Authentication Providers

Authentication providers determine how users log in to your captive portal. You can enable multiple providers (email, social login, SMS, vouchers, SAML, or payment) to give users options that match your venue and audience.

Quick Start

1. Open your Captive Portal settings
2. Navigate to Authentication Providers
3. Click Add Provider
4. Select provider type (Email, Social, SMS, etc.)
5. Configure provider-specific settings
6. Add required domains to your Walled Garden
7. Test authentication flow

Provider Comparison

Choose the right authentication method for your use case:

Provider	User Friction	Data Collected	Best For	Setup Complexity
Email	Low	Email, optional name	Marketing, newsletters	Simple
Google	Very Low	Email, name, profile	General public	Moderate
Facebook	Very Low	Email, name, profile	Cafés, retail	Moderate
LinkedIn	Low	Email, name, company	Business venues, co-working	Moderate
Twitter/X	Low	Username, name	Events, media	Moderate
Apple	Very Low	Email (may be hidden)	Privacy-conscious users	Complex
SMS	Medium	Phone number	High security, verification	Moderate
Voucher	Low	None (pre-registered)	Hotels, events, controlled access	Simple
Username/Password	Medium	Credentials	Returning users, membership	Simple
SAML/SSO	Very Low	Enterprise profile	Corporate, education	Complex
Payment	High	Payment + contact info	Paid WiFi, premium access	Moderate

Quick Selection Guide

Maximize sign-ups (lowest friction):

• Google + Facebook + Email

Collect marketing data:

• Email (with custom fields) + Social login

Enterprise/Corporate:

• SAML + Email (for visitors)

Hotels/Hospitality:

• Voucher (room guests) + Payment (day visitors)

Events/Conferences:

• Voucher (pre-registered) + SMS (walk-ins)

High security requirements:

• SMS + SAML

---

Available Providers

Email Authentication

Users enter their email address to receive access or a verification link.

Configuration:

• Enable email verification (sends confirmation link)
• Set email validity period
• Customize email template

Use cases:

• Marketing data collection
• Simple guest access
• Email-based promotions

Email Template Customization

Customize the emails sent to users with HTML templates and variables.

Available Variables:

Variable	Description
{{username}}	User's email address
{{fullname}}	User's full name (if collected)
{{verification_link}}	Email verification URL
{{verification_code}}	Numeric verification code
{{network_name}}	WiFi network SSID
{{portal_name}}	Captive portal name
{{expiry_time}}	Link/code expiration time
{{company_name}}	Your company name

Welcome Email Template Example:

<!DOCTYPE html>
<html>
<head>
  <style>
    body { font-family: Arial, sans-serif; line-height: 1.6; color: #333; }
    .container { max-width: 600px; margin: 0 auto; padding: 20px; }
    .header { background: #0066cc; color: white; padding: 20px; text-align: center; }
    .content { padding: 30px; background: #f9f9f9; }
    .button { display: inline-block; padding: 12px 30px; background: #0066cc;
              color: white; text-decoration: none; border-radius: 5px; }
    .footer { padding: 20px; text-align: center; font-size: 12px; color: #666; }
  </style>
</head>
<body>
  <div class="container">
    <div class="header">
      <h1>Welcome to {{network_name}}</h1>
    </div>
    <div class="content">
      <p>Hello {{fullname}},</p>
      <p>Thank you for connecting to our WiFi network. Please verify your email
         address to complete your registration.</p>
      <p style="text-align: center; margin: 30px 0;">
        <a href="{{verification_link}}" class="button">Verify Email</a>
      </p>
      <p>Or enter this code on the login page: <strong>{{verification_code}}</strong></p>
      <p>This link expires in {{expiry_time}}.</p>
    </div>
    <div class="footer">
      <p>&copy; {{company_name}} | <a href="{{privacy_url}}">Privacy Policy</a></p>
    </div>
  </div>
</body>
</html>

Password Reset Email Template:

<!DOCTYPE html>
<html>
<head>
  <style>
    body { font-family: Arial, sans-serif; line-height: 1.6; }
    .container { max-width: 600px; margin: 0 auto; padding: 20px; }
    .alert { background: #fff3cd; border: 1px solid #ffc107; padding: 15px;
             border-radius: 5px; margin: 20px 0; }
  </style>
</head>
<body>
  <div class="container">
    <h2>Password Reset Request</h2>
    <p>Hello {{username}},</p>
    <p>We received a request to reset your password for {{network_name}}.</p>
    <p style="text-align: center; margin: 30px 0;">
      <a href="{{reset_link}}" style="display: inline-block; padding: 12px 30px;
         background: #dc3545; color: white; text-decoration: none; border-radius: 5px;">
        Reset Password
      </a>
    </p>
    <div class="alert">
      <strong>Didn't request this?</strong> You can safely ignore this email.
      Your password will not be changed.
    </div>
    <p>This link expires in 1 hour.</p>
  </div>
</body>
</html>

Email Domain Restrictions

Control which email domains can register:

Allow List (Whitelist): Only allow specific domains (e.g., corporate emails only):

example.com
company.org
partner.net

Block List (Blacklist): Block disposable/temporary email providers:

mailinator.com
tempmail.com
guerrillamail.com
10minutemail.com
throwaway.email

Configuration:

1. Navigate to Captive Portal > Authentication Providers > Email
2. Enable Domain Restrictions
3. Select Allow List or Block List mode
4. Enter domains (one per line)

Rate Limiting

Prevent abuse with rate limits:

Setting	Recommended Value	Description
Emails per address	3 per hour	Prevent spam to same address
Emails per IP	10 per hour	Prevent bulk registrations
Failed attempts	5 per 15 min	Lock after failed verifications
Cooldown period	15 minutes	Wait time after lockout

Social Login

Allow users to authenticate with their existing social accounts.

Supported Platforms:

• Google
• Facebook
• LinkedIn
• Twitter/X
• Apple

Data Collected from Social Providers

Each provider returns different user data:

Provider	Data Available	Notes
Google	Email, Name, Profile Picture, Locale	Most reliable email verification
Facebook	Email, Name, Profile Picture, Age Range	Email may require additional permission
LinkedIn	Email, Name, Profile Picture, Company, Position	Best for B2B/professional venues
Twitter/X	Username, Name, Profile Picture	Email requires elevated access
Apple	Email, Name	Users can hide real email (relay address)

Data Mapping Configuration:

Map social provider data to IronWifi user fields:

Google:
  email         → username
  given_name    → first_name
  family_name   → last_name
  picture       → avatar_url
  locale        → language

LinkedIn:
  emailAddress  → username
  firstName     → first_name
  lastName      → last_name
  profilePicture → avatar_url
  positions     → company (latest)

Setup Requirements:

1. Create an OAuth app on the platform
2. Configure redirect URIs
3. Enter Client ID and Secret in IronWifi

Detailed Setup Guides:

Google Login Setup

1. Go to Google Cloud Console
2. Create a new project or select existing
3. Navigate to APIs & Services > Credentials
4. Click Create Credentials > OAuth client ID
5. Select Web application
6. Add authorized redirect URI: https://splash.ironwifi.com/api/signin/google/callback
7. Copy Client ID and Client Secret
8. In IronWifi, add Google provider with these credentials

Walled Garden entries:

accounts.google.com
*.googleapis.com
*.gstatic.com

Facebook Login Setup

1. Go to Facebook Developers
2. Click My Apps > Create App
3. Select Consumer or Business type
4. Add Facebook Login product
5. Navigate to Settings > Basic
6. Copy App ID and App Secret
7. In Facebook Login > Settings, add redirect URI: https://splash.ironwifi.com/api/signin/facebook/callback
8. In IronWifi, add Facebook provider with credentials

Walled Garden entries:

facebook.com
*.facebook.com
*.fbcdn.net
connect.facebook.net

LinkedIn Login Setup

1. Go to LinkedIn Developers
2. Click Create App
3. Fill in app details and verify your company page
4. Navigate to Auth tab
5. Add redirect URL: https://splash.ironwifi.com/api/signin/linkedin/callback
6. Copy Client ID and Client Secret
7. Under Products, request access to Sign In with LinkedIn
8. In IronWifi, add LinkedIn provider with credentials

Walled Garden entries:

linkedin.com
*.linkedin.com
*.licdn.com

Apple Login Setup

1. Go to Apple Developer
2. Navigate to Certificates, Identifiers & Profiles
3. Create an App ID with Sign In with Apple capability
4. Create a Services ID for web authentication
5. Configure the Services ID with your domain and redirect URL
6. Create a Key for Sign In with Apple
7. Download the key file (.p8)
8. In IronWifi, configure with Team ID, Key ID, Services ID, and key file

Walled Garden entries:

appleid.apple.com
*.apple.com
*.icloud.com

Twitter/X Login Setup

1. Go to Twitter Developer Portal
2. Create a new project and app
3. Navigate to Keys and tokens
4. Generate OAuth 2.0 Client ID and Client Secret
5. In app settings, add callback URL: https://splash.ironwifi.com/api/signin/twitter/callback
6. Enable OAuth 2.0 with appropriate scopes
7. In IronWifi, add Twitter provider with credentials

Walled Garden entries:

twitter.com
*.twitter.com
*.twimg.com
x.com
*.x.com

SMS Verification

Users receive a verification code via text message.

Requirements:

• SMS gateway integration (Twilio, Clickatell, etc.)
• SMS credits/account balance

Twilio Setup

1. Create account at Twilio
2. Go to Console Dashboard
3. Note your Account SID and Auth Token
4. Navigate to Phone Numbers > Buy a Number
5. Purchase a phone number with SMS capability
6. In IronWifi:
   • Select Twilio as SMS provider
   • Enter Account SID
   • Enter Auth Token
   • Enter From Number (your Twilio number, format: +1234567890)
7. Configure message template (use {{code}} for verification code)
8. Set code expiration time (recommended: 5-10 minutes)

Example message template:

Your WiFi access code is: {{code}}. Valid for 10 minutes.

Walled Garden entries:

*.twilio.com

Clickatell Setup

1. Create account at Clickatell
2. Navigate to SMS > Create Integration
3. Select REST API
4. Copy your API Key
5. In IronWifi:
   • Select Clickatell as SMS provider
   • Enter API Key
   • Configure sender ID (if applicable)
6. Set message template and expiration

Walled Garden entries:

*.clickatell.com

Configuration options:

• Code length: 4-8 digits (default: 6)
• Code expiration: 1-30 minutes
• Retry limit: Maximum verification attempts
• Phone number format: International format recommended

Voucher Codes

Pre-generated access codes for controlled distribution.

Configuration:

• Enable voucher authentication
• Set voucher validation rules
• Configure input field appearance

See also: Vouchers

Username/Password

Traditional authentication against IronWifi user database.

Configuration:

• Enable username/password login
• Optional: Allow self-registration
• Optional: Enable password reset

SAML Single Sign-On

Enterprise authentication via SAML identity providers.

Supported IdPs:

• Azure AD (Entra ID)
• Okta
• Google Workspace
• OneLogin
• Any SAML 2.0 compliant IdP

SAML URLs (from Captive Portal settings):

• ACS URL (Assertion Consumer Service)
• Logout URL
• Entity ID

Azure AD (Entra ID) Setup

1. Go to Azure Portal > Azure Active Directory
2. Navigate to Enterprise Applications > New Application
3. Click Create your own application
4. Name it "IronWifi Captive Portal" and select non-gallery application
5. Go to Single sign-on > Select SAML
6. In Basic SAML Configuration:
   • Identifier (Entity ID): Copy from IronWifi Captive Portal settings
   • Reply URL (ACS URL): Copy from IronWifi Captive Portal settings
   • Sign on URL: Your splash page URL
7. In Attributes & Claims, configure:
   • emailaddress → user.mail
   • givenname → user.givenname
   • surname → user.surname
8. Download Federation Metadata XML
9. In IronWifi, upload the metadata XML or enter:
   • IdP SSO URL: Login URL from Azure
   • IdP Certificate: Download from Azure
   • IdP Entity ID: Azure AD Identifier

Walled Garden entries:

login.microsoftonline.com
*.microsoft.com
*.azure.com
*.msftauth.net
*.msauth.net
aadcdn.msftauth.net

Okta Setup

1. Go to Okta Admin Console
2. Navigate to Applications > Create App Integration
3. Select SAML 2.0 > Click Next
4. Configure General Settings:
   • App name: IronWifi Captive Portal
   • App logo: Optional
5. Configure SAML Settings:
   • Single sign-on URL: ACS URL from IronWifi
   • Audience URI (SP Entity ID): Entity ID from IronWifi
   • Name ID format: EmailAddress
   • Application username: Email
6. Add Attribute Statements:
   • email → user.email
   • firstName → user.firstName
   • lastName → user.lastName
7. Click Next > Finish
8. Go to Sign On tab > View SAML setup instructions
9. Copy Identity Provider SSO URL and Certificate to IronWifi

Walled Garden entries:

*.okta.com
*.oktacdn.com

Google Workspace Setup

1. Go to Google Admin Console
2. Navigate to Apps > Web and mobile apps
3. Click Add app > Add custom SAML app
4. Enter app name: "IronWifi Captive Portal"
5. Copy Google IdP information (SSO URL, Entity ID, Certificate)
6. Configure Service Provider details:
   • ACS URL: From IronWifi Captive Portal settings
   • Entity ID: From IronWifi Captive Portal settings
   • Name ID format: EMAIL
   • Name ID: Basic Information > Primary email
7. Add attribute mapping:
   • email → Primary email
   • firstName → First name
   • lastName → Last name
8. Click Finish
9. Enable the app for your organizational units
10. In IronWifi, enter Google IdP details

Walled Garden entries:

accounts.google.com
*.googleapis.com
*.gstatic.com

OneLogin Setup

1. Go to OneLogin Admin
2. Navigate to Applications > Add App
3. Search for "SAML Custom Connector" > Select it
4. Configure:
   • Display Name: IronWifi Captive Portal
   • Audience (EntityID): Entity ID from IronWifi
   • ACS URL: ACS URL from IronWifi
   • ACS URL Validator: Same as ACS URL (escaped)
5. Go to SSO tab, copy:
   • SAML 2.0 Endpoint
   • X.509 Certificate
6. Configure attribute mappings in Parameters tab
7. In IronWifi, enter OneLogin IdP details

Walled Garden entries:

*.onelogin.com

Payment Integration

Require payment for network access.

Supported Gateways:

• Stripe
• Braintree
• PayPal

Stripe Setup

1. Create account at Stripe
2. Go to Developers > API keys
3. Copy Publishable key and Secret key
4. In IronWifi Captive Portal settings:
   • Enable Payment provider
   • Select Stripe
   • Enter Publishable Key
   • Enter Secret Key
5. Configure webhook (optional but recommended):
   • In Stripe: Developers > Webhooks > Add endpoint
   • URL: https://splash.ironwifi.com/api/webhooks/stripe
   • Events: payment_intent.succeeded, payment_intent.payment_failed

Creating Access Plans:

1. In IronWifi, go to Access Plans
2. Click Add Plan
3. Configure:
   • Name: e.g., "1 Hour Access", "Day Pass"
   • Duration: Session length
   • Price: Amount in your currency
   • Bandwidth: Optional speed limits
   • Data cap: Optional data limit

Example plans:

Plan	Duration	Price	Bandwidth
Quick Access	1 hour	$2.99	Unlimited
Day Pass	24 hours	$9.99	Unlimited
Week Pass	7 days	$29.99	Unlimited
Premium	24 hours	$14.99	100 Mbps

Walled Garden entries:

*.stripe.com
js.stripe.com
api.stripe.com

Braintree Setup

1. Create account at Braintree
2. Go to Settings > API
3. Note your Merchant ID, Public Key, and Private Key
4. In IronWifi:
   • Enable Payment provider
   • Select Braintree
   • Enter credentials
   • Select environment (Sandbox for testing, Production for live)
5. Configure accepted payment methods:
   • Credit/Debit cards
   • PayPal
   • Apple Pay
   • Google Pay

Walled Garden entries:

*.braintreegateway.com
*.braintree-api.com
*.paypal.com
*.paypalobjects.com

PayPal Setup

1. Create business account at PayPal
2. Go to Developer Dashboard
3. Create an app under REST API apps
4. Copy Client ID and Secret
5. In IronWifi:
   • Enable Payment provider
   • Select PayPal
   • Enter Client ID and Secret
   • Select environment (Sandbox/Live)

Walled Garden entries:

*.paypal.com
*.paypalobjects.com

Payment Best Practices

1. Test in sandbox first - Use test credentials before going live
2. Clear pricing - Display all fees upfront
3. Provide receipts - Enable email confirmations
4. Handle failures gracefully - Show clear error messages
5. Offer multiple plans - Give users options
6. Consider refund policy - Document in terms of service

Provider Priority

When multiple providers are enabled, you can set the display order:

1. Drag providers to reorder
2. First provider appears most prominently
3. Consider user preferences for your venue

Combining Providers

Common Combinations

Hotel/Hospitality:

• Voucher (primary - included in room rate)
• Payment (for extended access)

Café/Restaurant:

• Email (simple, captures data)
• Social login (faster)

Enterprise Guest:

• SAML (employees)
• Email (visitors)

Events:

• Voucher (registered attendees)
• SMS (walk-ins)

Custom Authentication

For advanced needs, implement custom authentication:

REST API Provider

Authenticate against your own backend:

POST https://your-api.com/auth
{
  "username": "...",
  "password": "..."
}

Response: Return HTTP 200 for success, 401 for failure.

Walled Garden Requirements

Each provider may require specific domains in your Walled Garden:

Provider	Required Domains
Google	accounts.google.com, googleapis.com
Facebook	facebook.com, fbcdn.net
SMS	Your SMS provider's domains
Payment	Stripe.com, Braintree domains

See Walled Garden Guide for complete lists.

Best Practices

1. Minimize friction - Fewer steps = higher completion
2. Match your audience - Business events may prefer LinkedIn, cafés may prefer email
3. Always have a fallback - Offer at least two options
4. Test thoroughly - Verify all providers work on different devices
5. Consider privacy - Be transparent about data collection

Troubleshooting

OAuth Error: Redirect URI Mismatch

The redirect URI in your OAuth app doesn't match IronWifi's expected URI.

Solution: Verify the exact redirect URI from your IronWifi Captive Portal settings and update your OAuth app configuration.

Social Login Button Not Appearing

Causes:

• Provider not enabled
• Missing API credentials
• JavaScript errors

Solution: Check browser console for errors, verify credentials are entered correctly.

"Access Denied" After Social Login

Causes:

• OAuth app not approved/published
• Missing required scopes
• Account restrictions

Solution: Ensure your OAuth app is in production mode (not development/testing only).

Quick Reference

Walled Garden Cheat Sheet

Copy these entries based on your enabled providers:

# Always required
107.178.250.42/32

# Google Login
accounts.google.com
*.googleapis.com
*.gstatic.com

# Facebook Login
facebook.com
*.facebook.com
*.fbcdn.net
connect.facebook.net

# LinkedIn Login
linkedin.com
*.linkedin.com
*.licdn.com

# Twitter/X Login
twitter.com
*.twitter.com
*.twimg.com
x.com
*.x.com

# Apple Login
appleid.apple.com
*.apple.com
*.icloud.com

# Microsoft/Azure AD (SAML)
login.microsoftonline.com
*.microsoft.com
*.msftauth.net
*.msauth.net

# Okta (SAML)
*.okta.com
*.oktacdn.com

# Twilio (SMS)
*.twilio.com

# Stripe (Payment)
*.stripe.com
js.stripe.com

# Braintree (Payment)
*.braintreegateway.com
*.braintree-api.com

# PayPal
*.paypal.com
*.paypalobjects.com

Setup Checklist

Use this checklist when configuring a new authentication provider:

• Create OAuth app / API account on provider platform
• Copy credentials (Client ID, Secret, API Key)
• Enter credentials in IronWifi Captive Portal settings
• Add required domains to Walled Garden
• Configure redirect URI (if OAuth)
• Set to Production mode (not Sandbox/Development)
• Test on desktop browser
• Test on iOS device (in CNA and Safari)
• Test on Android device
• Verify user data is being collected

Related Topics

• Captive Portals Overview
• Portal Pages
• Walled Garden
• Vouchers
• Google Integration
• Twilio Integration
• Stripe Integration