Contact Us
Norway / English
Search

How to Configure SAML SSO on Omada Controller

Knowledgebase
Configuration Guide
BookmarksCopy Link
04-09-2025
592

Contents

Objective

Requirements

Introduction

Configuration

Verification

Conclusion

FAQ

Objective

This article is going to introduce how to configure Microsoft Entra/Azure management platform and the SAML SSO settings in Controller to achieve redirection from Microsoft Enterprise Application to Omada Controller.

Requirements

  • Omada Controller (Software Controller / Hardware Controller / Cloud-Based Controller)
  • Microsoft Entra/Microsoft Azure

Introduction

SAML SSO is an XML-based open standard for exchanging authentication and authorization data between parties, specifically between an identity provider (IdP) and a service provider (SP). It enables users to log in once and access multiple systems without needing to log in again at each one.

This article explains how to configure SAML SSO, using Microsoft Entra and the Omada Cloud-Based Controller v5.15.16 as an example.

Configuration

Our Configuration includes IDP Configuration,

Step 1. Go to Microsoft Entra Admin Center: Default Category - Microsoft Entra admin center. Click Applications, then choose Enterprise Applications.

Log into the Microsoft Entra Admin Center.

Click New application to browse Microsoft Entra Gallery.

Click All application's first unit to access the New application.

Click Create your application. Enter the name of your application and click Create.

Click Create your application to create an application about this.

Choose 2. Set up a single sign-on.

Click Choose the send part of this unit to set up single sign-on.

Step 2. Click unit SAML to start configuring the SAML Certificate.

Choose the second part of this unit to set up single sign-on.

In Basic SAML Configuration, choose Edit to configure the configuration.

Click the first part to edit the Basic SAML Configuration, including Entity ID and the Reply URL, which are the most essential parts.

Here we take a Cloud-Based Controller as an example:

Change the Entity ID and the Reply URL as essential parts.

  • Identifier (Entity ID): Here, we input the Omada Cloud’s domain into this text bar: https://omada.tplinkcloud.com/.For Software Controller& Hardware Controller, you can set the Entity ID as the “IP Address + port” of your Controller. For example, https://192.168.10.11:8043.
  • Reply URL (Assertion Consumer Service URL): Here, we input the SSO login domain into this text bar: https://aps1-omada-account.tplinkcloud.com/sso/saml/login/ For Software Controller& Hardware Controller, you can set the Entity ID as the “IP Address + port + /sso/saml/login.”For example https://192.168.10.11:8043/sso/saml/login
    .

Go to SAML Certificate, then click Federation Metadata XML > Download to download the IdP metadata file.

Click the last line of the third part to edit and download the Federation Metadata XML.

Step 3. Go to the Controller to configure the SP system. Go to Global View > Settings > SAML SSO, then click Add New SAML Connection.

Go to SAML SSO settings and create a new SSO configuration.

In the Add New SAML Connection window, input the Identity Provider Name, upload the Metadata.xml file you just downloaded into this window, and click Send.

Upload the XML file downloaded to auto-configure SAML SSO.

Go back to the SAML SSO Manager Page and check the Details of the entry we just configured.

Record the information in this window, especially the Resource ID and the Omada ID.

After configuration, click the view button to check the attributes of this SSO settings.

Click Go To SAML Roles.

Go to the SAML Roles configuration page and create a SAML role.

Click Add New SAML Role to start a new SAML role.

Start to create a new SAML Role.

Set the SAML Role Name and the role’s privilege, then click Create. The name will set the SAML role on Azure/Entra.

Set SAML Role name and privilege.

Step 5. On Entra's homepage, click App registrations. Click the IdP you created.

Go back to the Microsoft Entra application to continue configuration.

In Basic SAML Configuration, choose Edit to configure the configuration.

Click the first part to edit the Basic SAML Configuration, including Entity ID / Reply URL and the Relay State, which are the essential parts.

Edit the Entity ID, Reply URL, and the Relay State.

  • Identifier (Entity ID): Input the Entity ID we obtained from the Controller’s SSO Detail.

Entity from Controller’s SAML Attributes.

  • Reply URL (Assertion Consumer Service URL): Input the Sign-On URL we obtained from the Controller’s SAML Attributes.

Sign-On URL from Controller’s SAML Attributes.

  • Sign On URL(Optional): This text bar should be blank. Please don’t confuse this with the Sign-On URL we obtained from the Controller’s SSO Detail.
  • For Relay State, you must decode the script “resourceId_omadaId” using Base64. You can use any open-source Base64 encryption tool to encrypt this script.

Omada ID and Resource ID from Controller’s SAML Attributes.

Encode the original script of Reply State with Base 64.

Click App roles and create roles.

Go to App registrations to register App roles and assign them to your created application.

The Display name and Value here must correspond to the SAML SSO Role Name in the Controller.

Create a new app role and input the display name/member types and value.

Step 6. On Entra's homepage, click Enterprise Applications. Click your application, then click Users and Groups. Choose an account and assign a role you created

Edit the assignment of an existing account.

Choose to assign one role to the selected user.

Assign Roles to the selected user.

Here, we take the Role “SSOtest” we created as an example and assign it to our selected user.

Assign the Role you just created to this existing account.

Step 7. On Entra's homepage, click Enterprise Applications. Click your application, then click Set up single sign-on.

Go back to the application's SSO settings.

Click the Edit in Part 2—attributes & Claims to edit the attributes.

Go to the second part of these SSO settings and edit the Attributes & Claims.

Click Add new claim.

Click Add new claim to add two new claims/attributes username and usergroup_name.

Add the username and usergroup_name parameters. Set Name as the username and the Source attribute as the user's display name.

Add the Attribute username; parameters should be inputted as the sample.

Add the username and usergroup_name parameters—Set Name as usergroup_name and Source attribute as user—assigned roles.

Add the attribute userggroup_name, and parameters should be inputted as the sample.

Download Federal Metadata XML

Go back to the SSO configuration homepage and download the Federation Metadate XML.

Step 9. Go back to the SAML SSO unit of your Cloud-Based Controller. Edit the SSO configuration, upload the Metadata.xml file you downloaded to this window, and click Send.

Upload the XML file downloaded to auto-configure SAML SSO.

Verification

Method 1: Go to Part No.5 of your SAML-based Sign-on settings and click the Test button to test this SAML SSO.

Click Test to try the SAML SSO.

Click Test sign-in to test whether this can redirect you to Omada Controller.

Click Test sign-in to test the redirection to Omada Controller.

The browser will redirect you to Microsoft Login, which asks you to choose a Microsoft ID to log in. Here, we choose the user we assigned roles to in Step 6.

Choose the corresponding Microsoft ID to log in.

If the login is successful, you will return to the test page, and the test result will be shown under the Test sign-in button.

Test results will be shown under the Test sign-in button.

Method 2: Go to https://myapplications.microsoft.com. After logging in with your Microsoft ID, click the Application you just configured to log in to Omada Controller.

Click the Application SSOTest to log in to the Controller directly.

The browser will redirect you to Microsoft Login, which asks you to choose a Microsoft ID to log in. Here, we choose the user we assigned roles to in Step 6.

Choose the corresponding Microsoft ID to log in.

After logging in, you will be redirected to your Omada Controller.

Conclusion

You have successfully configured the SAML SSO of Omada Controller with Microsoft Entra/Azure ID.

Get to know more details of each function and configuration please go to Download Center to download the manual of your product.

FAQ

1. What should I do if the browser reports a While Label Error Page? After checking the dev tools windows, there’s also the error code “405 Method Not Allowed.”

Redirection with SAML SSO failed; the error code shows “405 Method Not Allowed”.

Re: From the dev tools, we can see that the Allow method for Response Headers is POST, but generally, the Request Method is GET. The technique is not matched.

Go back to your application's Basic SAML Configuration, choose Edit to configure the configuration, double-check the Identifier, Reply URL, and Relay State, and remember to clean the sign-on URL(Opential). Keep this blank.

Return to your Basic SAML Configuration and double-check your input parameters; the Sign URL(Optional) must be blank.

2. What should I do if I meet the error code {"errorCode":-1001, "msg": "Invalid request parameters."} ?

Re: Go back to Part 2 Attributes & Claims to check whether you have set the username and usergroup_name and whether the value is correct.

Return to the Attributes & Claims and check whether the username, usergroup_name, was added and the value is correct.

3. What should I do if I meet the error code {"errorCode":-1, "msg": "Something went wrong. Please try again later or contact our technical support."} ?

Re: Go back to SAML Certificates; if you have more than one certificate, please delete the manually added ones.

Clear the other certificates and keep only the default one.

Please Rate this Document

Related Documents

How to Configure Portal Authentication on Omada Controller

04-14-2023
3381

How to configure Lock to AP on Omada Controller

Controller
06-27-2024
3719

How to configure Portal Authentication on Omada Controller

Portal
10-24-2024
3713

How to configure MVR on Omada Switches via Omada Controller

09-04-2024
2738

How to configure MAC-Based Authentication on Omada Controller

Authentication
ACL
11-08-2024
6084

This website uses cookies to improve website navigation, analyze online activities and have the best possible user experience on our website. You can object to the use of cookies at any time. You can find more information in our privacy policy . Don’t show again

This website uses cookies to improve website navigation, analyze online activities and have the best possible user experience on our website. You can object to the use of cookies at any time. You can find more information in our privacy policy . Don’t show again

Basic Cookies

These cookies are necessary for the website to function and cannot be deactivated in your systems.

TP-Link

SESSION, JSESSIONID, accepted_local_switcher, tp_privacy_base, tp_privacy_marketing, tp_smb-select-product_scence, tp_smb-select-product_scenceSimple, tp_smb-select-product_userChoice, tp_smb-select-product_userChoiceSimple, tp_smb-select-product_userInfo, tp_smb-select-product_userInfoSimple, tp_top-banner, tp_popup-bottom, tp_popup-center, tp_popup-right-middle, tp_popup-right-bottom, tp_productCategoryType

Youtube

id, VISITOR_INFO1_LIVE, LOGIN_INFO, SIDCC, SAPISID, APISID, SSID, SID, YSC, __Secure-1PSID, __Secure-1PAPISID, __Secure-1PSIDCC, __Secure-3PSID, __Secure-3PAPISID, __Secure-3PSIDCC, 1P_JAR, AEC, NID, OTZ

Zendesk

OptanonConsent, __cf_bm, __cfruid, _cfuvid, _help_center_session, _pendo___sg__.<container-id>, _pendo_meta.<container-id>, _pendo_visitorId.<container-id>, _zendesk_authenticated, _zendesk_cookie, _zendesk_session, _zendesk_shared_session, ajs_anonymous_id, cf_clearance

Analysis and Marketing Cookies

Analysis cookies enable us to analyze your activities on our website in order to improve and adapt the functionality of our website.

The marketing cookies can be set through our website by our advertising partners in order to create a profile of your interests and to show you relevant advertisements on other websites.

Google Analytics & Google Tag Manager

_gid, _ga_<container-id>, _ga, _gat_gtag_<container-id>

Google Ads & DoubleClick

test_cookie, _gcl_au