← Back to Sign In
Sign-in method · Username & password

The familiar pattern,
with Netgraph plumbing.

Provision named accounts, set per-account access policies, and audit who's connected when. The right tool for the cases SAML can't reach — long-term contractors, kiosks, branch sites without SSO.

Identity Named per account
Lifecycle End-date enforced
Self-service Password change · audit
Network accounts
12 active · 4 inactive · 1 expired
erika.lindberg@initech.com
Contractor · Project X
Ends 2026-09-30
7 sessions / 14 days
kiosk-lobby-04
Service · Lobby kiosk
No end
198 sessions / 14 days
tom.consulting@example.com
Contractor · Audit
Ends 2026-05-12
No login · 47 days
maintenance-acme
Service · Cleaning
Expired 2026-04-30
Auto-revoked
What's broken today

Account sprawl, no policy, no audit

Most organizations end up with a parallel directory of Wi-Fi accounts that nobody owns. Half are stale. None have policies. Cleanup is impossible because there's no data on who's still using what.

Manual provisioning per account

Create the account, hand-type the password, ship it via email. Repeat for every contractor.

No policies per identity

Everyone gets the same access window, the same VLAN, the same everything. No nuance.

Cleanup never happens

The contractor leaves; the account stays. Six months later it's still working from somewhere.

No audit trail

"Did this account log in last week?" is unanswerable. So nobody dares delete anything.

The sign-in flow

Three states, real lifecycle

01

Admin provisions the account

Username, initial password, end date, group. Self-service password change for the user.

02

User signs in

Familiar credentials on the captive portal. Per-account policy applies — VLAN, ACLs, redirects.

03

Auto-revoke on end date

Account auto-disables on the configured date. No drift between contract end and access end.

See everything that matters

Named accounts with real policies.

Each account has an owner, an end date, and a policy. Self-service password change so users don't ping IT for every reset. Inactivity tracking so cleanup becomes a list, not a project.

01

Sessions tied to identity

Every login attached to a named account. No anonymous shared credentials.

02

End-date enforcement

Account auto-disables on the configured date. No drift between contract end and access end.

03

Devices per account

Per-account device list. Spot account sharing (multiple unrelated devices), enforce quotas if needed.

04

Where they connect

Site, building, AP. Confirm the contractor only logs in at the sites they're contracted for.

05

Inactivity tracking

Filter accounts that haven't logged in for 30, 60, 90 days. Cleanup becomes a list, not a project.

06

Audit-ready exports

Per-period reports tied to named identities. Compliance gets the full story per user.

Where it fits

For the cases SAML can't reach

01

Long-term contractors

People who need access for months but aren't in your IdP — named accounts beat shared passwords.

02

Shared kiosks

Each device runs as a named account so usage is attributable and auditable.

03

Branch sites without SSO

Smaller sites that haven't joined the central IdP yet — credentials with policies bridge the gap.

04

Service accounts

Headless systems that need credentials. Named, scoped, audited like everything else.

Pair it with

Cover everything, every device type

Safe. Simple. Smooth. — see for yourself.

A short demo, anywhere from 30 minutes to an hour, depending on what you want to dig into. Bring your toughest requirements. We'll show you how Netgraph handles them.

Book a demoRead the docs