Overview
This article provides the steps to enable guest authentication with Facebook and Google+.
Introduction
Social media guest authentication can be enabled to allow clients to log in to a guest network using their Facebook or Google+ credentials. Start by creating a Facebook app, a Google+ API login, or both.
Facebook App Setup
1. Register a Facebook App
Use the guide HERE to register a Facebook authentication app, keeping this help article open for reference.
Step 3 prompts you to choose a display name for your application. Choose a name that will represent your WiFi portal. Users will see this when authenticating. For this example, I’ll use the name "CMurphy Hotspot Login," and keep the default email, which is the email linked to my Facebook account. For Category, I’ll use Communication. Category isn’t critical here, so feel free to use a different category if it better represents your business.
You will be prompted to either enter a quick-start guide, or go back. If you click go back, you can get to the dashboard by clicking My Apps in the top right corner. Select Choose Platform > Website to begin the quick start guide.
2. Complete Facebook Website Quick Start.
Choose Website.
Under Tell us about your website, enter the domain name of your controller as the Site URL. Next, click Skip to Developer Dashboard.
3. App Settings
Navigate to Settings in the sidebar to open up the basic app settings.
App ID and App Secret will be automatically assigned to your app. Choose a Display Name and Namespace for your app - these can be anything, but users will see them when authenticating.
Under both App Domains and Site URL, enter the domain or subdomain of your controller.
You must add URLs for privacy policy and terms of service. These are required for proper function.
You can add a Privacy Policy/Terms of Service to the guest portal through Settings > Guest Control > Enable Terms of Service, then use the URL of your controller, for example: https://controller:8843/guest/s/<site-id>/#/tos
Replace controller with your publicly accessible controller URL and, if using a non-default site, replace <site-id> with the site's unique 8-digit identifier, i.e. ryx7y4tf in the following example:
Be sure to save your changes.
4. Add Product
Next, click Add Product, then Facebook Login to create the login page.
5. Add Controller Redirect URI and Port
Under Facebook Login settings, include the following URL under "Valid OAuth redirect URIs". Use the toggle options in the below image.
https://domain.com:8843/guest/s/<siteid>/oauth.html?by=facebook
Or if using http (which may not be permitted by current Facebook settings):
http://domain.com:8880/guest/s/<siteid>/oauth.html?by=facebook
Replace domain.com with your publicly accessible controller URL, and <siteid> with the 8-digit site identifier from your UniFi Controller URL, for example:
In this example, the siteid is "ryx7y4tf" and would need to be included in the URL added to the "Valid OAuth redirect URIs" in Facebook App settings:
https://unifi.exampleurl.com:8443/guest/s/ryx7y4tf/oauth.html?by=facebook
Save changes before continuing.
6. Publish App
Finally, publish the app by switching the "Off" toggle at the top of the Facebook for Developers page to "On" so that the app is live.
If you are setting up Google authentication as well, continue reading. Otherwise, skip to Controller Setup.
Google+ API Setup
1. Enable Google Login
Use the Enable the Google+ API Guide HERE to enable Google login.
When prompted to enter the app origin, use the subdomain, followed by port 8880 (and/or 8843). Note the Client ID and Client Secret, which will be used later in the Controller Setup.
You will need to add your customized version of the following URL to Google API Credentials Settings:
If using Secure Portal (https):
https://<controller-url>:8843/guest/s/<site-id>/oauth.html?by=google
Or if you do not have Secure Portal enabled (http):
http://<controller-url>:8880/guest/s/<site-id>/oauth.html?by=google
Replace <controller-url> with your publicly accessible controller URL, and <site-id> with either default if using the default site, or the 8-digit site identifier from your UniFi Controller URL, as in the following example:
In this example, the siteid is "ryx7y4tf" and would need to be included in the URL added to Google API settings.
2. Add Redirect URIs
The following would need to be added to Authorized redirect URIs in Google API settings:
https://unifi.exampleurl.com:8443/guest/s/ryx7y4tf/oauth.html?by=google
If a client device gets a redirect error after setup, add the redirect URI below under "Authorized redirect URIs" in the above step:
3. Enable People API for your project.
Follow Google's instructions on how to enable People API.
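Both providers compare the redirect URI character for character, so a wrong port, an unreplaced placeholder or a copied trailing period produces a redirect error. The following checker is an added example, not part of the original article or of UniFi; the function name and the site ID pattern are assumptions. Note that the article's URL templates use port 8843 while its worked examples show 8443, so the checker reports that difference for you to confirm against your own portal.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Ports from the article's URL templates: 8843 with https, 8880 with http.
PORTAL_PORTS = {"https": 8843, "http": 8880}
PROVIDERS = {"facebook", "google"}
# Assumption: a site ID is "default" or 8 lowercase letters/digits (e.g. ryx7y4tf).
SITE_ID = re.compile(r"default|[a-z0-9]{8}")


def check_redirect_uri(uri):
    """Return a list of problems found in a guest-portal OAuth redirect URI."""
    problems = []
    cleaned = uri.strip().rstrip(".")
    if cleaned != uri:
        problems.append("stray whitespace or trailing period copied with the URI")
    parts = urlsplit(cleaned)
    if parts.scheme not in PORTAL_PORTS:
        return problems + ["scheme must be http or https"]
    if parts.scheme == "http":
        problems.append("plain http: the OAuth response reaches the portal unencrypted")
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        port = None
    expected = PORTAL_PORTS[parts.scheme]
    if port != expected:
        problems.append(f"port {port}, but the {parts.scheme} template uses {expected}")
    if not parts.hostname or "<" in parts.netloc:
        problems.append("controller hostname missing or still a placeholder")
    match = re.fullmatch(r"/guest/s/([^/]+)/oauth\.html", parts.path)
    if not match:
        problems.append("path is not /guest/s/<site-id>/oauth.html")
    elif not SITE_ID.fullmatch(match.group(1)):
        problems.append(f"site ID {match.group(1)!r} looks like an unreplaced placeholder")
    by = parse_qs(parts.query).get("by", [])
    if len(by) != 1 or by[0] not in PROVIDERS:
        problems.append("query must be exactly by=facebook or by=google")
    return problems


if __name__ == "__main__":
    # URIs taken from the article's templates and examples.
    for uri in ("https://unifi.exampleurl.com:8843/guest/s/ryx7y4tf/oauth.html?by=facebook",
                "https://unifi.exampleurl.com:8443/guest/s/ryx7y4tf/oauth.html?by=google.",
                "https://domain.com:8843/guest/s/<siteid>/oauth.html?by=facebook"):
        print(uri, "->", check_redirect_uri(uri) or "OK")
```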
UniFi Controller Setup
1. Activate Guest Policies
Once you have configured your Facebook or Google app, open your publicly hosted controller. Begin by activating Guest Policies by navigating to Settings > Wireless Networks and making sure the Guest Policy box is checked to enable.
2. Configure the Guest Portal
2.1 Next, open Settings > Guest Control to configure the guest portal. To view these options, the "Enable Guest Portal" box must be checked.
2.2 Select Hotspot authentication.
2.3 If you wish, enter a Promotional URL to forward clients to your website after they are authenticated. Otherwise, leave it set to Redirect to the original URL so that users continue to the website they were trying to reach.
2.4. Select Redirect using hostname, and enter the URL of your subdomain in the field provided.
2.5. Check Enable encrypted redirect URL.
2.6 Under Settings > Guest Control > Access Control, allow Google sites for pre-authorization access by adding the IP range 172.217.20.0/19.
3. Activate Third Party Authentication Method
Under the Settings > Guest Control > Hotspot section, select the third party authentication methods that you wish to activate (Facebook and Google). Enter the ID and Secret for the selected app(s) as configured in those platforms.
4. Add Facebook and Google's Public IPs
Under Access Control, add the following public IPs that Facebook uses to the Pre-Authorization Access list:
31.13.24.0/21 31.13.64.0/18 45.64.40.0/22 66.220.144.0/20 69.63.176.0/20 69.171.224.0/19 74.119.76.0/22
103.4.96.0/22 129.134.0.0/16 157.240.0.0/16 173.252.64.0/18 179.60.192.0/22 185.60.216.0/22 204.15.20.0/22
If you haven't yet, add the following public IP that Google uses to the Pre-Authorization Access list:
172.217.0.0/16
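Every entry in the Pre-Authorization Access list is reachable by any device on the guest network before it logs in, so the list is worth auditing before it is saved. The following script is an added example, not part of the original article or of UniFi: it takes the ranges from steps 2.6 and 4 above, flags entries with host bits set or already covered by a wider entry, and counts the addresses exposed. The function names and the two test destinations are constructed for illustration.

```python
import ipaddress

# Ranges copied from the article's Access Control steps (2.6 and 4).
PAGE_RANGES = """
31.13.24.0/21 31.13.64.0/18 45.64.40.0/22 66.220.144.0/20 69.63.176.0/20
69.171.224.0/19 74.119.76.0/22 103.4.96.0/22 129.134.0.0/16 157.240.0.0/16
173.252.64.0/18 179.60.192.0/22 185.60.216.0/22 204.15.20.0/22
172.217.20.0/19 172.217.0.0/16
""".split()


def audit_preauth(entries):
    """Parse the list; report misaligned and redundant entries."""
    parsed, findings = [], []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        # The typed address differs from the network address: host bits are set.
        if ipaddress.ip_interface(entry).ip != net.network_address:
            findings.append(f"{entry}: host bits set, effective range is {net}")
        parsed.append((entry, net))
    for entry, net in parsed:
        for other_entry, other in parsed:
            if net != other and net.subnet_of(other):
                findings.append(f"{entry}: already covered by {other_entry}")
    return [net for _, net in parsed], findings


def reachable_addresses(nets):
    """Count addresses an unauthenticated guest can reach (overlaps merged)."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


def is_preauthorized(ip, nets):
    """True if a destination address falls inside the pre-authorization list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    nets, findings = audit_preauth(PAGE_RANGES)
    for line in findings:
        print("FINDING", line)
    print("addresses reachable before login:", reachable_addresses(nets))
    # Constructed sample destinations, not captured traffic.
    for ip in ("157.240.1.35", "142.250.72.14"):
        print(ip, "allowed" if is_preauthorized(ip, nets) else "blocked until login")
```

A login that stalls on the provider's page usually means the provider answered from an address outside this list; check the address with `is_preauthorized` before widening any range.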
5. Test the Guest Network
Finally, use a device to connect to the guest network and verify that the guest portal works properly.