Posted by Cirrus Learning Center Team on Jun 25, 2024 3:10:32 PM
Table of Contents 

Overview

Requirements 

Site Administrator Access

Cirrus Proxy SP Parameters for InCommon Registration

Contacts and User Interface Elements

Registering the SP

Entity ID

Contacts

User Interface Elements

SP SSO Settings

Signing and Encryption Keys

Entity Attributes

Media Export Options

Review and Submit

Overview

The Cirrus Identity Provider Proxy is a solution to enable cross-organizational collaboration. 

The Proxy serves as a central access point for multiple Identity Providers, allowing audiences to access Service Providers (SPs), thereby ensuring a unified user experience. 

Many customers register their Cirrus Proxy SP in InCommon to establish trust and exchange metadata with InCommon-federated IdPs. This post summarizes the information you need to register an SP as a Research and Scholarship (R&S) entity in InCommon and provides some guidance on the process. 

In addition, here are the instructions posted on the InCommon Federation Library Wiki about how to add a service provider: https://spaces.at.internet2.edu/display/federation/federation-manager-add-sp

Requirements

Site Administrator Access

See the following to get access to Federation Manager:

https://spaces.at.internet2.edu/display/federation/federation-manager-requirements

Cirrus Proxy SP Parameters for InCommon Registration

Once the Cirrus Proxy is provisioned, Cirrus will provide the following parameters to register your Cirrus Proxy as an SP in InCommon. 

Entity ID

An Entity ID is the unique identifier of an entity in the Federation. Careful selection of an Entity ID is important, as it cannot be easily changed once the Cirrus Identity Proxy has been provisioned. 

It is also recommended that the Entity ID be rooted in the customer organization's DNS domain. This both simplifies registration with Federation Manager for InCommon and streamlines the application for Research and Scholarship Entity Category tagging, if desired. 

Although an Entity ID looks like a URL, it is not meant to resolve to an IP address. A common practice at some organizations is to “park” the fully qualified domain name (FQDN) of the Entity ID for record-keeping purposes. 

https://cirrus-someapp-proxy.example.edu/sp

Assertion Consumer Service Endpoint

The Proxy uses only the HTTP-POST binding for its Assertion Consumer Service endpoint: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 

This binding is “used for sending SAML assertions between Identity Providers (IdPs) and Service Providers (SPs) during the authentication and single sign-on (SSO) process.”

https://TENANT.proxy.cirrusidentity.com/saml2/idp/SSOService.php

Discovery Response Endpoints

The Discovery Response Endpoints redirect users to the appropriate service or login endpoint.

• https://TENANT.proxy.cirrusidentity.com/module.php/saml/sp/request-init.php/TENANT

• https://TENANT.proxy.cirrusidentity.com/module.php/saml/sp/discoresp.php

Cert

The location to download the SP public key certificate:

• https://TENANT.proxy.cirrusidentity.com/module.php/saml/idp/certs.php/idp.crt

Contacts and User Interface Elements

Before registering, the Site Administrator should also have the following information available:

The name and email address of the following designated SP contacts: 

• Technical contact – “A Technical Contact responds to technical inquiries and incidents such as troubleshooting software, systems, or networking issues. To ensure a timely response and continuity, a Technical Contact should point to a technical operations group rather than an individual.” (Required) ~ InCommon Wiki

• Administrative contact – “An Administrative Contact handles non-technical, business process-related matters. Fellow federation participants and end users contact individuals in this role to address non-technical issues such as attribute release policy, onboarding issues, privacy, assurance certification, and other business operation matters.” (Required) ~ InCommon Wiki

• Security contact – “A Security Contact is your service's security incident response team, or at least the intake point for security incident response. Fellow federation participants contact persons in this role to coordinate security incidents involving federated access.” (Required) ~ InCommon Wiki

• Support contact – “A Support Contact is the party responsible for end-user support for your service. A Support Contact typically points to the service's help desk. While optional, it is good practice to include your service's help desk in your metadata so that, where appropriate, parties interoperating with you can direct a user to the correct support desk.” (Recommended) ~ InCommon Wiki

The following user interface elements (this list can also be found on InCommon’s Wiki: https://spaces.at.internet2.edu/display/federation/saml-metadata-mdui-elements):

• Display Name (Required) – The display name for the SP. 

• Description (Highly Recommended) – A short paragraph explaining the purpose of the service. This is user-facing. 

• Information URL (Required if the entity is part of the REFEDS R&S category; strongly recommended otherwise) – Points to a web page where you may further elaborate details about your service or organization.

• Privacy URL (Required) – A link to a privacy policy that covers the identities asserted by your Azure AD instance. 

• Logo (Required) – Logo URL points to the web location of a logo for the service/organization. The logo must be hosted on the organization's website and directly available from a URL (InCommon does not support redirection). This logo is displayed wherever your Display Name may be displayed, to help the user quickly identify your service. Cirrus Identity does not support hosting a logo.

Registering the SP

After logging into the Federation Manager, you should see a button to add a New Service Provider.

This will start a wizard asking you for the values needed to register the Service Provider. Many of these values are required as set by InCommon Baseline Requirements. See https://spaces.at.internet2.edu/display/federation/federation-manager-add-sp for the details of registering a new SP with the Federation Manager. 

Entity ID

The wizard will start by asking for the Entity ID. Enter the Entity ID exactly as provided by Cirrus Identity. Once entered, the Entity ID cannot be changed. If the Entity ID is entered incorrectly, you must delete the registration and start over. See https://spaces.at.internet2.edu/display/federation/saml-metadata-entityid for details.

Contacts

The wizard will ask for the following contact information:

• Administrative

• Technical

• Security

• Support

See https://spaces.at.internet2.edu/display/federation/saml-metadata-contacts for details.

User Interface Elements

The wizard will ask for some user interface elements for the organization. See https://spaces.at.internet2.edu/display/federation/saml-metadata-mdui-elements for details.

SP SSO Settings

The wizard will then ask for the SP's SSO settings:

Assertion Consumer Endpoint - Enter the value provided by Cirrus.

Discovery Response Endpoint - Enter the values provided by Cirrus.

Requested Attributes - Cirrus Identity recommends not specifying Requested Attributes. While that capability may be useful for some organizations, Cirrus Identity customers generally have better success without it.

Single Logout Service Endpoints - Leave blank.

Signing and Encryption Keys

“An SP's metadata must contain at least one encryption key. If you only have one encryption key, you cannot delete that key (or uncheck "this key is used for encryption") until you have uploaded another.” ~ InCommon Wiki

For details, see https://spaces.at.internet2.edu/display/federation/saml-metadata-cryptographic-keys.

The wizard will ask for the certificate to be used for the SAML protocol. Upload the one provided by Cirrus Identity. 

Entity Attributes

• SIRTFI Compliance – This is required to register the SP. See https://spaces.at.internet2.edu/display/federation/Declare+Sirtfi+compliance for details.

• Research and Scholarship – Service Providers need to apply if they would like to be tagged as a Research and Scholarship entity. “Joining the Research and Scholarship entity category streamlines access to your research resource by eliminating one-off, manual, and labor-intensive attribute release negotiations.” ~ InCommon Wiki

Here is the InCommon Research and Scholarship Application.

Media Export Options

• Exporting Service Provider Metadata to eduGAIN – Cirrus recommends checking this box. See https://spaces.at.internet2.edu/display/federation/saml-metadata-export-options for details.

Review and Submit

Once all data has been entered, review and submit the registration to InCommon. Depending on the time of day the submission takes place, InCommon will publish the metadata within 24 to 72 business hours. It can take an additional 24 to 48 hours for the metadata to propagate to service providers reliant on the global eduGAIN metadata service. 
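Before submitting (or once InCommon has published the entity), the items this post walks through can be checked mechanically against the SP's metadata. The Python below is an added example, not Cirrus Identity's or InCommon's code; the EntityDescriptor it checks is a constructed, abbreviated sample in which TENANT and example.edu are placeholders, and a real check would run against the metadata InCommon publishes for your entity.

```python
# Added example (not Cirrus Identity's or InCommon's code): self-check of an SP EntityDescriptor
# against the registration items above; SAMPLE is a constructed, abbreviated metadata document.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SECURITY_ATTR = "{http://refeds.org/metadata}contactType"          # REFEDS security-contact marker
SECURITY_CT = "http://refeds.org/metadata/contactType/security"
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:remd="http://refeds.org/metadata"
 entityID="https://cirrus-someapp-proxy.example.edu/sp">
 <md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
  <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue></saml:Attribute></mdattr:EntityAttributes></md:Extensions>
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:Extensions><mdui:UIInfo><mdui:DisplayName xml:lang="en">Someapp Proxy</mdui:DisplayName>
   <mdui:PrivacyStatementURL xml:lang="en">https://example.edu/privacy</mdui:PrivacyStatementURL>
   <mdui:Logo height="60" width="80">https://example.edu/logo.png</mdui:Logo></mdui:UIInfo></md:Extensions>
  <md:KeyDescriptor use="signing"/>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://TENANT.proxy.cirrusidentity.com/saml2/idp/SSOService.php" index="0"/></md:SPSSODescriptor>
 <md:ContactPerson contactType="technical"><md:EmailAddress>mailto:idm-ops@example.edu</md:EmailAddress></md:ContactPerson>
 <md:ContactPerson contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
  <md:EmailAddress>mailto:security@example.edu</md:EmailAddress></md:ContactPerson></md:EntityDescriptor>"""

def check_sp_metadata(xml_text, org_domain):
    # Returns a list of findings; an empty list means every check passed.
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    findings = []
    if not (urlparse(root.get("entityID", "")).hostname or "").endswith(org_domain):
        findings.append("entityID is not rooted in " + org_domain)
    for acs in sp.findall("md:AssertionConsumerService", NS):   # the Proxy uses only HTTP-POST
        if acs.get("Binding") != HTTP_POST:
            findings.append("non-POST AssertionConsumerService: " + acs.get("Location", "?"))
    if not any(k.get("use") in (None, "encryption") for k in sp.findall("md:KeyDescriptor", NS)):
        findings.append("no encryption key (InCommon requires at least one)")
    contacts = {c.get(SECURITY_ATTR, c.get("contactType")) for c in root.findall("md:ContactPerson", NS)}
    for ct in ("technical", "administrative", SECURITY_CT):   # the three required contact types
        if ct not in contacts:
            findings.append("missing %s contact" % ct.rsplit("/", 1)[-1])
    ui = sp.find("md:Extensions/mdui:UIInfo", NS)
    for elem in ("DisplayName", "PrivacyStatementURL", "Logo"):   # required MDUI elements
        if ui is None or ui.find("mdui:" + elem, NS) is None:
            findings.append("missing mdui:" + elem)
    values = [v.text for v in root.findall(".//mdattr:EntityAttributes/saml:Attribute/saml:AttributeValue", NS)]
    if "https://refeds.org/sirtfi" not in values:
        findings.append("Sirtfi compliance not asserted")
    return findings
```

Run against the sample, the check reports the two gaps deliberately left in it (no encryption key and no administrative contact), which are exactly the kind of omissions that block or delay publication.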

Visit Understanding entity status in Federation Manager for additional information on the possible entity statuses in Federation Manager. ~ InCommon Wiki