SAML Users/Roles

I have recently installed the BETA copy of the software controller and I am mostly happy with it so far. We previously had numerous OC200 controllers - one per site.
Under "Accounts" I see there is provision for SAML User and SAML Role.
Am I correct to think that by using these functions I should be able to configure login to the controller to require an approved Microsoft Entra ID account?
Would there be any documentation/guidance available for how to configure this on the Omada Controller and within Entra?
Thanks,
Andy
Am I correct to think that by using these functions I should be able to configure login to the controller to require an approved Microsoft Entra ID account?
>>> Yes.
Currently, we don't have a guide about this config. Do you have any questions when configuring it?
@Vincent-TP When trying to configure this with authentik, I receive an error saying "invalid parameters" when I load the data from a URL or file. If I enter the data manually I get an error saying "invalid format" on the Entity ID. What format does the Entity ID need? Also, do you know when docs will be available for this?
Sorry Vincent, I would need guidance on both ends - the Controller and the Microsoft end.
By the look of it I would create a "custom app" under Entra ID Enterprise Applications?
I basically want to be able to use our Microsoft AD/Entra usernames and passwords to log into the Omada controller (running on Windows Server on our domain).
Thanks,
Andy
This is now in Stable release as well 5.15.20.19. I still can't find any official documentation on how to configure with the major IdPs (Entra, Google, Okta)...
I am very familiar with setting up SAML apps within our Entra tenant but so many questions regarding your implementation.
Specifically for on-prem hosted controllers:
How does enabling SAML interoperate if you have enabled cloud access and have cloud-enabled users?
Does SAML redirect through your cloud services to reach our on-prem box?
Or is this local only, and can cloud users still log in separately with their TP-Link IDs?
If that's the case, then we will need to configure some kind of reverse proxy to make the on-prem controller reachable from Entra ID, correct?
Once enabled, are local users still able to log in alongside SAML users? Cloud users?
If not, is there a fallback URL for local users if SAML is ever misconfigured/expired?
Thanks,
Hi Vincent,
Thanks for the documentation.
I have SAML via Entra ID now configured as per the instructions, and technically it works and we can log in; however, we have one issue. After signing in with your M365 credentials it redirects you to our controller's IP address URL instead of our properly configured hostname, which of course in the browser gives you a "connection not private" screen.
Our Omada controller is on-premise, and when you create a new SAML configuration within it, it automatically assigns its Entity ID and Sign-On URL as the IP address, and this does not seem to be editable.
We have a proper public SSL certificate on our controller and it is reachable via https://omada.mycompany.com. I have the Entra ID Identifier and Reply URL defined as our https://omada.mycompany.com hostname as well. I just need to know how to change it on the Omada side so we can retain SSL and security all the way through.
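The two Omada-side problems raised in this thread (an Entity ID the controller rejects as "invalid format", and an auto-generated Entity ID / ACS URL built from the controller's IP address that no longer matches the Identifier and Reply URL registered in Entra ID) can both be caught before the IdP side is touched by checking the SP metadata. The script below is an added example and is not TP-Link's, Omada's or Entra's code; it assumes standard SAML 2.0 metadata XML, and the embedded sample (host 192.0.2.10, port 8043, ACS path /saml/acs) is constructed to mimic the IP-based metadata described above, not captured from a controller.

```python
"""Sanity-check SAML SP metadata against what the IdP (Entra ID) has registered.

Added example, not Omada/TP-Link code. It assumes plain SAML 2.0 metadata XML;
the sample below is constructed, not taken from a real controller.
"""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample: an on-prem SP that filled its Entity ID and ACS URL
# from its IP address instead of the hostname on its certificate.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://192.0.2.10:8043/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://192.0.2.10:8043/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return (entityID, [ACS Location, ...]) from SP metadata XML."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    acs = [e.get("Location")
           for e in root.findall(".//md:AssertionConsumerService", NS)]
    return entity_id, acs


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_uri(label, value, expected_host):
    """Problems with one SP identifier/URL.

    An entityID only has to be an absolute URI (a urn: value is fine); when it
    is an http(s) URL, the host must be the certificate hostname, not an IP.
    """
    problems = []
    parsed = urlparse(value or "")
    if not parsed.scheme:
        problems.append(f"{label}: not an absolute URI: {value!r}")
        return problems
    if parsed.scheme not in ("http", "https"):
        return problems
    if parsed.scheme != "https":
        problems.append(f"{label}: not https: {value}")
    host = parsed.hostname or ""
    if is_ip_literal(host):
        problems.append(f"{label}: uses IP literal {host}; the certificate for "
                        f"{expected_host} will not match after the redirect")
    elif host.lower() != expected_host.lower():
        problems.append(f"{label}: host {host} differs from {expected_host}")
    return problems


def check_sp_metadata(xml_text, expected_host, idp_identifier, idp_reply_urls):
    """Compare SP metadata with the Identifier and Reply URLs registered at the IdP."""
    entity_id, acs_urls = parse_sp_metadata(xml_text)
    problems = check_uri("entityID", entity_id, expected_host)
    if entity_id != idp_identifier:
        problems.append(f"entityID {entity_id!r} != IdP Identifier {idp_identifier!r}")
    for loc in acs_urls:
        problems += check_uri("AssertionConsumerService", loc, expected_host)
        if loc not in idp_reply_urls:
            problems.append(f"ACS {loc} is not among the IdP Reply URLs")
    return problems


if __name__ == "__main__":
    for p in check_sp_metadata(SAMPLE_SP_METADATA, "omada.mycompany.com",
                               "https://omada.mycompany.com/",
                               ["https://omada.mycompany.com/saml/acs"]):
        print("PROBLEM:", p)
```

Run against the constructed sample it reports four problems: both the entityID and the ACS Location are IP literals, the entityID does not equal the Entra Identifier, and the ACS URL is not a registered Reply URL. Once the controller's metadata carries https://omada.mycompany.com/ in both places and Entra has the same values, the list is empty; a value with no scheme at all is flagged as not an absolute URI, which is the usual reason an Entity ID is rejected as invalid.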
Hi @ekrizon
Is there a direct access URL for SAML users? Or do they need to go through the M365 app launcher?
>>> They need to go through the M365 APP.
Thanks Vincent. That would be something nice to see in a future release: the ability to have SAML set as the default and only authentication method for the portal, and then a unique fallback URL that would still allow local login in case SAML is broken and you need to log in to disable it.
It is quite awkward for our admins not to be able to go directly to omada.mycompany.com and log in.