Setting up the Cirrus CAS Bridge Rev 2.0 Table of Contents Overview Allow Cirrus Bridge API Access...
Table of Contents
Step 1 - Console Login and Navigation to Identity Providers
Step 2 - Navigation to CAS Services
Step 3 - Save a copy of your existing CAS Service URLs
Step 4 - Add, update, remove CAS Service URLs
Step 5 - Update needed configuration in Entra ID or Okta
Step 6 - Test your URLs (optional)
Step 7 - Test login for each service provider
Overview
The CAS Services page allows customers to manage their own allowed CAS service urls. Service url patterns may be entered directly as a url or as a regular expression. Regular expressions are preferred for organizations with many CAS service urls because they allow you to map many service urls to a single pattern.
Additionally, the conditional access features allow you to customize the login requirements and attribute release settings for different service providers. The mechanism Cirrus uses for this is a suffix added to the CAS Bridge entity id, which informs the bridge of which application in Entra ID or Okta to redirect to. The configuration to do this involves mapping specific CAS service url patterns to suffixes which are appended to the default entity id for the CAS Bridge.
Please use caution when modifying these patterns. Mistakes when editing or reordering service URL patterns are immediately applied to your Bridge and can be disruptive. We recommend that you save a copy of your CAS service urls before making any changes.
Step 1 - Console Login and Navigation to Identity Providers
Login to the Cirrus Console by clicking the “Cirrus Console” button from the Cirrus Identity website top navigation bar. Once logged in, select your organization from the list under “My Organizations”.
Select “Identity Providers” from the left navigation bar, and then your identity provider from the list of Bridges on the right.
Step 2 - Navigation to CAS Services
Currently, there are two pathways to reach the CAS services screen depending on when your CAS Bridge was provisioned.
Classic Navigation
If your CAS bridge was provisioned before August 2024, please click on “CAS Services” in the left navigation bar to reach the CAS Services screen.
Updated Navigation
If your CAS bridge was provisioned after August 2024, you will come to a screen that first provides the summary of your CAS Bridge.
Scroll down to the bottom of the page until you reach the “CAS Config” section. Then select the “Manage CAS ServiceURLs” link.
Step 3 - Save a copy of your existing CAS Service URLs
If you have existing CAS service urls, we recommend that you export a copy of the configuration before making any changes. Any mistakes when editing or reordering service URL patterns are immediately applied to your Bridge and can be disruptive.
Step 4 - Add, update, remove CAS Service URLs
Use the CAS Services screen to add, remove, and update CAS urls. Each login profile and set of attributes will have its own suffix. There is no suffix for the default.
Step 5 - Update needed configuration in Entra ID or Okta
Ensure that you have created an application in Entra ID or Okta for each suffix you entered in the CAS Service URLs screen. This is how the CAS Bridge knows which enterprise application to send the user to in order get the correct settings and attributes. An example of the mapping is shown below.
|
CAS Service URL Pattern (Regular Expression) |
Suffix |
Entra ID/Okta Application |
Entity ID for Entra ID/Okta App |
|
https?://apps\.campus\.edu/.* |
(none) |
Cirrus CAS Bridge - Default |
https://auth.campus.edu/cas-bridge |
|
https?://localhost(:.+)?.* |
(none) |
Cirrus CAS Bridge - Default |
https://auth.campus.edu/cas-bridge |
|
https?://campus\.eab\.com/.* |
/banner |
Cirrus CAS Bridge - Banner |
https://auth.campus.edu/cas-bridge/banner |
|
https?://(banner|orientation)(-test)?\.campus\.edu/.* |
/banner |
Cirrus CAS Bridge - Banner |
https://auth.campus.edu/cas-bridge/banner |
|
https?://payment\.campus\.edu/.* |
/payment |
Cirrus CAS Bridge - Payment |
https://auth.campus.edu/cas-bridge/payment |
Step 6 - Test your URLs (optional)
Cirrus provides a debug endpoint that you can use to verify that your CAS service urls are accepted and that the correct attributes are released. You can test each of your service urls with this process.
Start with the base url for your Bridge and add the serviceURL and debugMode parameters, i.e. https://campus-cas-bridge.proxy.cirrusidentity.com/cas/login?service=<<serviceURL>>&debugMode=true
Then go to a tool like https://www.urlencoder.org/ to encode the service url and replace <<serviceURL>> with the encoded url. For example, if the service url is https://apps.campus.edu, then your test url will be:
https://campus-cas-bridge.proxy.cirrusidentity.com/cas/login?service=https%3A%2F%2Fapps.campus.edu&debugMode=true
Go to the url to validate that you are redirected to your Entra ID or Okta login screen and then the debug screen. On the debug screen, verify that the attributes are correct for the profile configured for the suffix for the Bridge you are testing.
Step 7 - Test login for each service provider
Once your CAS service urls have been configured in the Cirrus console, you can now configure and test your service providers using the CAS urls provided by your Cirrus Technical Implementation Lead.
Common Issues
There are some common issues that often come up with CAS Service URLs. These are the ones we know about so please review the list if you have a problem. If you run into any issues not on this list, you can reach us at our support email.
© Copyright Cirrus Identity, Inc.
Blog comments