In a modern, zero-trust network environment, security starts with identity. Cloud NAC is designed to move your network away from generic, shared Wi-Fi passwords and toward identity-based access control.
To achieve this, Cloud NAC integrates directly with your organization’s Identity Provider (IdP). This article explains what an IdP is, the critical role it plays in network security, and how Cloud NAC leverages different integration protocols to automate your network management.
What is an Identity Provider (IdP)?
An Identity Provider (IdP) is the centralized platform your organization uses to manage the digital identities, credentials, and access permissions of your staff and employees. It serves as the single "source of truth" for who belongs to your organization and what they are allowed to access.
Common examples of modern, cloud-based IdPs include:
Microsoft Entra ID (formerly Azure AD)
Google Workspace
Okta
Auth0
Shibboleth
By transitioning to cloud-based IdPs, organizations can use standard web protocols to securely authenticate users across external applications—including the Cloud4Wi BYOD portal and Captive Portals.
The Dual Role of an IdP in Cloud NAC
Integrating your IdP with Cloud NAC does much more than just check user passwords. It handles two vital functions: Authentication and Directory Synchronization.
1. Secure User Authentication
When a user attempts to onboard a device, Cloud NAC hands off the login process entirely to your IdP.
Users log in using their familiar corporate credentials, passkeys, or multi-factor authentication (MFA).
Security Benefit: Cloud4Wi never sees, stores, or handles your users' actual passwords. The entire authentication process happens securely on your IdP's infrastructure.
2. Automated Directory Synchronization & Lifecycle Management
An IdP isn't static; it constantly updates as your organization changes. Cloud NAC connects to your IdP's APIs to detect these changes in real time and automatically adjust network access accordingly.
Automated Offboarding: The moment an employee leaves the company and is disabled in your IdP, Cloud NAC instantly revokes their network access. No manual IT cleanup is required to ensure old devices are blocked.
Dynamic Policy Evolution: If an employee moves from the Marketing department to the Finance department, Cloud NAC detects the group change and dynamically updates their network policy (such as routing them to a more secure Finance VLAN) the next time they connect.
Understanding the Protocols: SAML vs. SCIM
To bridge your IdP and Cloud NAC, standard enterprise protocols are used. It is important to understand what these protocols cover:
SAML (Security Assertion Markup Language)
SAML is the gold standard for enterprise authentication. It allows a user to log into one system (the IdP) and be automatically granted access to another (Cloud4Wi) without re-entering credentials.
The Catch: SAML only handles authentication. It does not provide a way for Cloud NAC to actively scan your directory for changes, meaning it cannot automatically detect when a user is disabled or shifts departments after their initial login.
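To make the "snapshot at login" limitation concrete, the following is an added illustration (not Cloud4Wi code and not a real IdP's output): a constructed SAML assertion is parsed, its validity window and audience are checked, and the subject plus group attributes are extracted. Everything the network policy learns from SAML arrives in this one message; if the user is later disabled or moved, nothing updates until they log in again. Signature verification of the enclosing Response is assumed to be performed by a SAML library before this step and is not shown. The hostnames, group names, and timestamps are placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion for illustration only; it was not issued by any real IdP.
# In production, parse with a hardened XML parser (e.g. defusedxml) and only after the
# Response signature has been verified against the IdP's metadata certificate.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example-1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:55:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://nac.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Marketing</saml:AttributeValue>
      <saml:AttributeValue>All-Staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _utc(ts: str) -> datetime:
    """Parse the whole-second UTC timestamps SAML uses ('2024-05-01T10:00:00Z')."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_login(assertion_xml: str, expected_audience: str, now: str) -> dict:
    """Check the assertion's time window and audience, then return the identity
    snapshot it carries. 'now' is passed as a UTC string so the check is testable."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return {"accepted": False, "reason": "missing Conditions"}
    t = _utc(now)
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    # NotOnOrAfter is exclusive: an assertion is already invalid at that exact instant.
    if (not_before and t < _utc(not_before)) or (not_on_or_after and t >= _utc(not_on_or_after)):
        return {"accepted": False, "reason": "assertion outside its validity window"}
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        return {"accepted": False, "reason": "audience mismatch"}
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == "groups":
            groups = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
    # This is the only directory information SAML ever delivers: a point-in-time view.
    return {"accepted": True, "subject": subject, "groups": groups,
            "issued_at": root.get("IssueInstant")}
```

The audience check matters in a NAC deployment: without it, an assertion the IdP issued for some other application could be replayed against the onboarding portal.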
SCIM (System for Cross-domain Identity Management)
SCIM is an open standard designed specifically to automate the exchange of user identity information between identity domains. It allows your IdP to actively "push" user updates, group creations, and deletions to external apps.
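The two lifecycle events described earlier (automated offboarding and a department move) are exactly what SCIM delivers as PATCH messages. The example below is an added illustration, not Cloud4Wi's implementation: a small in-memory mirror of the provisioned directory applies SCIM PatchOp operations in the shape defined by RFC 7644 and derives the network decision from the result. User ids, group ids and names are constructed placeholders; the `events` list stands in for whatever the NAC does with a revoke or policy refresh.

```python
import re

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def _as_bool(value):
    """Some IdPs serialize booleans as the strings "True"/"False"; bool("False")
    would be True, which would silently fail to deactivate a user."""
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


def _check_schema(patch):
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")


class DirectoryMirror:
    """Local copy of the users and groups an IdP has pushed via SCIM. Network
    decisions are derived from this mirror, so a push changes access without
    waiting for the user to authenticate again."""

    def __init__(self):
        self.users = {}   # user_id -> {"userName": str, "active": bool}
        self.groups = {}  # group_id -> {"displayName": str, "members": set of user_id}
        self.events = []  # network-side actions triggered by directory changes

    def provision_user(self, user_id, user_name, active=True):
        self.users[user_id] = {"userName": user_name, "active": active}

    def provision_group(self, group_id, display_name, members=()):
        self.groups[group_id] = {"displayName": display_name, "members": set(members)}

    def patch_user(self, user_id, patch):
        _check_schema(patch)
        user = self.users[user_id]
        for op in patch["Operations"]:
            kind, path = op["op"].lower(), op.get("path")
            if kind == "replace" and path == "active":
                user["active"] = _as_bool(op["value"])
            elif kind == "replace" and path is None:
                # Path-less replace carries a partial resource as the value.
                user.update(op["value"])
                if "active" in op["value"]:
                    user["active"] = _as_bool(op["value"]["active"])
            else:
                raise ValueError(f"unsupported user operation: {op}")
            if not user["active"]:
                # Offboarding: every device tied to this identity loses access now.
                self.events.append(("revoke", user_id))

    def patch_group(self, group_id, patch):
        _check_schema(patch)
        members = self.groups[group_id]["members"]
        for op in patch["Operations"]:
            kind = op["op"].lower()
            if kind == "add" and op.get("path") == "members":
                for m in op["value"]:
                    members.add(m["value"])
                    self.events.append(("policy-refresh", m["value"]))
            elif kind == "remove":
                # RFC 7644 filter form: members[value eq "<user_id>"]
                match = re.fullmatch(r'members\[value eq "([^"]+)"\]', op.get("path", ""))
                if not match:
                    raise ValueError(f"unsupported remove path: {op.get('path')}")
                members.discard(match.group(1))
                self.events.append(("policy-refresh", match.group(1)))
            else:
                raise ValueError(f"unsupported group operation: {op}")

    def network_state(self, user_id):
        """What the NAC should enforce for this identity right now."""
        user = self.users.get(user_id)
        if user is None or not user["active"]:
            return {"allowed": False, "groups": []}
        groups = sorted(g["displayName"] for g in self.groups.values() if user_id in g["members"])
        return {"allowed": True, "groups": groups}


def demo():
    """Replay the article's two lifecycle events with constructed data."""
    d = DirectoryMirror()
    d.provision_user("u-alice", "alice@example.com")
    d.provision_user("u-bob", "bob@example.com")
    d.provision_group("g-mkt", "Marketing", ["u-alice"])
    d.provision_group("g-fin", "Finance")
    # Department move: the IdP pushes a remove from Marketing and an add to Finance.
    d.patch_group("g-mkt", {"schemas": [PATCH_SCHEMA],
                            "Operations": [{"op": "remove", "path": 'members[value eq "u-alice"]'}]})
    d.patch_group("g-fin", {"schemas": [PATCH_SCHEMA],
                            "Operations": [{"op": "add", "path": "members", "value": [{"value": "u-alice"}]}]})
    # Offboarding: the IdP deactivates Bob; note the string-valued boolean.
    d.patch_user("u-bob", {"schemas": [PATCH_SCHEMA],
                           "Operations": [{"op": "replace", "path": "active", "value": "False"}]})
    return d
```

Two points the code makes that the prose does not: deactivation, not deletion, is the normal offboarding signal in SCIM, so the NAC must treat `active: false` as a hard revoke; and a SCIM endpoint that ignores an unsupported operation instead of rejecting it would leave the mirror silently out of sync with the IdP.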
Our Roadmap: While Cloud4Wi natively supports SAML-based authentication across almost all major providers, we are actively committed to releasing full SCIM support in upcoming releases to deliver seamless, automated policy management across all standard IdPs.
Streamlined Integration: The Microsoft Entra ID Advantage
For organizations utilizing Microsoft Entra ID, Cloud4Wi has developed a dedicated, native integration component that bypasses the need for multi-protocol setups by leveraging the Microsoft Graph API.
Instead of requiring administrators to configure two separate systems (one for SAML authentication and one for SCIM directory syncing), the Graph API integration combines both functions into a single step. Check this article for step-by-step Entra ID configuration.
Key Advantages for Admins:
Single App Configuration: Administrators only need to create and authorize a single enterprise application within the Microsoft Entra ID platform.
Dynamic Group Filtering: When you create Trusted Access Rules inside the Cloud4Wi dashboard to assign specific network Group Policies, the dashboard automatically communicates with the Graph API.
Live Dropdown Menus: You will see a live, dynamic dropdown list of your actual Microsoft Entra ID groups right inside the Cloud4Wi interface. This allows you to effortlessly select a subsection of your users (e.g., "Engineering") and instantly map them to their dedicated network configuration.
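As an added illustration of what "mapping a group to a network configuration" involves once the groups come from the Graph API (this is example code, not the Cloud4Wi dashboard's own logic): a constructed stand-in for the `GET /users/{id}/memberOf` response is paged through, non-group directory objects are skipped, and an ordered list of rules resolves the user's memberships to one policy. The URLs, group ids and VLAN numbers are placeholders, and first-match-wins ordering is an assumption made for the example rather than a description of the dashboard's precedence.

```python
# Constructed stand-in for paged responses from
# GET https://graph.microsoft.com/v1.0/users/{id}/memberOf . Real responses
# use the same "value" / "@odata.nextLink" shape; these ids and URLs are fake.
FAKE_GRAPH = {
    "https://graph.example/memberOf?page=1": {
        "@odata.nextLink": "https://graph.example/memberOf?page=2",
        "value": [
            # memberOf also returns directory roles and administrative units,
            # which must not be mistaken for groups.
            {"@odata.type": "#microsoft.graph.directoryRole", "id": "role-0001",
             "displayName": "Global Reader"},
            {"@odata.type": "#microsoft.graph.group", "id": "grp-all-staff-0001",
             "displayName": "All-Staff"},
        ],
    },
    "https://graph.example/memberOf?page=2": {
        "value": [
            {"@odata.type": "#microsoft.graph.group", "id": "grp-eng-0002",
             "displayName": "Engineering"},
        ],
    },
}


def fetch_json(url):
    """Stand-in for an authenticated Graph GET; a real client would send a
    bearer token obtained for the enterprise application."""
    return FAKE_GRAPH[url]


def member_group_ids(first_url, fetch=fetch_json):
    """Collect the ids of group objects across every page of the response."""
    ids = []
    url = first_url
    while url:
        page = fetch(url)
        for obj in page.get("value", []):
            if obj.get("@odata.type") == "#microsoft.graph.group":
                ids.append(obj["id"])
        url = page.get("@odata.nextLink")  # absent on the last page
    return ids


# Trusted Access Rules as an ordered list; first matching rule wins (an
# assumption for this example). Rules key on the immutable group id rather than
# displayName, because display names in a tenant are neither unique nor stable.
RULES = [
    {"group_id": "grp-fin-0003", "policy": {"vlan": 30, "name": "Finance"}},
    {"group_id": "grp-eng-0002", "policy": {"vlan": 20, "name": "Engineering"}},
    {"group_id": "grp-all-staff-0001", "policy": {"vlan": 10, "name": "Staff"}},
]
DEFAULT_POLICY = {"vlan": 99, "name": "Quarantine"}


def resolve_policy(group_ids, rules=RULES, default=DEFAULT_POLICY):
    """Map a user's group memberships to a single network policy; a user who
    matches no rule lands in the default (restrictive) policy rather than
    inheriting whatever the last connection used."""
    member = set(group_ids)
    for rule in rules:
        if rule["group_id"] in member:
            return rule["policy"]
    return default
```

Two practitioner caveats: `memberOf` returns direct memberships only, so a rule on a parent group needs `transitiveMemberOf` (or an explicit expansion) if nested groups are in use; and any client that stops at the first page of a paged response will quietly miss groups for users with many memberships, which is why the loop above follows `@odata.nextLink` until it disappears.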