← Back to Sign In
Sign-in method · BYOD with SAML SSO

The identity
you already trust.

Employees onboard their personal devices with the same identity they already use to log into Microsoft, Google, or Okta. No passwords on the captive portal. No help-desk tickets. Onboard once, manage forever.

Identity Microsoft · Google · Okta · any SAML
Policies Group-based, time-bound
On offboard Auto-deauth via IdP
Captive portal · Sign in with
or any SAML 2.0 provider

The familiar login. Already MFA-protected. Already known to HR. The same source of truth for who works here.

What's broken today

Account sprawl is a quiet disaster

Provisioning Wi-Fi credentials by hand was painful at 50 employees. At 500, it's a quarterly cleanup project. At 5,000, half the accounts shouldn't be active anymore — but you can't tell which ones.

Manual account provisioning

New hire shows up. IT creates a Wi-Fi account by hand. Day-one productivity bleeds away.

Leavers never get removed

HR offboards. The Wi-Fi account stays. Six months later it's still working from a cafe.

Password sprawl

One more password to remember, one more to write down, one more to phish. Captive portals make it worse.

BYOD is everyone's problem

Personal phones, contractor laptops, hot-desking — every device lifecycle hits the captive portal differently.

The sign-in flow

Three taps to passwordless network access

01

Click "Sign in with…"

One button on the captive portal — Microsoft, Google, Okta, anything SAML.

02

Authenticate with your IdP

The familiar login (already MFA-protected), running on your existing identity infrastructure.

03

Network access on policy

Returned to the captive portal with a verified identity. Policy applies based on group membership.

See everything that matters

Every session, tied back to a person.

BYOD with SAML moves the access decision out of the captive portal and into the systems your organization already uses to decide who works there.

01

Sessions tied to identity

Every device, every session, attributed to the user's IdP identity. No anonymous BYOD.

02

Group-based access windows

Set hours per group, auto-expire per role. Contractors get the right window without a ticket.

03

Devices per employee

Phone, laptop, tablet — operating system, fingerprint, last seen. Quota enforcement built in.

04

Where they work from

Site, building, AP. Useful for hot-desking estates and distributed offices.

05

Auto-deauth on offboarding

HR flips the IdP switch. Wi-Fi access goes with it. No drift between systems.

06

Audit-ready, identity-aware

Every export ties sessions to people, not anonymous MAC addresses. Compliance gets the full story.

Where it fits

Built for organizations with an IdP

01

Corporate BYOD

Every employee has an IdP identity. Use it for the network too.

02

Universities & schools

Student SSO covers students, staff SSO covers staff — same captive portal, different policies.

03

Distributed contractors

Time-bound access, scoped to the role. Auto-revoke when the engagement ends.

04

Regulated industries

Healthcare, finance, government — identity-bound network access for audit and least-privilege.

Pair it with

For the cases SSO can't reach

Safe. Simple. Smooth. — see for yourself.

A short demo, anywhere from 30 minutes to an hour, depending on what you want to dig into. Bring your toughest requirements. We'll show you how Netgraph handles them.

Book a demoRead the docs