A walled garden is a list of URLs that guests can reach before they’ve signed in to the Captive Portal. Everything else is blocked until they complete a Sign In Module. The garden is narrow by design — just enough to let the sign-in flow work. Typical entries:
  • SAML IdP hostnames — so SAML SSO redirects can reach Entra, Google, Okta, etc.
  • Service Gateway or Meraki dashboard endpoints — when the portal needs to reach back into your network integration.
  • Content delivery networks — fonts, images, and scripts the portal depends on (usually added automatically).
  • Third-party services — an SMS gateway, an email verification service, or a payment processor if your sign-in flow needs it.
  • Emergency / public-service sites — some jurisdictions require pre-auth reachability to emergency services.

Why you need it

Without a walled garden, guests’ traffic is blocked entirely until they complete a Sign In Module. That’s fine for the happy path of Self-Provisioning by Email or simple Password sign-in. But as soon as a module needs to redirect the browser outside your infrastructure (SAML, external verification, rich portal content), the browser has to reach those destinations before the guest is authenticated. The walled garden is the narrow list of destinations that are intentionally reachable pre-auth.

Setting up the walled garden

Open Administration → Configuration → Common Settings → Service Gateway Walled Garden. Each entry is a domain or IP range guests can reach before they’ve signed in. The card has one-click buttons for common identity providers — Google, Entra (Azure), and Okta — that load the recommended set of IdP hostnames for you. For anything else, use the Add walled garden entry input. Keep the list minimal. Every entry is a pre-auth hole; review the list periodically and remove entries that are no longer needed.
The Walled Garden card configures pre-auth reachability for Service Gateway deployments. For Cisco Meraki deployments, the walled garden is configured in the Meraki dashboard alongside the Captive Portal settings.

Common patterns

  • For SAML sign-in — add the IdP’s login hostname(s). For Entra ID that’s typically login.microsoftonline.com and login.live.com. For Google Workspace, accounts.google.com. Check the IdP’s documentation for the full list.
  • For guest convenience — some operators add common operating-system connectivity-check endpoints (captive.apple.com, connectivitycheck.gstatic.com, etc.) to suppress spurious “no internet” warnings until the guest completes sign-in. Be aware this increases pre-auth traffic.
  • For compliance — some regulators require pre-auth reachability to emergency-services or public-information sites. Add what your jurisdiction requires.

Caveats

  • Not a substitute for network security. The walled garden controls what the Captive Portal blocks. It does not implement firewall rules on your underlying network.
  • No wildcards unless supported by the integration. What qualifies as a “match” depends on how your network integration evaluates the list. Test each entry after adding.
  • More entries = more pre-auth exposure. Minimalism is the right default.
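The following is an added illustration, not part of this documentation or of the product, of the two review habits above: testing how an entry matches under exact-hostname versus subdomain semantics (which differ between integrations), and finding entries that no observed pre-auth destination ever needed. The garden list, the 203.0.113.0/24 range and the observed destinations are constructed sample values.

```python
import ipaddress

# Constructed sample walled garden: IdP hostnames from this page plus a
# hypothetical Service Gateway range (203.0.113.0/24 is documentation space).
GARDEN = [
    "login.microsoftonline.com",
    "login.live.com",
    "accounts.google.com",
    "captive.apple.com",
    "203.0.113.0/24",
]

# Constructed sample of destinations seen from unauthenticated guests.
OBSERVED = ["login.microsoftonline.com", "captive.apple.com",
            "203.0.113.10", "fonts.gstatic.com"]


def parse_entry(raw):
    """Classify an entry as ('net', ip_network) or ('host', lowercase hostname)."""
    raw = raw.strip().lower().rstrip(".")
    try:
        return ("net", ipaddress.ip_network(raw, strict=False))
    except ValueError:
        return ("host", raw)


def is_reachable(destination, entries, suffix_match=False):
    """True if `destination` (hostname or IP literal) is allowed pre-auth.

    suffix_match=False models an integration that requires an exact hostname;
    suffix_match=True models one that treats an entry as covering subdomains.
    """
    dest = destination.strip().lower().rstrip(".")
    try:
        dest_ip = ipaddress.ip_address(dest)
    except ValueError:
        dest_ip = None
    for raw in entries:
        kind, value = parse_entry(raw)
        if kind == "net":
            if dest_ip is not None and dest_ip in value:
                return True
        elif dest_ip is None:
            if dest == value or (suffix_match and dest.endswith("." + value)):
                return True
    return False


def unused_entries(entries, observed, suffix_match=False):
    """Entries that matched none of the observed destinations: candidates to remove."""
    used = {e for d in observed for e in entries if is_reachable(d, [e], suffix_match)}
    return [e for e in entries if e not in used]
```

Run `unused_entries(GARDEN, OBSERVED)` to list the entries the observed sign-in traffic never touched; confirm each one with the IdP documentation before removing it.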

SAML SSO

The module that most often requires walled-garden entries.

SAML IdP setup

Includes the walled-garden entries each IdP typically needs.