Enable Client Onboarding with a BYOD PSK Portal

SUMMARY: Set up a client onboarding workflow for a Bring Your Own Device (BYOD) Preshared Key (PSK) Portal. These portals allow users to self-provision PSKs.

When everything is set up, the “workflow” for the BYOD PSK Portal will look like this:

Mist PSK Portal Workflow

Before You Begin

  • Obtain and activate a Juniper Mist™ Access Assurance subscription. For information about subscription management, see the Juniper Mist Management Guide.
  • In your Juniper Mist organization, configure at least one organization-level WLAN with Multi-PSK enabled (either local or cloud PSK options are fine). For more information, see Multi-Preshared Keys.
  • In your IdP admin console, configure a SAML 2.0 app integration. Your PSK portal will integrate with this application to enable Single Sign-On (SSO) access for your portal users. You can use a wide variety of IdPs (such as Okta and Microsoft Azure), as long as they support SAML 2.0. For help setting up a SAML 2.0 app integration, see your IdP documentation.

    Copy the following information from your SAML 2.0 app integration, and save it so that you can use it to set up your PSK portal in Juniper Mist.

    • Signing Algorithm

    • Issuer ID


      Your IdP admin console might show a different name for the Issuer ID. For example:

      • In Okta, this value is called Identity Provider Issuer.

      • In Azure, it's called Azure AD Identifier.

    • SSO URL


      Your IdP admin console might show a different name for the SSO URL. For example:

      • In Okta, this value is called Identity Provider Single Sign-On URL.

      • In Azure, it's called Login URL.

    • Certificate—Copy the full text of the certificate, from the BEGIN CERTIFICATE line through the END CERTIFICATE line.
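A pre-flight check for the values copied above, as an added example that is not part of the Juniper documentation: it confirms that the certificate text runs from the BEGIN CERTIFICATE line through the END CERTIFICATE line with nothing lost in between, and that the Issuer ID and SSO URL are plausible. The function names, the https requirement and the sample values are assumptions made for this example.

```python
import base64, binascii, hashlib
from urllib.parse import urlsplit

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def declared_der_length(der):
    """Total size announced by the outer ASN.1 SEQUENCE header, or None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                      # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_certificate(pem_text):
    """Return (problems, sha256_hex) for the pasted Certificate value."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines() if ln.strip()]
    if not lines or lines[0] != BEGIN:
        return ["missing BEGIN CERTIFICATE line"], None
    if lines[-1] != END:
        return ["missing END CERTIFICATE line"], None
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error:
        return ["certificate body is not valid base64"], None
    if declared_der_length(der) != len(der):   # a dropped line still decodes
        return ["certificate body is incomplete or altered"], None
    return [], hashlib.sha256(der).hexdigest()

def check_idp_values(issuer, sso_url, certificate_pem):
    """Collect problems across the values copied from the IdP admin console."""
    problems, fingerprint = check_certificate(certificate_pem)
    if not issuer.strip():
        problems.append("Issuer ID is empty")
    url = urlsplit(sso_url.strip())
    if url.scheme != "https" or not url.netloc:   # assumption: IdP serves SSO over https
        problems.append("SSO URL is not an absolute https URL")
    return problems, fingerprint

def sample_pem():
    """Constructed input: DER-framed filler bytes, not a real certificate."""
    der = b"\x30\x82" + (300).to_bytes(2, "big") + bytes(range(256)) + bytes(44)
    b64 = base64.b64encode(der).decode()
    return "\n".join([BEGIN, *[b64[i:i + 64] for i in range(0, len(b64), 64)], END])

if __name__ == "__main__":
    # Constructed issuer and URL; replace with the values from your IdP.
    print(check_idp_values("idp-issuer-constructed", "https://idp.example.com/sso", sample_pem()))
```

The returned SHA-256 value is the hash of the decoded certificate bytes, so it can be compared with one computed from the IdP's own copy of the certificate.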

To set up client onboarding with a BYOD PSK Portal:

  1. From the left menu of the Juniper Mist portal, select Organization > Admin | Client Onboarding.
    Left Menu Navigation for Organization > Client Onboarding
  2. Click Add PSK Portal at the top-right corner of the Client Onboarding page.
    Add PSK Button on the Client Onboarding Page
  3. In the Add PSK Portal pop-up window, enter a Name, select BYOD (SSO) as the portal type, and then click Create.
    Add PSK Portal Pop-Up Window
  4. On the Portal Settings tab of the Edit PSK Portal window:
    • Keep the default layout options, or make changes to customize the sign-in screen.

    • Copy the PSK Portal URL so that you can provide it to your users.

    Options on the Portal Settings Tab
  5. On the Portal Authorization tab of the Edit PSK Portal window:
    • Enter the Issuer, Signing Algorithm, SSO URL, and Certificate that you copied from your app integration in your IdP admin console.

    • Select a Name ID Format. Most people use the e-mail address for the name ID. If you use a different identifier for your IdP user accounts, select Unspecified.

    Options on the Portal Authorization Tab
  6. Copy the Portal SSO URL.
  7. Open a separate browser window, and complete these steps to finalize your SAML 2.0 app integration:
    1. Navigate to your IdP admin console.
    2. Go to the settings for your SAML 2.0 app integration.
    3. Enter the copied value into the appropriate field to identify your Juniper Mist PSK portal to your IdP. For help, see your IdP documentation.
    4. Save the changes.

    Your IdP might have different names for the field where you need to paste the Portal SSO URL. Consider the following examples, and see your IdP documentation for help.

    Okta Example

    In this example, the Portal SSO URL from Juniper Mist is copied into the appropriate fields in the Okta Admin Console.

    Example: Portal SSO URL and Corresponding Fields in Okta Admin Console

    Microsoft Azure Example

    In this example, the Portal SSO URL from Juniper Mist is copied into the appropriate fields in the Azure Admin Console.

    Azure Example: Entering the Portal SSO URL into the SAML Configuration
  8. Return to the Juniper Mist portal.
  9. On the PSK Parameters tab of the Edit PSK Portal window:
    • Select the SSID (required).


      The list includes only SSIDs for organization-level WLANs that have Multi-PSK enabled.

    • Adjust the optional settings as needed. For example:

      • Set the Passphrase Settings to enforce your policies for password complexity.

      • Specify a VLAN ID if you want the users of this portal to be assigned to a particular VLAN. To use this option, you must enter a VLAN that is included in the VLAN list for the WLAN.

      • Adjust the PSK Validity options to set the expiration period and to send reminders before key expiration.

      • Under Max Usage, you can limit the number of devices that can connect to your portal.

      • Under Role, you can specify a role to limit access to certain types of user accounts (using the roles that you set up for your IdP user accounts).

    Options on the PSK Parameters Tab
  10. Click Save at the bottom of the Edit PSK Portal window.

    The button is unavailable until you enter the required settings on the various tabs. The required settings are labeled in red type.

  11. Verify that your portal works as expected by going to the PSK Portal URL that you copied from the Portal Settings tab of the Edit PSK Portal window.
  12. Provide your users with the PSK Portal URL so that they can connect to your portal.

    Create a CNAME record in your DNS to give users a more user-friendly URL that is associated with your domain.