Cirrus Bridge Documentation
Multilateral federated identity has become generally accepted practice for most higher education and research organizations in North America, Europe, Asia-Pacific, and increasingly the rest of the world. Unfortunately, many popular commercial solutions for managing identity don’t fully support the technologies for multilateral federation -- relying instead on bilateral registration of each Service Provider (SP) to the Identity Provider (IdP). Additionally, many of these solutions don’t support the popular single sign-on (SSO) protocol CAS.
The Cirrus Bridge addresses common Identity Provider limitations such as:
- Only supporting bilateral registration of SAML Service Providers
- Not supporting specification of your own entityID in a domain that you control so that domain validation can be performed
- Not supporting the CAS single sign-on protocol for authentication
- Not supporting assertion of attributes as required by service provider(s) - specifically eduPerson attributes
The Bridge can also be used by an organization architecturally to address several federated identity use cases:
- Participation in a trust federation such as InCommon or one of the other eduGAIN participating federations without needing to run a dedicated Identity Provider such as Shibboleth, SimpleSAMLphp, or SATOSA to support that participation. For example, smaller organizations may have a requirement to participate in a federation, but cannot dedicate resources to bridge between an existing Azure Active Directory environment and the federation.
- Supporting a “Cloud First” strategy while still maintaining existing multilateral capabilities. Many organizations are migrating to commercial solutions. The Cirrus Bridge allows those organizations to maintain the capability they need to continue to participate in federations such as InCommon, one of the eduGAIN participating federations, regional, or industry-specific federations.
- Supporting CAS while still migrating to a commercial solution. The CAS protocol has been widely adopted by higher education and many large Higher Ed applications offer it as the only method for SSO integration. The Cirrus Bridge allows organizations to migrate to another solution while maintaining support for CAS. Likewise, there are instances where an application can act as a CAS Identity Provider -- the Cirrus Bridge can be used to present those identities to a SAML-based federation.
The Bridge is also part of the Cirrus family of solutions and is fully integrated with:
- Cirrus Discovery to enable the easy configuration of a user interface to select the identity provider for log in
- Cirrus Gateway to enable both social login and organization IdP authentication to service providers
- Cirrus Identity Provider Proxy to support authentication from multiple identity providers
- Cirrus Account Linking to enable linking organizational data to external identities asserted by either social login or federation identity providers
- Cirrus Invitation to enable coarse-grained authorization control to services based on sponsors associated with the institution
- Cirrus External Identity Provider to enable organizations to offer a separate guest account with associated password that reflects the organization’s brand but as a SaaS solution