The External Captive Portal (ECP) is, essentially, a web server that runs an application allowing clients to change their authentication state, by providing credentials, credit card details, demographic information about themselves or acknowledging terms and conditions. The application can be written in any language the ECP provider chooses. The ExtremeCloud IQ Controller web applications are implemented in PHP, but they will interact with any programming language or library on the ECP or client that can generate valid HTTP.
If the ECP expects the controller to sign redirection responses, it is critical that the real time clocks on ExtremeCloud IQ Controller and the ECP are synchronized. Signed redirection responses include timestamps to protect against replay attacks. Trust the redirection responses only for a limited period of time.
The easiest way to do this is to configure both ExtremeCloud IQ Controller and the ECP to use Network Time Protocol (NTP) to manage the clock. The time zone needs to be set correctly, both on the ECP and on the appliance. On ExtremeCloud IQ Controller, go to Administration > System > Network Time to configure NTP.
The timestamps in signed redirection responses are in UTC (Coordinated Universal Time). There is no need for ExtremeCloud IQ Controller to know the ECP‘s time zone and no need for the ECP to know the appliance‘s time zone.
The signing algorithm is a slight variation on Amazon Web Service‘s (AWS) algorithm for signing requests using query string parameters. At this time AWS makes an SDK available that includes implementations of the signing algorithms in several different languages (notably Java and PHP). It may be helpful to obtain and use this SDK rather than re-implement the signing algorithm from scratch.