Table of Contents
Cirrus Proxy SP Parameters for InCommon Registration
Contacts and User Interface Elements
Overview
The Cirrus Identity Provider Proxy is a solution to enable cross-organizational collaboration.
The Proxy serves as a central access point for multiple Identity Providers, allowing audiences to access Service Providers (SPs), thereby ensuring a unified user experience.
Many customers register their Cirrus Proxy SP in InCommon to establish trust and the sharing of metadata with InCommon Federated IdPs. This post summarizes the information you need to register an SP as a Research and Scholarship (R&S) entity in InCommon and provides some guidance on the process.
In addition, here are the instructions posted on the InCommon Federation Library Wiki about how to add a service provider: https://spaces.at.internet2.edu/display/federation/federation-manager-add-sp
Requirements
Site Administrator Access
See the following to get access to Federation Manager:
https://spaces.at.internet2.edu/display/federation/federation-manager-requirements
Cirrus Proxy SP Parameters for InCommon Registration
Once the Cirrus Proxy is provisioned, Cirrus will provide the following parameters to register your Cirrus Proxy as an SP in InCommon.
Entity ID
Entity IDs serve as a unique identifier in the Federation. Careful selection of an Entity ID is important as it cannot be easily changed once the Cirrus Identity Proxy has been provisioned.
It is also recommended that the Entity ID be rooted in the customer organization's DNS domain. This both simplifies registration with Federation Manager for InCommon and streamlines the application for Research and Scholarship Entity Category tagging if desired.
Although an Entity ID looks like a URL, it is not meant to resolve to an IP address. A general practice with some organizations is to “park” the fully qualified domain name (FQDN) of the Entity ID for record-keeping purposes.
• https://cirrus-someapp-proxy.example.edu/sp
Assertion Consumer Service Endpoint
The Proxy uses only the HTTP-POST binding endpoint: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
This binding is “used for sending SAML assertions between Identity Providers (IdPs) and Service Providers (SPs) during the authentication and single sign-on (SSO) process.”
• https://TENANT.proxy.cirrusidentity.com/saml2/idp/SSOService.php
Discovery Response Endpoints
The Discovery Response Endpoints redirect users to the appropriate service or login endpoint.
• https://TENANT.proxy.cirrusidentity.com/module.php/saml/sp/request-init.php/TENANT
• https://TENANT.proxy.cirrusidentity.com/module.php/saml/sp/discoresp.php
Cert
The location to download the SP public key.
• https://TENANT.proxy.cirrusidentity.com/module.php/saml/idp/certs.php/idp.crt
Contacts and User Interface Elements
Before registering, the Site Administrator should also have the following information available:
The name and email address of the following designated SP contacts:
• Technical contact – “A Technical Contact responds to technical inquiries and incidents such as troubleshooting software, systems, or networking issues. To ensure a timely response and continuity, a Technical Contact should point to a technical operations group rather than an individual.” (Required) ~ InCommon Wiki
• Administrative contact – “An Administrative Contact handles non-technical, business process-related matters. Fellow federation participants and end users contact individuals in this role to address non-technical issues such as attribute release policy, onboarding issues, privacy, assurance certification, and other business operation matters.” (Required) ~ InCommon Wiki
• Security contact – “A Security Contact is your service's security incident response team, or at least the intake point for security incident response. Fellow federation participants contact persons in this role to coordinate security incidents involving federated access.” (Required) ~ InCommon Wiki
• Support contact – “A Support Contact is the party responsible for end-user support for your service. A Support Contact typically points to the service's help desk. While optional, it is good practice to include your service's help desk in your metadata so that, where appropriate, parties interoperating with you can direct a user to the correct support desk.” (Recommended) ~ InCommon Wiki
The following user interface elements:
This list can also be found on InCommon’s Wiki: https://spaces.at.internet2.edu/display/federation/saml-metadata-mdui-elements
Setting | Required | Description
Display Name | Required | The display name for the SP.
Description | Highly Recommended | The description should be a short paragraph explaining the purpose of the service. This is user-facing.
Information URL | Required if the entity is a part of the REFEDS R&S category; strongly recommended otherwise. | Information URL points to a web page where you may further elaborate details about your service or organization. Information URL is required if your service is a part of the REFEDS Research & Scholarship entity category.
Privacy URL | Required | A link to a privacy policy that covers the identities asserted by your Azure AD instance.
Logo | Required | Logo URL points to the web location of a logo for the service/organization. The logo must be hosted on the organization's website and directly available from a URL (InCommon does not support redirection). This logo is displayed wherever your Display Name may be displayed to help the user quickly identify your service. Cirrus Identity does not support hosting a logo.
Registering the SP
After logging into the Federation Manager, you should see a button to add a New Service Provider.
This will start a wizard asking you for the values needed to register the Service Provider. Many of these values are required as set by InCommon Baseline Requirements. See https://spaces.at.internet2.edu/display/federation/federation-manager-add-sp for the details of registering a new SP with the Federation Manager.
Entity ID
The wizard will start by asking for the Entity ID. Enter the Entity ID exactly as provided by Cirrus Identity. Once entered, the Entity ID cannot be changed. If the Entity ID is entered incorrectly, you must delete the registration and start over. See https://spaces.at.internet2.edu/display/federation/saml-metadata-entityid for details.
Contacts
The wizard will ask for the following contact information:
• Administrative
• Technical
• Security
• Support
See https://spaces.at.internet2.edu/display/federation/saml-metadata-contacts for details.
User Interface Elements
The wizard will ask for some user interface elements for the organization. See https://spaces.at.internet2.edu/display/federation/saml-metadata-mdui-elements for details.
SP SSO Settings
The wizard will then ask for the following SP SSO settings:
• Assertion Consumer Endpoint – Enter the value provided by Cirrus.
• Discovery Response Endpoint – Enter the values provided by Cirrus.
• Requested Attributes – Cirrus Identity recommends not specifying Requested Attributes. While that capability may be useful for some organizations, Cirrus Identity customers generally have better success without it.
• Single Logout Service Endpoints – Leave blank.
Signing and Encryption Keys
“An SP metadata must contain at least one encryption key. If you only have one encryption key, you cannot delete that key (or uncheck "this key is used for encryption") until you have uploaded another.” ~InCommon Wiki
For details, see https://spaces.at.internet2.edu/display/federation/saml-metadata-cryptographic-keys.
The wizard will ask for the certificate to be used for the SAML protocol. Upload the one provided by Cirrus Identity.
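The parameters listed under Cirrus Proxy SP Parameters above (Entity ID, HTTP-POST ACS endpoint, Discovery Response endpoints, certificate) and the encryption-key rule quoted in this section can be sanity-checked against a draft of the SP metadata before the wizard is filled in. The following is an added example, not Cirrus Identity or InCommon code: the tenant name, the certificate text and the helper names are constructed placeholders, and the SPSSODescriptor it assembles is a minimal illustration rather than the proxy's published metadata.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "idpdisc": "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
DISCO = NS["idpdisc"]
PROXY = "https://%s.proxy.cirrusidentity.com/"

def build_sp_metadata(tenant, entity_id, cert_b64):
    """Assemble a minimal SPSSODescriptor from the values Cirrus supplies;
    cert_b64 stands in for the base64 body of the idp.crt download (constructed)."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)
    md, ds = "{%s}" % NS["md"], "{%s}" % NS["ds"]
    ed = ET.Element(md + "EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(ed, md + "SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    # Discovery Response endpoints: the two URLs listed above with TENANT filled in
    ext = ET.SubElement(sp, md + "Extensions")
    for i, path in enumerate(["request-init.php/" + tenant, "discoresp.php"]):
        ET.SubElement(ext, "{%s}DiscoveryResponse" % DISCO, Binding=DISCO, index=str(i),
                      Location=PROXY % tenant + "module.php/saml/sp/" + path)
    # One certificate usable for encryption (InCommon requires at least one)
    kd = ET.SubElement(sp, md + "KeyDescriptor", use="encryption")
    x509 = ET.SubElement(ET.SubElement(kd, ds + "KeyInfo"), ds + "X509Data")
    ET.SubElement(x509, ds + "X509Certificate").text = cert_b64
    # Assertion Consumer Service: HTTP-POST binding only
    ET.SubElement(sp, md + "AssertionConsumerService", Binding=HTTP_POST, index="0",
                  Location=PROXY % tenant + "saml2/idp/SSOService.php")
    return ET.tostring(ed, encoding="unicode")

def check_sp_metadata(xml_text, org_domain):
    """Return the problems to fix before submitting the registration."""
    ed, issues = ET.fromstring(xml_text), []
    eid = ed.get("entityID", "")
    host = eid.split("/")[2] if eid.startswith("https://") else ""
    if not (host == org_domain or host.endswith("." + org_domain)):
        issues.append("Entity ID should be an https URL rooted in the organization domain")
    sp = ed.find("md:SPSSODescriptor", NS)
    acs = sp.findall("md:AssertionConsumerService", NS)
    if not acs or any(a.get("Binding") != HTTP_POST for a in acs):
        issues.append("ACS endpoint must use the HTTP-POST binding")
    if not sp.findall("md:Extensions/idpdisc:DiscoveryResponse", NS):
        issues.append("no Discovery Response endpoint")
    # A KeyDescriptor with no use attribute serves both signing and encryption
    keys = sp.findall("md:KeyDescriptor", NS)
    if not [k for k in keys if k.get("use", "encryption") != "signing"]:
        issues.append("metadata must contain at least one encryption key")
    return issues
```

Run it against the metadata file you intend to upload, with your organization's DNS domain, and resolve every reported issue before submitting.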
Entity Attributes
• SIRTFI Compliance – This is required to register the SP. See https://spaces.at.internet2.edu/display/federation/Declare+Sirtfi+compliance for details.
• Research and Scholarship - Service Providers need to apply if they would like to be tagged as a Research and Scholarship entity. “Joining the Research and Scholarship entity category streamlines access to your research resource by eliminating one-off, manual, and labor-intensive attribute release negotiations.” ~ InCommon Wiki
Here is the InCommon Research and Scholarship Application
Media Export Options
• Exporting Service Provider Metadata to eduGAIN – Cirrus recommends checking this box. See https://spaces.at.internet2.edu/display/federation/saml-metadata-export-options for details.
Review and Submit
Once all data has been entered, review and submit the registration to InCommon. Depending on the time of day the submission takes place, InCommon will publish the metadata within 24 to 72 business hours. It can take an additional 24 to 48 hours for the metadata to propagate to service providers reliant on the global eduGAIN metadata service.
Visit Understanding entity status in Federation Manager for additional information on the possible entity statuses in Federation Manager. ~ InCommon Wiki