
Provisioning Information for Conditional Access Bridges

Written by Cirrus Learning Center Team | Apr 11, 2025 5:23:37 PM

Table of Contents

Overview

Microsoft Entra ID

Okta

Duo SSO

 

Overview

To provision conditional access bridges, read-only API access must first be configured and the tenant connected to the Cirrus Bridge. Customers are not required to enable read-only API access to use the Cirrus Bridge, but it is required for the conditional access features. For more information on why this step is needed, please read the blog post "Why Does a Cirrus Bridge Need Read Only API Access?"

Please find the section below for your identity provider and follow the steps.

Microsoft Entra ID

You must be a Global Administrator in Entra ID to grant the API access. Please grant the read-only API access and provide your Entra ID tenant ID to your Technical Implementation Lead.

Step 1 - Find your Tenant ID

1. Sign in to the Microsoft Azure portal.
2. Select the View button under Manage Microsoft Entra ID.
3. Your tenant ID is listed under Basic Information.

 

Step 2 - Grant API Access

To grant Cirrus read-only access to your configured Entra ID applications, have an Azure admin visit the URL below, replacing $TENANT_ID with your tenant ID.

https://login.microsoftonline.com/$TENANT_ID/adminconsent?client_id=ea71bc49-6159-422d-84d5-6c29d7287974&state=12345&redirect_uri=https://admin.cirrusidentity.com/azure-registration

Step 3 - Notify Your Cirrus Technical Implementation Lead

Once the previous steps are completed, notify your Cirrus Technical Implementation Lead that the API access has been granted and provide your Entra ID tenant ID.
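The Step 2 link grants tenant-wide consent, so it is worth confirming that the link an admin is about to open matches the one documented above. The following is an added example, not Cirrus code: the function names and the sample tenant ID are constructed for illustration, and the host, client_id and redirect_uri are copied from the Step 2 URL.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Values copied from the Step 2 URL on this page.
CONSENT_HOST = "login.microsoftonline.com"
CIRRUS_CLIENT_ID = "ea71bc49-6159-422d-84d5-6c29d7287974"
CIRRUS_REDIRECT_URI = "https://admin.cirrusidentity.com/azure-registration"
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def build_consent_url(tenant_id):
    """Substitute a tenant ID into the Step 2 URL, rejecting non-GUID input."""
    if not GUID_RE.fullmatch(tenant_id):
        raise ValueError("tenant ID must be a GUID")
    return (f"https://{CONSENT_HOST}/{tenant_id}/adminconsent"
            f"?client_id={CIRRUS_CLIENT_ID}&state=12345"
            f"&redirect_uri={CIRRUS_REDIRECT_URI}")


def check_consent_url(url, expected_tenant_id):
    """Return a list of mismatches between url and the documented link."""
    problems = []
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    # Compare the full netloc so userinfo ("host@other") or a port is rejected.
    if parts.scheme != "https" or parts.netloc.lower() != CONSENT_HOST:
        problems.append("not https://" + CONSENT_HOST)
    if parts.path.lower() != f"/{expected_tenant_id.lower()}/adminconsent":
        problems.append("path is not /<your tenant ID>/adminconsent")
    # parse_qs returns lists, so a repeated parameter also fails the check.
    if query.get("client_id") != [CIRRUS_CLIENT_ID]:
        problems.append("client_id is not the one documented in Step 2")
    if query.get("redirect_uri") != [CIRRUS_REDIRECT_URI]:
        problems.append("redirect_uri is not the one documented in Step 2")
    return problems


if __name__ == "__main__":
    sample_tenant = "11111111-2222-3333-4444-555555555555"  # constructed value
    link = build_consent_url(sample_tenant)
    print(link)
    print(check_consent_url(link, sample_tenant) or "link matches Step 2")
```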

Okta

You must be an Okta Admin with access to the Okta Administrator interface. Please grant the read-only API access and send the information listed in Step 4 to your Technical Implementation Lead.

Step 1 - Create a Group 

The Okta apps you want Cirrus to use must be assigned to a group. The Okta API will only engage with the Okta apps assigned to the group, filtering out the applications you don’t want to use with Cirrus.

Add the group with the suggested name.

Record the group’s uniqueId, which can be found in the URL. For example, the uniqueId associated with the group https://dev-933302-admin.oktapreview.com/admin/group/00gz4dm9srbl1TuYu0h7 would be “00gz4dm9srbl1TuYu0h7”. You will send this Group ID to Cirrus in Step 3.

Step 2 - Create Service Account 

Okta assigns API credentials to a specific user, so you will first create a service account for the Cirrus Bridge that will access the read-only API. 

In the Okta Admin interface, create a user that will be a service account. The suggested name is “Cirrus Service”. First, select the Add Person button to add the account.

 

Then add the information for the account and Save.


Assign the service account the “Read Only Administrator” role.

Step 3 - Create API Credentials

Next, you will create a set of credentials for the read-only API. Log in as the service account user and create an API token under Security > API > Tokens.

Step 4 - Notify Your Cirrus Technical Implementation Lead

Once the previous steps are completed, notify your Cirrus Technical Implementation Lead that the API access has been granted and securely provide the following information:

  • The group’s uniqueId
  • API token
  • Your Okta Admin domain

Do not use email to communicate the token. The Okta Admin domain will be the domain contained in the URL when you created the token (for example, dev-933302-admin.oktapreview.com). There are several options to transfer the token to Cirrus securely; the option chosen will depend on the organization’s security practices.

Duo SSO

You must have the Owner role in Duo SSO to grant the API access. Please create the Admin API application and send the information listed in Step 3 to your Technical Implementation Lead.

Step 1 - Create API Credentials

In the Duo SSO Admin interface, you will create a new application of type ‘Admin API’. 

In the next screen, press the ‘Protect’ button next to Admin API in the list.

Under ‘Details’, note and record the API credentials listed. These will be used in Step 2.

Under ‘Settings’, name your application and select only the ‘Read’ checkbox under ‘Grant Resource’.

Then save your changes.

Step 2 - Notify Your Cirrus Technical Implementation Lead

Once the previous steps are completed, notify your Cirrus Technical Implementation Lead that the API access has been granted and securely provide the following information:

  • Integration Key
  • Secret Key
  • API Hostname

Do not use email to communicate this information. There are several options to transfer this information to Cirrus securely; the option chosen will depend on the organization’s security practices.