ViniHa
New Member
February 5, 2026
Question

iOS Devices can't complete wireless SAML 2FA

A company is using SAML Credentials and Azure as IdP for wireless authentication. The configuration works fine for devices other than Apple. On Apple devices, users open up settings > Wi-Fi and then select the SSID. Upon doing so, a captive portal comes up where the user inputs their credentials. In order to proceed, the user needs to input their one-time password from the Authenticator app. Since the user is in the captive portal at this time, they need to back out of it & open up the Authenticator app to get the code. Once they get the code and re-open their settings, the process starts all over again. Please see the following video.

Troubleshooting steps taken: exempt captive.apple.com to prevent the captive portal from opening up in settings so users have to open Safari in order to go through the authentication process. Although this resolves the initial issue of not being able to input their OTP, the users never get connected even after going through the entire process. I'm wondering why exempting captive.apple.com breaks it and how to fix it.

1 reply

jiahoong112
Staff
February 6, 2026

Please ensure captive portal Wi-Fi with SAML authentication is configured according to the following:

https://docs.fortinet.com/document/fortiap/7.6.5/fortiwifi-and-fortiap-configuration-guide/806280/captive-portal-authentication-using-saml-credentials 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Wireless-Authentication-using-SAML-Credentials-and/ta-p/223422 

In addition to that, please extend the remoteauthtimeout from the default of 5 seconds to a higher value like 60 or 300 seconds.

# conf sys global
    set remoteauthtimeout 300
end