Cirrus OrgBrandedID Documentation

Table of Contents

1. Overview

2. Planning Steps

3. Getting Started

4. Using Cirrus OrgBrandedID


Cirrus’ OrgBrandedID is a SAML compliant identity provider with a lightweight registration capability. To create an external identity, the end user provides a name, email address and any custom data required. The Registration process validates the email address and collects a password that meets the policies of the organization.

Once registered, the identity can be used for accessing any SAML service provider (or CAS with the Cirrus Proxy service) as illustrated in the diagram below.

  • End users can create an account in the OrgBrandedID (upper right) to access enterprise applications (in the middle)
  • The OrgBrandedID can be a peer with other federated SAML identity providers
  • Easily configurable to reflects the organization branding and credential policies
  • Integrated into both the Cirrus Identity Invitation and Account Linking solutionsCirrus’s External Identity Provider is a SAML-compliant IdP solution allowing your users to login to any SAML compliant (or CAS, via our identity proxy) application.
 Common Uses

Planning Steps

The Cirrus OrgBrandedID is often used to provide access to users who do not have a federated identity and who prefer not to access services via social login. In identity management parlance, the OrgBrandedID service is an “identity provider of last resort”. It is helpful to consider a few factors before deployment:
1) Who is the target audience?
  • Do individuals have a valid email address?
2) What is/are the Service Providers that will be accessed?
  • Are the Service Providers registered with InCommon or one of the other eduGAIN federations? -- If not, you will need to share the metadata with Cirrus Identity (there are a few options for handling this).
3) How will password reset be handled?
  • Sending a reset token to the registered email address is the default configuration.
  • Configuring reset via security questions is another option Cirrus supports.
4) How will this identity provider be branded?
  • What will it be called?

Next you will want to look at Cirrus OrgBrandedID | Getting Started.

Getting Started

Customers subscribing to Cirrus OrgBrandedID will have an instance provisioned during customer on-boarding.
Customers often subscribe to one or more additional Cirrus Identity modules to support desired implementations. Customers often configure the OrgBrandedID, alongside other Cirrus solutions such as the Cirrus GatewayCirrus Identity Provider ProxyCirrus Account Linking, and/or Cirrus Invitation.
The following are the steps needed to get started using Cirrus OrgBrandedID:

1) Customers should take a moment and think about their OrgBrandedID deployment. Cirrus Identity can offer generally accepted practices, customer stories, and professional services to help. Reviewing the questions covered by the Cirrus OrgBrandedID | Planning Steps is a good first step:
  • Who is the target audience?
  • What is/are the Service Providers that will be accessed?
  • How will password reset be handled?
  • How will this identity provider be branded?
2) Depending on the customer, Cirrus will provision other modules based on the customer’s subscription. Modules such as Cirrus Gateway, Cirrus Identity Provider Proxy, and Cirrus Invitation each have associated setup. See the “Getting Started” for each module as appropriate:
3) If there is a service provider (SP) that will use the OrgBrandedID, but the metadata for the SP is not published to federation metadata (for example InCommon or eduGAIN), the metadata needs to be sent to Cirrus Identity Support ( for configuration. Additionally, if there is an SP with special attribute requirements, regardless where the metadata is published, that also needs to be communicated to Cirrus Identity Support.

4) A member of the organization needs to have access to the Cirrus Console and to be granted the “Organization Administrator” (org admin) role for your organization. (See Cirrus Console Getting Started)
5) Before the OrgBrandedID can be completely setup, an “Organization Administrator” must complete the setup of the customer organization’s user interface.
6) Cirrus Identity will provide a URL so that customers can download the metadata for the OrgBrandedID. This will need to be added to any service providers (other than Cirrus Identity Provider Proxies) that need to leverage the OrgBrandedID.

Once these steps are complete, you are ready to add the OrgBrandedID to the configurations of other Cirrus Modules.

Using Cirrus OrgBrandedID

User Self-Service

The Cirrus OrgBrandedID uses a user self-service interface to allow users to register and reset their passwords.
Visit the registration interface for your instance to see the options available. The URL to access the tenant will be of the form "".
Self service options include:
  • Account Registration
  • Account Activation
  • Forgot UserID
  • Forgot Password
  • Change Password
  • Change Security Questions


In the Discovery Service configuration page of the Cirrus Console, the OrgBrandedID will appear under your custom federation under Federated Identity Providers. The default name for the IdP is "OrganizationName Guest IdP". You can request a different name via if you prefer. You can add the IdP to any SPs discovery interface by clicking the check box next to the name, and clicking Save.


Service Provider Configuration

Your service provider will need to trust the OrgBrandedID. This is achieved by consuming metadata for the OrgBrandedID.
First, you'll need to the public key used to sign the metadata.

# Retrieve the certificate
$ /usr/bin/curl --silent > ~/Downloads/metadata-signing.crt
# Validate its fingerprint
$ openssl x509 -noout -in ~/Downloads/metadata-signing.crt -fingerprint -sha1
SHA1 Fingerprint=56:C4:D7:77:8D:9F:C8:03:40:E4:B4:9F:77:67:57:A1:F4:52:91:1D
And then configure your SP to consume the metadata.
<!-- Non-social IdP's managed by Cirrus -->
<!-- Replace _NAME_ with the organization name provided by Cirrus -->
<MetadataProvider type="XML" url=""
backingFilePath="cirrus-metadata-signed.xml" reloadInterval="14400">
<MetadataFilter type="Signature" certificate="/path/to/metadata-signing.crt"/>

© Copyright Cirrus Identity, Inc.

Blog comments