1. Overview
5. Service Provider Discovery Configuration
Cirrus Discovery is a discovery service conforming to the SAML V2 Identity Provider Discovery Profile. This provides a needed capability in multilateral federation by allowing service providers to determine (or discover) the identity provider associated with an end user attempting to access the service provider. In practical terms, Discovery becomes the interface end users interact with to navigate to the identity provider they will use to authenticate.
Discovery is integrated with InCommon and the trust federations of eduGAIN. This gives customers access to this global metadata resource though an easy to use interface. In addition to these globally defined identity providers, Cirrus can configure IdPs that are customer specific. This allows customers to mix published and unpublished IdPs. These customer specific IdPs can include the Cirrus External Identity Provider. Finally, Discovery is integrated with Cirrus Gateway giving it the capability to also add social identity providers such as Google, Facebook, Microsoft, LinkedIn, or others as peers to traditional IdPs.
Discovery is also fully integrated with other Cirrus Modules, and is configured using the Cirrus Console. Discovery uses the global UI configuration customers establish for their brand and is responsive so it will display equally well on the desktop and on mobile devices. The configuration established for Discovery is carried over to the claim interface for Cirrus Invitation and request based Cirrus Account Linking. The same configuration is also leveraged for Cirrus Self-Registration.
| Discovery Style | Button Style | List Style |
|---|---|---|
| Recommended Number of Identity Providers |
Less than Ten | Large Numbers |
| Supports Federated IdPs | Yes | Yes |
| Supports Social Login | Yes | Yes |
| Supports Custom IdPs | Yes | Yes |
| Control Display Order of IdPs |
Yes | Yes |
| Add Header/Footer Text | Yes | Yes |
| Customize IdP Branding (non-social IdPs only) |
Yes | No |
| Add Text Between IdPs | Yes | No |
| Put IdPs on Different Tabs | No | Yes |
| Search Box for IdPs | No | Yes |
| Supports iframe Embedding |
No | Yes |
Customers can also choose to bypass discovery. This choice is useful in those cases where the navigation for an audience is well understood (for example going from a portal to an application). For more information, see Cirrus Identity Provider Proxy discovery configuration or contact Cirrus Support.
Next you will want to look at Cirrus Discovery | Getting Started.3) If there is an identity provider that is needed by the Discovery audience, but the metadata for the IdP is not published to federation metadata (for example InCommon or eduGAIN), the metadata needs to be sent to Cirrus Identity Support (support@cirrusidentity.com) for configuration.
4) A member of the organization needs to have access to the Cirrus Console and to be granted the “Organization Administrator” (org admin) role for your organization (See Cirrus Console Getting Started).Customers will often subscribe to one or more additional Cirrus Identity modules to support desired implementations. Cirrus Discovery is included with all Cirrus Identity subscriptions.
The following steps are needed to get started with Cirrus Discovery:
Customers should take a moment and think about their Discovery Deployment. Cirrus Identity can offer generally accepted practices, customer stories, and professional services to help. Reviewing the questions covered by the Cirrus Discovery | Planning Steps is a good first step:
Determine your audience
Determine the desired end user experience
Interactions with other Cirrus Modules / Features
Select the style of Discovery to implement
Depending on the customer, Cirrus will provision other modules based on the customer’s subscription (or trial/PoC agreement). Modules such as Cirrus Gateway, Cirrus Invitation, Cirrus Account Linking, Cirrus External Identity Provider, and Cirrus Identity Provider Proxy each have associated setup. See the “Getting Started” for each module as appropriate:
If there is an identity provider that is needed by the Discovery audience, but the metadata for the IdP is not published to federation metadata (for example InCommon or eduGAIN), the metadata needs to be sent to Cirrus Identity Support (support@cirrusidentity.com) for configuration.
A member of the organization needs to have access to the Cirrus Console and to be granted the “Organization Administrator” (org admin) role for your organization (See Cirrus Console Getting Started).
If the SP (or SP side of a Cirrus Identity Provider Proxy) has not already been defined in the Console, an org admin will create the SP in the Console so it can be configured. At this point, the org admin may also designate an SP admin to complete the setup.
From the Cirrus Console, an admin will start the Discovery configuration by picking the required identity providers -- social providers will automatically be included based on the Cirrus Gateway configuration (see Cirrus Gateway Getting Started).
From the Cirrus Console, an admin will then:
Adjust the ordering of the identity providers
Choose either “Button Style” or “List Style”
For “Button Style”; be sure to apply branding for the IdP buttons, and any “spacer” text between the IdP buttons
For “List Style”; options include configuring two tabs to list sets of IdPs separately, configuring for use with iframes, and configuring for search
Add any desired header or footer text
From the Cirrus Console, the admin can save and preview the Discovery configuration
Change the configuration for all SPs that will use Cirrus Discovery - the discovery URL is "https://apps.cirrusidentity.com/console/ds/index". Details for configuring a Shibboleth SP are available here.
Once these steps are complete, you are ready to use Discovery.
To add an identity provider to Discovery , checking the box to the left. The identity provider will appear in the Selected IdPs list. To draw attention to specific identity providers in the Discovery interface, drag them to the “Preferred Providers” list. Preferred providers are listed in the order presented and can be placed on a separate tab in Discovery if desired.
If Cirrus Gateway is also being used, any Social Login Providers will also appear in the Selected IdPs. As with traditional identity providers, the Social Login Provider can be placed on the left to appear in a preferred position.
See Cirrus Discovery getting started for more details.Text headers with associated formatting can be added:
Below are sample configurations of the most common setups our customers use.
If you are using your SP with Cirrus's SAML Proxy then you do not need to configure discovery on your SP. You configure your SP to use the Proxy for authentication and the Proxy will take care of showing the correct discovery interface when a user logins. See Shibboleth Configuration Examples for how to use the Proxy.
If you are trying to customize the user experience for discovery at your SP when using the proxy then view your options.If you are using Cirrus gateway directly with your SP then you can configure your SP to use the Cirrus Discovery Service.
<SSO> block inside shibboleth2.xml<SSO discoveryProtocol="SAMLDS" discoveryURL="https://apps.cirrusidentity.com/console/ds/index"> SAML2 SAML1
</SSO> You simply provide a URL to the Cirrus Discovery Service and Shibboleth will add on any required query parameters.
SSP supports configuring a discovery URL in your SAML:SP authsource.
$config['my-sp'] = array( 'saml:SP',
// A bunch of your configuration 'idp' => NULL,
'discoURL' => 'https://apps.cirrusidentity.com/console/ds/index', );
You set the 'discoURL' to the Cirrus discovery service and set 'idp' to null (or ensure it is not set).
https://apps.cirrusidentity.com/console/ds/index?returnIDParam=idp&otherSetting
© Copyright Cirrus Identity, Inc.