on a Windows server in your network
In Okta, navigate to Security > Multifactor > RADIUS
Configure the RADIUS application
In IronWiFi, configure RADIUS proxy to your Okta RADIUS agent

Option 2: IronWiFi with Synced Users

Sync users from Okta to IronWiFi (see User Synchronization above)
Configure authentication method:
- Generated Passwords: IronWiFi creates unique passwords
- Client Certificates: EAP-TLS with SCEP

Client Configuration

Configure devices for WPA-Enterprise:

Security: WPA2-Enterprise
EAP Method: PEAP
Inner Authentication: MSCHAPv2
Identity: user@domain.com (Okta email)

Troubleshooting

SAML Errors

Invalid Signature:

Re-download certificate from Okta
Verify certificate hasn't expired
Check certificate format (PEM/X.509)

User Not Found:

Verify user is assigned to the app in Okta
Check NameID format is EmailAddress
Confirm attribute mapping includes email

SAML Response Error:

Verify Entity ID matches exactly
Check ACS URL uses correct region
Ensure Okta app is active

Sync Issues

No Users Imported:

Verify API token is valid and not expired
Check token has read permissions
Test network connectivity to Okta

Partial Sync:

Review user filter settings
Check group selection
Verify users are active in Okta

Walled Garden Issues

Okta Login Page Not Loading:

Verify all Okta domains are in walled garden
Check for typos in domain names
Add
```
*.oktacdn.com
```
for static assets

Best Practices

Use groups - Manage access via Okta groups, not individual users
Enable auto-sync - Keep users current with scheduled sync
Monitor token expiration - Okta API tokens can expire
Test with pilot group - Verify with small group before full rollout
Document configuration - Record all settings for disaster recovery
Use MFA - Enable Okta MFA for additional security
Review logs - Monitor authentication logs for issues

Was this page helpful?

Features​

Prerequisites​

SAML Single Sign-On (Captive Portal)​

Step 1: Get IronWiFi SAML URLs​

Step 2: Create Okta Application​

Step 3: Configure General Settings​

Step 4: Configure SAML Settings​

Step 5: Configure Attribute Statements​

Step 6: Get Okta SAML Metadata​

Step 7: Configure IronWiFi​

Step 8: Assign Users in Okta​

Step 9: Configure Walled Garden​

Step 10: Test SAML Authentication​

User Synchronization (Connector)​

Step 1: Generate Okta API Token​

Step 2: Create IronWiFi Connector​

Step 3: Select Groups to Sync​

Step 4: Run Initial Sync​

Group Mapping​

RADIUS Authentication​

Option 1: Okta RADIUS Agent​

Option 2: IronWiFi with Synced Users​

Client Configuration​

Troubleshooting​

SAML Errors​

Sync Issues​

Walled Garden Issues​

Best Practices​

Related Documentation​