Attribute Authority and Flow Control API

Organizations frequently want to augment a SAML assertion, OIDC token or a CAS response with additional attributes. This article outlines the capabilities the API provided by the organization should have to enable integration with the Cirrus Bridge or Cirrus Authentication Proxy.

Basic Operation

The APIs have the following constraints:

The Attribute Authority supports the HTTP Basic-Auth header. It does not currently support the HTTP X-Api-Key header. Contact Cirrus Identity Support (see https://www.cirrusidentity.com/resources/service-desk) for other supported authentication methods.
All API calls originate from Cirrus Identity servers. The end user browser agent does not make any API calls.

Health Check Endpoint

Cirrus will query a health check endpoint using the same credential used for the POST request. This endpoint is used to confirm connectivity and authorization to the API. Cirrus will perform a GET and the response should be 200 and the JSON:

{"status":"UP"}

Any other response or status code will be considered an error.

The “/attributes” endpoint

The Cirrus Authentication Proxy or Cirrus Bridge will HTTP-POST a JSON collection request to and expect a JSON collection response from a customer developed /attributes endpoint.

/attributes Request

The general structure of the request consists of a series of context parameters and a block of “userAttributes”.

Context Parameters

The context of the Attribute Authority backchannel call will be characterized by parameters included in the request. The following parameters may be present in the Request JSON collection depending on the deployment:

Context Parameter	Definition	Applicable Deployment Patterns
"upstreamIdPEntityId"	The upstream (source) SAML IdP entityId that was used to login. For example: “https://source.example.edu/idp”	All deployments for Cirrus Proxy
"downstreamSpEntityId"	The downstream (target) SAML SP entityId that will receive the assertion. For example: “https://target.example.edu/sp”	All SAMLV2 deployments when Cirrus Proxy or Bridge is configured to perform a separate Attribute Authority API call for each login request from a target service provider
"cirrusIdPEntityId"	The SAML entityId of the Cirrus Bridge or proxy that is being used by the downstream (target) service provider (SP). For example "https://tenant.proxy.cirrusidentity.com/idp"	All SAMLV2 deployments for Cirrus Bridge or Proxy
“downstreamRelyingParty”	The downstream (target) OIDC RP that will receive the assertion. For example: _aaa111b22ccccc333d44f5aaa6666bb7777cc88dd9	All OIDC deployments when Cirrus Proxy configured to perform a separate Attribute Authority API call for each login request from a target RP
“cirrusOIDCIssuer”	The OIDC issuer string that is configured at the Cirrus Proxy. For example: https://example.proxy.cirrusidentity.com	All OIDC deployments for Cirrus Proxy

User Attributes

The userAttributes block of the request will contain a collection of the user attributes that were asserted by the upstream IdP. Each user attribute is reflected as:

A multi-valued array of string values
Will have JSON keys that match either the OID or human readable name for the attribute based on what was asserted by the upstream IdP

Example Request #1 - Cirrus Bridge

The following is an example request with the following AA use case:

A SAML V2 authentication transaction
A Cirrus Bridge integration

This use case will generate the following JSON request:

{

"upstreamIdPEntityId": "https://source.example.edu/idp",

"downstreamSpEntityId" : "https://target.example.edu/sp",

"cirrusIdPEntityId": "https://example.proxy.cirrusidentity.com/idp",

"userAttributes": {

"urn:oid:2.5.4.3": [

"firsty lasty"

"urn:oid:1.3.6.1.4.1.5923.1.1.1.6": [

"123456789@example.edu"

"urn:oid:1.3.6.1.4.1.5923.1.1.1.9": [

"member@example.edu"

"attributeWithoutOid": [

"value1",

"value2"

]

}

Example Request #2 - Cirrus Proxy (SAMLV2 per IdP source)

The following is an example request with context parameters for the following AA use case:

A SAML V2 authentication transaction
A Cirrus Authentication Proxy integration
A Cirrus Authentication Proxy configured to perform a separate Attribute Authority API call for each login response from each source Identity Provider

This use case will generate the following JSON request:

{

"upstreamIdPEntityId": "https://source.example.edu/idp",

"cirrusIdPEntityId": "https://example.proxy.cirrusidentity.com/idp",

"userAttributes": {

"urn:oid:2.5.4.3": [

"firsty lasty"

"urn:oid:1.3.6.1.4.1.5923.1.1.1.6": [

"123456789@example.edu"

"urn:oid:1.3.6.1.4.1.5923.1.1.1.9": [

"member@example.edu"

"attributeWithoutOid": [

"value1",

"value2"

]

}

Example Request #3 - Cirrus Proxy (SAMLV2 per SP target)

The following is an example request with context parameters for the following AA use case:

A SAML V2 authentication transaction
A Cirrus Authentication Proxy integration
A Cirrus Authentication Proxy configured to perform a separate Attribute Authority API call for each login request from a downstream service provider

This use case will generate the following JSON request:

{

"upstreamIdPEntityId": "https://source.example.edu/idp",

"downstreamSpEntityId" : "https://target.example.edu/sp",

"cirrusIdPEntityId": "https://example.proxy.cirrusidentity.com/idp",

"userAttributes": {

"urn:oid:2.5.4.3": [

"firsty lasty"

"urn:oid:1.3.6.1.4.1.5923.1.1.1.6": [

"123456789@example.edu"

"urn:oid:1.3.6.1.4.1.5923.1.1.1.9": [

"member@example.edu"

"attributeWithoutOid": [

"value1",

"value2"

]

}

Example Request #4 - Cirrus Proxy (OIDC)

The following is an example request with the following AA use case:

An OIDC authentication transaction
A Cirrus Authentication Proxy integration
A Cirrus Authentication Proxy configured to perform a separate Attribute Authority API call for each login request from a downstream relying party

This use case will generate the following JSON request:

{

"upstreamIdPEntityId": "https://source.example.edu/idp",

"downstreamRelyingParty" : "_aaa111b22ccccc333d44f5aaa6666bb7777cc88dd9",

"cirrusOIDCIssuer": "https://example.proxy.cirrusidentity.com",

"userAttributes": {

"urn:oid:2.5.4.3": [

"firsty lasty"

"urn:oid:1.3.6.1.4.1.5923.1.1.1.6": [

"123456789@example.edu"

"urn:oid:1.3.6.1.4.1.5923.1.1.1.9": [

"member@example.edu"

"attributeWithoutOid": [

"value1",

"value2"

]

}

/attributes Response

The customer developed API should respond with a JSON collection when receiving a HTTP POST request. The response should have the following possible keys:

(Required) “status” with values of either “continue” or “error”
(Optional) “attributeMode” with values of “replace”, “merge”, “overwrite”, or “preserve”. See section on “attributeMode” behavior for details.
(Required for “continue”) “userAttributes” should contain the attributes for the user. Values for an attribute should be an array of strings. A response without a “userAttributes” key (or set to a value of “null”) can be used to tell the Cirrus proxy to continue without altering the end user’s current attributes. A response with a “userAttributes” of an empty list will, if in replace mode, result in all of an end user’s attributes being removed.
(Required for “error”) “message” should contain a meaningful message to the end user and can contain markdown syntax to customize the presentation of the message to the end user. Organizations may use the “error” status to guide an end user to take a prerequisite action.

“attributeMode” Parameter Behavior

NOTE - For Cirrus Bridges integrated with either Entra ID or Okta APIs, this attribute is ignored and has no effect. The combination behavior is controlled through the configured application in Entra ID or Okta.

The JSON key “attributeMode” is optional in the response collection when Attribute Authority is used with Cirrus Proxy and in cases where the Cirrus Bridge is deployed using an assertion for integration instead of APIs. Unless specified, attributeMode is “replace” by default. The behavior for the “attributeMode” is outlined in the table below:

attributeMode value	Behavior
replace (default if not set)	All of the user’s existing attributes are removed and only attributes from the AA are used for the user.
merge	The user’s existing attributes are combined with those from the attribute authority. For example, if the user had the value “member” for eduPersonAffiliation attribute, and AA returns “staff” for eduPersonAffiliation, then assertion will be a multivalued attribute containing “member” and “staff”
overwrite	The attributes from the AA are added to the existing user attributes and any existing attribute with the same name as that from the AA is replaced.
preserve	Attributes added but any existing user attributes are preserved. e.g., if the attribute from the AA has the same name as a user’s existing attribute then it is not used.

Example Response #1 - Basic response

An example of a basic response that will “replace” the incoming assertion from the source IdP.

{

"status": "continue",

"userAttributes": {

"urn:oid:2.5.4.3": [

"Update Name"

"newAttribute": [

"abcd"

]

}

Example Response #2 - Response with attributeMode set

An example of using a “merge” attributeMode for the response to add the value of “staff@example.edu” to the eduPersonScopedAffiliation existing attribute:

{

"status": "continue",

"attributeMode": "merge",

"userAttributes": {

"urn:oid:1.3.6.1.4.1.5923.1.1.1.9": [

"staff@example.edu"

"newAttribute": [

"abcd"

]

}

Example Response #3 - Error message

An example of the attribute returning an error message that directs the end user to a URL for help.

{

"status": "error",

"message": "A user could not be found. You can **try again** or click [here](https://example.edu/help) for help."

}

View full post