
Configuring Cirrus Bridge with Duo SSO

Written by Cirrus Learning Center Team | Apr 29, 2025 5:58:31 PM

Overview 

Allow Cirrus Bridge API Access

Configure SAML Application

Test the Integration

Add Additional Applications

Overview

This document outlines the steps required to configure the Cirrus Bridge for Duo SSO. Your Cirrus Technical Implementation Lead will provide the values specific to your Bridge, and you will follow the steps below to enter them. Each Cirrus Bridge can support both SAML and CAS, and each protocol is configured as a separate application within Duo. If you are running a SAML-only or CAS-only Bridge, you only need to add the applications for your protocol.

Additionally, each unique authentication profile requires its own Duo application. An authentication profile consists of the NameID format and value, the set of attributes released, and the signing and encryption settings. A typical implementation includes the default profile(s) for each protocol, plus one or more additional profiles if required by specific service providers. Your Cirrus Technical Implementation Lead will work with you to develop these additional profiles and provide support for configuring them.

Allow Cirrus Bridge API Access

This step is completed during the provisioning process with your Cirrus Technical Implementation Lead. Follow the Duo SSO steps for allowing API access if you have not already done so.

Configure SAML Application

Step 1 - Add Application

In the Duo SSO Admin interface, you will create a new application of type ‘Generic SAML Service Provider - Single Sign-On’.


Now that the application is created, you will enter the configuration information in subsequent steps.

Step 2 - Enter Basic Information

First, give the application a name that is meaningful to you and indicates its function. Then decide whether to enable access for all users or limit it to a specific group. Generally, we recommend enabling it for all users, unless your institution has a security policy that limits sign-on to specific groups.

Step 3 - Configure the Service Provider

From Duo's point of view, the Cirrus Bridge is a Service Provider: because it sits between Duo and the applications, it acts as a service provider to Duo and as an identity provider to the downstream applications. In this step, you will add the Service Provider configuration. Set Metadata Discovery to ‘None (manual input)’ and then enter the values provided by Cirrus for Entity ID, Assertion Consumer Service (ACS) URL, and Single Logout URL. Any additional field should be left blank.


Step 4 - Configure the SAML Response

Here you will set the NameID format, Signature Algorithm, Signing Options, and Map Attributes. 

Below is the list of attributes and the default mappings we set up for the REFEDS Research & Scholarship profile. We recommend using the urn:oid names for the attributes and adding friendly names only as needed. If you are converting from an IdP that sends both the urn:oid name and the friendly name, you will need to add both as separate attributes in Duo.

Attribute (friendlyName)        | OID                                | Suggested Duo SSO Attribute
Display Name (displayName)      | urn:oid:2.16.840.1.113730.3.1.241  | Display Name
Email address (mail)            | urn:oid:0.9.2342.19200300.100.1.3  | Email Address
Given Name (givenName)          | urn:oid:2.5.4.42                   | First Name
Surname (sn)                    | urn:oid:2.5.4.4                    | Last Name
eduPersonPrincipalName          | urn:oid:1.3.6.1.4.1.5923.1.1.1.6   | Username **

** Note: eduPersonPrincipalName should be statically assigned, invariant, persistent, case-insensitive, and scoped (user@scope). The Duo SSO Username can be used as long as it meets these criteria. See our blog post on Picking a Good eduPersonPrincipalName for additional guidance.

For reference, you can find the urn:oid names for common attributes on the REFEDS eduPerson reference page.

For the REFEDS MFA context, your institution can assert that MFA is required for all users by sending a custom attribute named ‘cirrus.rule.authnContext’ with the value ‘https://refeds.org/profile/mfa’. Only send it if your Duo policy (see Step 5) actually requires MFA for every user of this application, since downstream service providers treat that AuthnContext as proof that MFA was performed.

Step 5 - Optional Settings

The Policy, Global Policy, and Settings sections may be filled out per your institution’s security and compliance policies. They affect the user experience when logging into Duo and are up to customers to implement as they see fit.

Step 6 - Save the Application

Scroll all the way to the bottom of the screen to find the ‘Save’ button and press it to save your application. 

Test the Integration

Once the default application is configured, test the integration using the test application provided by Cirrus Identity, which authenticates through your Cirrus Bridge.

Step 1 - Navigate to Your Cirrus Testing Endpoint URL 

The testing endpoint URL is unique to your Cirrus Bridge implementation and will be provided to you by Cirrus.

Example: https://athena-bridge.proxy.cirrusidentity.com/demo.php

Click on the link for ‘Test authenticating with your Cirrus proxy’.


Step 2 - Authenticate and Review

Sign in through Duo. You should be prompted for MFA if you have enabled it. After successfully authenticating, you should see a screen for your institution similar to the one shown for the Athena Institute below.

To validate the MFA requirement, click to view AuthData and look for an AuthnContext of ‘https://refeds.org/profile/mfa’.
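The following script is an added example, not Cirrus Identity's or Duo's code, that performs this check programmatically and also covers the Step 4 settings (NameID format, the R&S attribute mapping, the ePPN note, the Signature Algorithm choice) and the visibility caveat from ‘Add Encryption’ below. Given a decoded SAML Response, as shown in the AuthData view or captured with a browser SAML trace, it reports the NameID format, confirms the five R&S attributes arrived under their urn:oid names (distinguishing a friendlyName-only release), checks that eduPersonPrincipalName is scoped, flags a SHA-1 signature method, and confirms the AuthnContextClassRef is https://refeds.org/profile/mfa. The sample responses, the Athena Institute tenant and the user jdoe@athena.edu are constructed for the example; the Signature element is abbreviated to its SignatureMethod and is not cryptographically verified, and an encrypted assertion is reported rather than decrypted.

```python
# Added example (not Cirrus Identity or Duo code): audit a decoded SAML Response
# against the profile configured in Step 4. Sample data below is constructed.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# REFEDS R&S bundle as the mapping table names it (urn:oid -> friendlyName).
RS_ATTRIBUTES = {
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
}
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
REFEDS_MFA = "https://refeds.org/profile/mfa"
# SHA-1 signature methods: pick a SHA-256 option under Signature Algorithm instead.
WEAK_SIGNATURE_METHODS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
}


def audit_saml_response(xml_text: str) -> dict:
    """Return what the Duo application actually produced plus a list of findings."""
    root = ET.fromstring(xml_text)
    report = {"encrypted": False, "nameid_format": None, "authn_context": None,
              "attributes": {}, "signature_methods": [], "findings": []}
    findings = report["findings"]

    # Signature method(s) on the Response and/or the Assertion.
    for sig in root.iter(f"{{{NS['ds']}}}SignatureMethod"):
        alg = sig.get("Algorithm", "")
        report["signature_methods"].append(alg)
        if alg in WEAK_SIGNATURE_METHODS:
            findings.append(f"weak signature method {alg}")
    if not report["signature_methods"]:
        findings.append("neither Response nor Assertion is signed")

    # With 'Encrypt the SAML Assertion' enabled nothing below is visible in a
    # browser SAML trace, which is why Cirrus leaves encryption off at first.
    if root.find("saml:EncryptedAssertion", NS) is not None:
        report["encrypted"] = True
        findings.append("assertion is encrypted; decrypt with the Bridge key before auditing attributes")
        return report
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no Assertion in Response")
        return report

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    report["nameid_format"] = None if name_id is None else name_id.get("Format")

    ctx = assertion.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    report["authn_context"] = ctx.text.strip() if ctx is not None and ctx.text else None
    if report["authn_context"] != REFEDS_MFA:
        findings.append(f"AuthnContextClassRef is {report['authn_context']!r}, not {REFEDS_MFA}")

    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        report["attributes"][attr.get("Name")] = [
            v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    for oid, friendly in RS_ATTRIBUTES.items():
        if oid not in report["attributes"]:
            hint = " (sent by friendlyName only)" if friendly in report["attributes"] else ""
            findings.append(f"missing R&S attribute {friendly} ({oid}){hint}")

    # ePPN must be single-valued and scoped (user@scope), per the note under the table.
    eppn = report["attributes"].get(EPPN, [])
    if len(eppn) == 1:
        user, at, scope = eppn[0].partition("@")
        if not (user and at and scope):
            findings.append(f"eduPersonPrincipalName {eppn[0]!r} is not scoped")
    elif eppn:
        findings.append("eduPersonPrincipalName must be single-valued")
    return report


# Constructed sample for the fictional Athena Institute tenant (Signature abbreviated).
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion Version="2.0">
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_t1</saml:NameID></saml:Subject>
  <saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement>
   <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>jdoe@athena.edu</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><saml:AttributeValue>jdoe@athena.edu</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

# Same response with the mistakes this audit is meant to catch: SHA-1 signing,
# a password-only AuthnContext, mail sent by friendlyName, and an unscoped ePPN.
BAD_RESPONSE = (GOOD_RESPONSE
    .replace("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "http://www.w3.org/2000/09/xmldsig#rsa-sha1")
    .replace(REFEDS_MFA, "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")
    .replace('Name="urn:oid:0.9.2342.19200300.100.1.3"', 'Name="mail"')
    .replace(f'Name="{EPPN}"><saml:AttributeValue>jdoe@athena.edu', f'Name="{EPPN}"><saml:AttributeValue>jdoe'))
```

Run `audit_saml_response(GOOD_RESPONSE)["findings"]` to get an empty list and the same call on `BAD_RESPONSE` to get four findings. To use it on a real response, base64-decode the SAMLResponse form field from the browser trace and pass the resulting XML text; if the assertion is encrypted the script stops after reporting that, which is the trade-off the ‘Add Encryption’ section describes.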

Optional - Add Additional Applications

To add applications for other profiles, follow the same steps as in the ‘Configure SAML Application’ section of this document, using different values as required by the service provider. The key difference is the Entity ID. For the default application, the Entity ID is the Bridge's own entity ID, which signals to the Bridge that the default profile applies. For additional applications with unique profiles, enter the Entity ID (or entity category) of the downstream service provider instead. Note that the ACS URL and the Single Logout URL are the same for all applications that use the Cirrus Bridge.

The additional sections here outline how to change the different configuration items that may be needed for different authentication profiles.

Additional NameID Formats

In addition to the transient NameID format, which does not require a value, Duo also supports the persistent, emailAddress, and unspecified formats. These formats require you to select a value when configuring the application.

Cirrus also supports passthrough of additional valid Name ID formats as required. Your Technical Implementation Lead can provide more information on how to do that.

Alternate Signing Options

If you need to update the signing options, you can do that in the ‘SAML Response’ section.

Add Encryption

By default, Cirrus does not set up encryption at the start of an implementation because an encrypted assertion cannot be read in a browser SAML trace, which makes debugging harder. If you would like to add encryption once the integration is working, ask your Cirrus Technical Implementation Lead for the link to the encryption certificate for your Bridge and download the certificate. This is the Bridge's public encryption certificate; Duo uses it to encrypt the assertion so that only the Bridge, which holds the matching private key, can decrypt it.

Then edit your Duo SSO application, navigate to the ‘SAML Response’ section, check ‘Encrypt the SAML Assertion’, upload the certificate you downloaded from Cirrus, and Save.