Description of each authentication provider IronWiFi provides
Authentication Providers define how users are allowed to authenticate on a Splash page.
Users will be allowed to use any available authentication method, and the Report will contain information about the authentication provider.
Add a New Authentication Provider
When you first create a Captive Portal, you do not have any Authentication Providers defined. To add an Authentication Provider, click the “Add New” button at the top of the section. When you finish entering information, click the blue "Add Provider" button at the bottom of the Authentication Providers window.
IronWiFi currently supports 11 methods for authenticating users via a Splash page:
- Anonymous Access
- Social Login - OAuth 2.0
- SAML 2.0 - Single Sign-On
- Paid Access
- Voucher Code
- Guest Access
- Self Registration
- Local Account
- REST API
- Sponsored Access
- SMS One Time Password
Anonymous Access
This provider creates a simple Click to Connect button and does not require the user to enter any additional information. It can be used to accept the Terms of Usage.
INPUTS:
tos Accepted Terms of Service
TARGET METHOD and URL:
POST to https://splash.ironwifi.com/api/signin/anonymousreg
Social Login - OAuth 2.0
It allows the user to sign in with their Social Network account. Supported providers include:
- Google Apps
- LinkedIn
Client ID - by default, IronWiFi uses its own Social Login application when requesting access to the user's social profile. If you create your own app with a supported Social Login provider, you can enter your application's Client ID here, and your users will approve access for your application instead of IronWiFi's.
Client Secret - password linked to the Client ID. You will get this from your OAuth 2.0 provider after you create a new Custom Application with them.
SAML 2.0 Single Sign-On
Allows using an existing SAML Identity Provider (IdP) to sign in with existing credentials. SAML IdPs confirmed to work with our platform are Google Apps, Okta, Ping Identity, and Active Directory Federation Services.
SSO URL - Single Sign-On URL provided by your SAML Identity Provider
IDP Entity ID - Entity identifier provided by your SAML Identity Provider
Certificate - public certificate in PEM format provided by SAML Identity Provider. We use this certificate to verify the SAML message signature.
TARGET METHOD and URL:
POST to https://splash.ironwifi.com/api/signin/saml2
Paid Access
Allows integration with external transaction processing to sell internet access. Available Paid plans are defined in the Hotspot Paid Plans section.
Transaction Processor - external credit card processor used to process payments from visitors. Stripe is currently supported. Any collected payments go directly to your Stripe account, and IronWiFi currently does not charge any extra processing fees.
Secret Key - authorization token that was provided by your Transaction Processor.
INPUTS:
email [Required] Visitor's email address
card_number [Required] Credit card number
exp_year [Required] Credit card expiration year
exp_month [Required] Credit card expiration month
cvc [Required] Credit card security verification number
name [Optional] Cardholder name
address_line1 [Optional] Billing address line 1
address_line2 [Optional] Billing address line 2
address_city [Optional] Billing address city
address_state [Optional] Billing address state
address_zip [Optional] Billing ZIP code as a string (e.g., "94301")
address_country [Optional] Billing address country
plan_quantity [Required] Number of units of selected plan
selected_plan [Required] ID of the selected plan
TARGET METHOD and URL:
POST to https://splash.ironwifi.com/api/signin/hotspot
Voucher Code
It allows visitors to sign in with pre-generated voucher codes. These codes can be created manually on the Users page (voucher = user with the same username as password), or you can use our Voucher Generator to generate a set of voucher codes.
INPUTS:
voucher_code [Required] Contains voucher code for validation
email [Optional] Visitor's email address
phone_number [Optional]
firstname [Optional]
lastname [Optional]
fullname [Optional]
opt_in [Optional] - Visitor wants to join the mailing list
TARGET METHOD and URL:
POST to https://splash.ironwifi.com/api/signin/voucher
Guest Self-Register
This method allows you to collect additional information from your Guests. Examples of collected data are full name, phone number, and email address.
INPUTS:
fullname - Contains guest's full name
firstname - Contains guest's first name
lastname - Contains guest's last name
phone - Contains guest's phone number
email - Contains guest's email address
zip - Contains guest's ZIP code
dob - Contains guest's Date of Birth
nationality - Contains guest's Nationality
sex - Contains guest's Sex - male or female
var1..var10 - custom variables collected via the registration form
TARGET METHOD and URL:
POST to https://splash.ironwifi.com/api/signin/guestselfregister
Self Registration
It allows the creation of permanent user accounts that can be used to sign on to the Splash page. Usually, customers use this method in combination with the "Local Account" authentication provider method.
INPUTS:
username [Required] Contains user's username
password [Required] Contains user's password in clear-text
fullname Contains user's full name
firstname Contains user's first name
lastname Contains user's last name
phone Contains user's phone number
email Contains user's email address
TARGET METHOD and URL:
POST to https://splash.ironwifi.com/api/signin/selfregister
Local Account
This method requires your users to sign in with an existing account.
INPUTS:
username [Required] Contains username for validation
password [Required] Contains password in clear-text for verification
TARGET METHOD and URL:
POST to https://splash.ironwifi.com/api/signin/localaccount
REST API
An external web server is used to verify the provided information. JSON data is forwarded to the external API endpoint using the POST request method. This request contains all information submitted by the user, as well as the parameters from the original request URL. Our communication is authorized using a secret Bearer authentication token.
Users will be authorized if a web server returns a correct response with an HTTP status code value between 200 and 299. If the status code is higher than 299, we decline the access request.
API endpoint - web server URL that should receive an authentication request
API token - bearer token, if defined, this authentication token will be included with all requests sent to the external web server
INPUTS:
We POST all input fields to the external web server. These may include username, password, voucher, email, etc.
TARGET METHOD and URL:
POST to https://splash.ironwifi.com/api/signin/rest
Response Status Codes:
2** – return status code indicates success, and the sample body provides user attributes, and access will be approved
HTTP/1.1 200 OK
{"valid_until":"2017/01/10 01:59:59 +0000","valid_from":"2017/01/09 02:03:52 +0000","nt_key":"abcd12345","membership_id":"`123456","membership":{"name":"John Sample","id":"12345678"},"id":"123456789abcdef"}
4** – return status code indicates failure and body provides an error message, and we reject the access request
HTTP/1.1 422 Unprocessable Entity
{"errors":["Email/login or password incorrect."]}
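An added example (not IronWiFi's code) of an external web server for the REST API provider: it checks the bearer token in constant time, validates the forwarded JSON, and answers 2xx only on a credential match so that every other path is declined. It assumes the token arrives in the standard Authorization header; the token, salt, account and returned attributes are constructed for the demo.

```python
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

API_TOKEN = "constructed-demo-token"  # same value as the provider's "API token" field
SALT = b"constructed-demo-salt"

def _kdf(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"jsample": _kdf("correct horse battery")}  # constructed demo account

def decide(auth_header, raw_body):
    """Return (status, body) for one forwarded sign-in request."""
    # Assumption: the token arrives as "Authorization: Bearer <token>".
    expected = ("Bearer " + API_TOKEN).encode()
    if not hmac.compare_digest((auth_header or "").encode(), expected):
        return 401, {"errors": ["Missing or invalid bearer token."]}
    try:
        fields = json.loads(raw_body)
    except ValueError:
        return 400, {"errors": ["Body is not valid JSON."]}
    username = fields.get("username") if isinstance(fields, dict) else None
    password = fields.get("password") if isinstance(fields, dict) else None
    if not (isinstance(username, str) and isinstance(password, str)):
        return 422, {"errors": ["Email/login or password incorrect."]}
    # Unknown users compare against b"", which never matches a derived key.
    if not hmac.compare_digest(_kdf(password), USERS.get(username, b"")):
        return 422, {"errors": ["Email/login or password incorrect."]}
    return 200, {"id": username}  # 2xx approves; the body fields are illustrative

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        status, body = decide(self.headers.get("Authorization"), self.rfile.read(length))
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

if __name__ == "__main__":
    # Bind locally; publish it only behind a TLS-terminating reverse proxy.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

An unhandled exception in the handler produces no 2xx response, so the request is declined rather than approved.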
Sponsored Access
The visitor will be required to provide the necessary information, and we will send an Access-Request email for approval. The visitor will be authorized after the approver clicks the link contained in the delivered request. This email can be white-labeled to match your design.
Approver's email address - this is the email address where Access Request emails should be delivered. If not defined, a visitor can enter the email address of the visited person, and an email will be sent to this email address instead. For this to work, an input field with id "eaa_email" needs to be on the Splash page, and a user with the same username or email address has to exist in the IronWiFi account.
Request expiration - access requests can have an expiration time. You can define the expiration period in minutes, or leave it blank if this request should not expire.
INPUTS:
fullname - visitor's full name
email - visitor's email address
firstname - visitor's first name
lastname - visitor's last name
phone - visitor's phone number
approver_email - Sponsor's email address, domain address, or leave empty. If you define an email address, we will send all requests to this email address. If you set a domain (e.g., @example.com), or multiple domains separated with commas, the guest will have to enter the email address that belongs to one of these domains (e.g., bill@example.com). If you leave this input field empty, the guest can enter any email address, but there has to be a valid user with the same email address defined in Console -> Users.
approver_email - SELF: If SELF is used to define the approver email, the guest will receive an email to the email address they entered. This email will contain a link to approve access. This method is useful if you want to verify email addresses.
TARGET METHOD and URL:
POST to https://splash.ironwifi.com/api/signin/employeeauth
SMS One Time Password
We will send a temporary access code to the visitor's phone number. This code will have the format defined in the Guest Manager username section.
SMS Gateway - select the external SMS gateway that should be used to send access codes to your visitors. Currently supported are Twilio and Clickatell.
Auth Token - authentication token used to access the services of an SMS gateway provider. Your SMS gateway provider issues this token.
Sender's Phone Number - if supported and configured by your SMS gateway provider, outgoing text messages will appear to be coming from this phone number.
Country Code - you can let your users enter the country code in the input field, or you can select a value that we will add to all phone numbers.
SMS Body - defines the format of sent text messages. We will replace variable ${sms_code} with the generated access code.
Code expiration in minutes - for security reasons, access codes have an expiration time. The default value is 10 minutes.
Limit per phone number - within the "Code expiration in minutes" period, we will send at most this number of text messages to a provided phone number.
Limit per client - within the "Code expiration in minutes" period, we will send at most this number of text messages from the same connected client device.
INPUTS:
Step 1:
phone_number [Required] The user-friendly phone number that should receive the SMS code. If you don't specify a Country Code in Authentication Provider Settings, this number should include a country code.
prefix We will prepend this country code to the phone number.
Step 2:
sms_code [Required] Contains SMS code for validation
fullname - visitor's full name
firstname - visitor's first name
lastname - visitor's last name
TARGET METHOD and URL:
POST to https://splash.ironwifi.com/api/signin/smsreg
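An added model (not IronWiFi's implementation) of how the "Code expiration in minutes", "Limit per phone number" and "Limit per client" settings interact to cap SMS sending and reject stale codes. The sliding window, the six-digit code format, the single-use rule and the default limits are assumptions made for the illustration.

```python
import hmac
import secrets

class SmsCodeIssuer:
    """Illustrative model of the three settings; all names are hypothetical."""

    def __init__(self, expiry_minutes=10, limit_per_phone=3, limit_per_client=5):
        self.window = expiry_minutes * 60   # seconds
        self.limit_per_phone = limit_per_phone
        self.limit_per_client = limit_per_client
        self.sent = {}    # ("phone" | "client", value) -> send timestamps
        self.codes = {}   # phone -> (code, issued_at)

    def _recent(self, key, now):
        # Keep only the sends that still fall inside the expiration window.
        kept = [t for t in self.sent.get(key, []) if now - t < self.window]
        self.sent[key] = kept
        return kept

    def request_code(self, phone, client, now):
        """Return a new code, or None when either limit is exhausted."""
        by_phone = self._recent(("phone", phone), now)
        by_client = self._recent(("client", client), now)
        if (len(by_phone) >= self.limit_per_phone
                or len(by_client) >= self.limit_per_client):
            return None   # nothing is sent, so no gateway cost is incurred
        by_phone.append(now)
        by_client.append(now)
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[phone] = (code, now)   # a newer code replaces the older one
        return code

    def verify(self, phone, submitted, now):
        code, issued = self.codes.get(phone, ("", 0))
        fresh = bool(code) and now - issued < self.window
        if fresh and hmac.compare_digest(code.encode(), submitted.encode()):
            del self.codes[phone]   # single use
            return True
        return False
```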