Anatomy of an Authentication Profile
SAML: Default Profile (required for SAML)
SAML: Building Additional Profiles (optional)
CAS: Default Profile (required for CAS)
CAS: Additional Profiles (optional)
This document provides information on building attribute profiles for the Cirrus Bridge. For the full configuration process, visit Getting Started with Cirrus Bridge. You will follow each of these steps for each new application that you add.
What we refer to as an authentication profile has many names, but it is essentially the collection of information required to configure an application in your identity provider.
For SAML, it includes:
For CAS, it includes:
When you set up the Cirrus Bridge for the first time, we typically set up a default profile that matches the recommendations for the REFEDS Research and Scholarship entity category. Here are the types of values you will need for that.
Entity ID
The entity ID will be provided by your Implementation Lead. The format will be something like https://<<domain>>/bridge, where the domain matches your domain. This is the default application that will get used to authenticate users to InCommon.
NameID Format and Value
The default NameID Format is transient, which means the NameID value is generated as a unique value for each transaction. Entra ID does not support transient NameIDs, so you will need to add a claim carrying the following Cirrus rule, which instructs the Bridge to send a transient NameID:
Name: cirrus.nameIdFormat
Value: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
Research and Scholarship Attributes
To meet the REFEDS research and scholarship entity category requirements used by InCommon, you must configure the following attributes. We typically configure them on the default application so they are available to every application, but depending on your security requirements, they may be added to a specific R&S application.
| Attribute (friendlyName) | OID |
|---|---|
| Surname (sn) | urn:oid:2.5.4.4 |
| Given Name (givenName) | urn:oid:2.5.4.42 |
| Display Name (displayName) | urn:oid:2.16.840.1.113730.3.1.241 |
| Email address (mail) | urn:oid:0.9.2342.19200300.100.1.3 |
| eduPersonPrincipalName* | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 |
* Note: eduPersonPrincipalName should be statically assigned, invariant, persistent, not case sensitive, and scoped.
The attributes listed above satisfy the attribute requirements of the Research and Scholarship entity category. To be fully compliant with R&S requirements, you will also need to signal that MFA is enforced.
R&S Attribute Value Mappings for Enterprise Bridges
Below are some common mappings for the Research and Scholarship Attributes for our Enterprise Bridges.
| Attribute (friendlyName) | OID | Entra ID Value | Okta Value | Duo SSO Value |
|---|---|---|---|---|
| Surname (sn) | urn:oid:2.5.4.4 | user.surname | user.lastName | Last Name |
| Given Name (givenName) | urn:oid:2.5.4.42 | user.givenname | user.firstName | First Name |
| Display Name (displayName) | urn:oid:2.16.840.1.113730.3.1.241 | user.displayname | user.displayName | Display Name |
| Email address (mail) | urn:oid:0.9.2342.19200300.100.1.3 | user.mail | user.email | Email Address |
| eduPersonPrincipalName* | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | user.userprincipalname | user.login | Username |
Signing/Encryption Settings
To start, we set Signing Settings to Sign Response and leave Encryption off. If you are migrating from an existing identity provider that has encryption on by default, or if your security settings require encryption to be on, then note those requirements.
MFA Requirements
Many InCommon SPs require or prefer that MFA is enabled and that the REFEDS MFA AuthnContext is sent. Please note how you perform MFA and whether it is enabled for everyone. Also note whether you are using the built-in MFA of your primary identity provider or another MFA solution.
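As an added check (example code, not Cirrus Bridge's own), the following parses a constructed SAML assertion and verifies the points of the default profile described above: a transient NameID, the five R&S attributes released under their OID names, a scoped eduPersonPrincipalName, and the REFEDS MFA AuthnContext class. The AuthnContext URI https://refeds.org/profile/mfa is the standard REFEDS value and is not taken from this page; the assertion and scope are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
REFEDS_MFA = "https://refeds.org/profile/mfa"  # REFEDS MFA AuthnContext class (standard value)
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
RS_ATTRS = {  # R&S bundle from the table above, keyed by the OID name the SP sees
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    EPPN: "eduPersonPrincipalName",
}

def check_assertion(xml_text, expected_scope):
    """Return a list of findings; an empty list means the assertion fits the default profile."""
    root = ET.fromstring(xml_text)
    findings = []
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != TRANSIENT:
        findings.append("NameID is not transient")
    attrs = {}  # Name -> list of values, as released in the AttributeStatement
    for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
    for oid, friendly in RS_ATTRS.items():
        if not any(attrs.get(oid, [])):
            findings.append(f"missing {friendly} ({oid})")
    for value in attrs.get(EPPN, []):  # ePPN must be scoped to your domain
        if "@" not in value or value.rsplit("@", 1)[1].lower() != expected_scope.lower():
            findings.append(f"eduPersonPrincipalName not scoped to {expected_scope}: {value}")
    ctx = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ctx is None or (ctx.text or "").strip() != REFEDS_MFA:
        findings.append("REFEDS MFA AuthnContext not asserted")
    return findings

# Constructed sample assertion (signature and conditions omitted for brevity).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_7f3a</saml:NameID></saml:Subject>
 <saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
 <saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>jane.doe@example.edu</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
if __name__ == "__main__":
    print(check_assertion(SAMPLE, "example.edu") or "assertion matches the default profile")
```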
Below is some information on how to build additional profiles. If you need them, your implementation lead will work with you to complete a service provider inventory and then build the additional profiles. This information will be used to add additional configurations.
With Enterprise Bridges, each additional profile is an additional application in your primary identity provider that you will configure. With the Standalone Bridge, additional profiles are rare, but when used the profile information is used by our team to configure the settings for the Bridge.
NameID Format and Value
Record the NameID format (persistent, unspecified, emailaddress, etc.) for each application that requires one of these formats. Also record the value to be used for this attribute.
Application Specific Entity IDs
Here are some types of entity IDs for additional profiles.
| Application | Identifier URI/Entity ID | Description |
|---|---|---|
| Research and Scholarship | http://refeds.org/category/research-and-scholarship | Used if you want Research and Scholarship applications to have a different attribute release from your default. |
| Entity Categories | The entity category for the SP(s) | Use the entity category for the SP(s); the Cirrus Bridge will automatically use that profile when it receives an authentication request from an SP with that entity category. |
| Specific SP | The SP’s entityID | Use the SP’s entityID; the Cirrus Bridge will automatically use that profile when it receives an authentication request from that SP. |
| Groups of SPs with common requirements (Entra ID only) | The SP entityIDs | Entra ID allows you to add multiple URIs/EntityIDs to a single Entra ID application. Cirrus will automatically use the application for all entityIDs added to it. |
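As an added illustration (not Cirrus Bridge code), the following reads an SP's entity categories from constructed SP metadata and selects a profile by the matching rules in the table above: a profile registered for the SP's entityID (including an Entra ID application carrying several entityIDs), a profile registered for an entity category the SP carries, or the default. The profile identifiers are constructed, and the precedence of a specific-SP match over an entity-category match is an assumption, not something the page states.

```python
import xml.etree.ElementTree as ET

NS = {
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"  # standard entity attribute name
DEFAULT = "https://idp.example.edu/bridge"  # constructed default profile identifier
# Constructed profiles: (identifier URI, match kind, values), mirroring the table above.
PROFILES = [
    ("https://idp.example.edu/bridge/banner", "sp",
     {"https://banner.example.edu/sp", "https://banner-test.example.edu/sp"}),  # multi-URI app
    ("https://idp.example.edu/bridge/rs", "category",
     {"http://refeds.org/category/research-and-scholarship"}),
]

def sp_categories(metadata_xml):
    """Return (entityID, set of entity categories) from an SP's metadata."""
    root = ET.fromstring(metadata_xml)
    cats = set()
    for a in root.findall(".//mdattr:EntityAttributes/saml:Attribute", NS):
        if a.get("Name") == ENTITY_CATEGORY:
            cats.update((v.text or "").strip() for v in a.findall("saml:AttributeValue", NS))
    return root.get("entityID"), cats

def select_profile(sp_entity_id, categories):
    """Specific-SP profile first, then entity category, else the default (precedence assumed)."""
    for profile_id, kind, values in PROFILES:
        if kind == "sp" and sp_entity_id in values:
            return profile_id
    for profile_id, kind, values in PROFILES:
        if kind == "category" and values & categories:
            return profile_id
    return DEFAULT

# Constructed SP metadata carrying the R&S entity category.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  entityID="https://sp.example.org/shibboleth">
 <md:Extensions><mdattr:EntityAttributes>
  <saml:Attribute Name="http://macedir.org/entity-category">
   <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
  </saml:Attribute>
 </mdattr:EntityAttributes></md:Extensions>
</md:EntityDescriptor>"""
```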
Additional Attributes
If you are porting over existing applications, you will often find some that do not fit the defaults for Research and Scholarship. You may need additional attributes (with or without special names). For these, you may use the friendly name for the attribute instead of the urn:oid values.
If you are converting from an identity provider that automatically releases both the friendly name and the urn:oid name from a single configuration, you will need to release each of these with two separate configurations: one with the urn:oid as the name and a second with the friendly name as the name.
For reference, you can look up the urn:oid values for common attributes in the reference page for REFEDS eduPerson.
Compile a full list of all attributes for an application or group of applications.
Additional Attribute Value Mappings for Enterprise Bridges
Here are some common mappings for additional attributes for our Enterprise Bridges.
| Attribute (friendlyName) | Name/OID | Entra ID Value | Okta Value | Duo SSO Value |
|---|---|---|---|---|
| Common Name (cn) | urn:oid:2.5.4.3 | user.displayname | user.displayName | Display Name |
| UID (uid) | urn:oid:0.9.2342.19200300.100.1.1 | user.userprincipalname | user.login | Username |
| eduPersonUniqueId | urn:oid:1.3.6.1.4.1.5923.1.1.1.13 | user.userprincipalname | user.login | Username |
| eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | A custom attribute | A custom attribute | A custom attribute |
| eduPersonEntitlement | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | A custom attribute | A custom attribute | A custom attribute |
| eduPersonAssurance | urn:oid:1.3.6.1.4.1.5923.1.1.1.11 | A custom attribute | A custom attribute | A custom attribute |
| eduPersonTargetedID | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | Provided by Cirrus | Provided by Cirrus | Provided by Cirrus |
For reference, you can find additional urns for common attributes in the reference page for REFEDS eduPerson.
Signing/Encryption Settings
To start, we set Signing Settings to Sign Response and leave Encryption off. If you are migrating from an existing identity provider that has encryption on by default, or if your security settings require encryption to be on, then note those requirements.
MFA Requirements
Many InCommon SPs require or prefer that MFA is enabled and that the REFEDS MFA AuthnContext is sent. Please note how you perform MFA and whether it is enabled for everyone. Also note whether you are using the built-in MFA of your primary identity provider or another MFA solution.
For the CAS default profile, you need to identify the matching attribute, which will be added as an attribute with the name ‘cas:user’ and the value from your primary identity provider that you identify. Then collect all of the CAS service URLs that use that attribute release.
For the default CAS Bridge, you will be provided with the entity ID by your implementation lead; it will have the format https://<<name>>/cas-bridge, where name is the domain name for your Bridge.
Entity IDs for these profiles represent a grouping of CAS SPs with alternate attribute requirements, and as such they are constructed. Pick an Entity ID of the form https://<<domain>>/cas-bridge/<<some-appid>>, where <<some-appid>> should be a label meaningful to you (e.g., banner).
Now that your attribute profiles are built, please return to the Configuration section of the Getting Started documentation to configure your Bridge.