Posted by Cirrus Learning Center Team on Mar 4, 2024 10:18:57 AM

Cirrus customers who implement a Cirrus Bridge using the DNS Add-on can test authentication to Service Providers (SPs) via the Cirrus Bridge before going live, without disrupting their production environment. This document provides more information about the DNS Add-on and how to test your Cirrus SAML Bridge.

About the DNS Add-On

The DNS Add-On for the Cirrus Bridge supports migrating authentications from an existing SAML or CAS deployment (such as Shibboleth, simpleSAMLphp, Apereo CAS, Ping, Gluu, Fischer, NetIQ, or Ellucian EIS/Ethos) to the Cirrus Bridge without changes to the configured Service Providers, including all federated SPs. It does this by pointing your existing SAML or CAS FQDN at the Cirrus Bridge in DNS, so SPs keep using the hostname and endpoints already in their configuration. For that to be transparent, the Bridge has to answer at the same entity ID and endpoint paths and sign with a certificate the SPs already trust, since SPs validate assertions against the IdP metadata they hold. This enables faster and lower effort transitions to the Cirrus Bridge by eliminating the need for application administrators to change Service Provider configuration.

Testing with the DNS Add-On for SAML Bridge 

Deployments of the Cirrus Bridge for customers with existing SSO involve a certain amount of testing. This ensures the attribute release and other aspects of SSO have been properly migrated from the existing deployment to the Cirrus Bridge deployment. This testing has to occur in a way that doesn’t disrupt the existing production SSO deployment.

For SSO protocols like SAML Web Browser SSO, where the requests and responses between the SP and the SSO server travel only through the end user's web browser (the front channel), testing with the DNS Add-On works very effectively: the tester's workstation is locally modified so that the existing SSO FQDN resolves to the IP address of the Cirrus Bridge instead of the existing SSO server. Only that workstation is redirected; every other user, and the SP servers themselves, continue to resolve the production address. Two caveats follow. First, the Bridge must present a TLS certificate valid for the existing FQDN, so a browser certificate warning during a test means the request is not reaching a Bridge endpoint configured for that name and should be investigated rather than clicked through. Second, protocols with a back channel from the SP server to the SSO server (CAS ticket validation, or SAML artifact resolution, for example) are not redirected by a change on the tester's workstation, because the SP server still resolves the production address.

This leaves the production SSO server undisturbed while testers authenticate to applications via the Cirrus Bridge.

Most users do this by adding a line to their hosts file, in the form "<Bridge IP address>  <existing SSO FQDN>". Typically the hosts file is found on Unix/Linux at /etc/hosts and at C:\Windows\System32\drivers\etc\hosts on Windows; editing it requires administrator rights. After saving the change, restart the browser (or flush the OS DNS cache, for example with ipconfig /flushdns on Windows) so the new mapping is picked up, and remove the line when testing is finished so the workstation returns to production. The Cirrus implementations team will provide the information for your hosts file.
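As an added example (not Cirrus code or part of the original post), here is a small Python helper for managing that hosts-file line safely. It tags the override so it can be found and removed later, refuses to append when an untagged entry for the FQDN already exists (the first matching line wins in a hosts file, so the appended override would never take effect), and works on the file's text so you can rehearse against a scratch copy first. The hostname login.example.edu and the addresses are placeholders; use the values the Cirrus implementations team gives you.

```python
"""Helpers for the temporary hosts-file override used to test the Cirrus Bridge.

Added example, not Cirrus code. The hostname and addresses are placeholders
(assumptions); the Cirrus implementations team supplies the real entry. The edit
functions take and return the file's text, so you can rehearse against a scratch
copy before touching the real file, which needs administrator rights.
"""
import platform
import socket
from pathlib import Path

MARKER = "# cirrus-bridge-test"   # tag so the test line can be found and removed later


def default_hosts_path() -> Path:
    """Location of the hosts file on the tester's workstation."""
    if platform.system() == "Windows":
        return Path(r"C:\Windows\System32\drivers\etc\hosts")
    return Path("/etc/hosts")


def _parse(line: str):
    """(ip, lowercase names) for a mapping line; None for blank or comment-only lines."""
    fields = line.split("#", 1)[0].split()
    return (fields[0], [n.lower() for n in fields[1:]]) if len(fields) >= 2 else None


def _is_override(line: str, fqdn: str) -> bool:
    """True for a line this tool added for FQDN (tagged with MARKER)."""
    entry = _parse(line)
    return MARKER in line and entry is not None and fqdn.lower() in entry[1]


def resolved_ip(text: str, fqdn: str):
    """Address the hosts file maps FQDN to, or None. Resolvers use the first match."""
    for line in text.splitlines():
        entry = _parse(line)
        if entry is not None and fqdn.lower() in entry[1]:
            return entry[0]
    return None


def remove_override(text: str, fqdn: str) -> str:
    """Drop only the tagged override line(s) for FQDN; all other lines are kept."""
    kept = [line for line in text.splitlines() if not _is_override(line, fqdn)]
    return "".join(line + "\n" for line in kept)


def add_override(text: str, fqdn: str, bridge_ip: str) -> str:
    """Replace any earlier tagged override for FQDN with a fresh one.

    An untagged entry for FQDN earlier in the file would win (first match), so
    refuse in that case rather than append a line that never takes effect.
    """
    text = remove_override(text, fqdn)
    clash = resolved_ip(text, fqdn)
    if clash is not None:
        raise ValueError(f"{fqdn} is already mapped to {clash} by an untagged entry")
    return text + f"{bridge_ip}\t{fqdn}\t{MARKER}\n"


def update_hosts_file(path: Path, edit, *args) -> None:
    """Read-modify-write, e.g. update_hosts_file(path, add_override, fqdn, ip)."""
    path.write_text(edit(path.read_text(), *args))


def os_resolves_to(fqdn: str):
    """What the OS resolver currently returns for FQDN, or None if it does not resolve.
    After editing, this should equal the Bridge IP; browsers may still need a restart."""
    try:
        return socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None


if __name__ == "__main__":
    # Rehearsal against a scratch copy; switch to default_hosts_path() for the real test.
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        scratch = Path(tmp) / "hosts"
        scratch.write_text("127.0.0.1\tlocalhost\n")
        update_hosts_file(scratch, add_override, "login.example.edu", "203.0.113.10")
        print(scratch.read_text(), end="")
        update_hosts_file(scratch, remove_override, "login.example.edu")
```

Once the real file is edited, os_resolves_to() confirms the operating system hands out the Bridge address; the browser is what actually matters, so restart it before testing. For a single non-browser check that the Bridge answers at the existing name, curl's --resolve option (for example curl --resolve login.example.edu:443:203.0.113.10 https://login.example.edu/) performs the same redirection for one request without editing the hosts file.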

Testing Strategy

Testing every SP may not be feasible for customers with many Service Providers to test. In this case, Cirrus Identity recommends identifying the most critical SPs and prioritizing testing those. Thinking about testing at the beginning of the project is prudent because it may take some time to communicate with the testing stakeholders and organize the time to test.

Troubleshooting 

To troubleshoot a test authentication that has gone awry, run a SAML trace in the browser while authenticating to the SP you are testing via the Cirrus SAML Bridge (with the hosts-file override in place). Then run a second SAML trace while authenticating to the same SP via the existing production SSO server (your Shibboleth IdP, for example) with the override removed, so the two captures can be compared. Use the same SP and, ideally, the same test account for both; differences in the attributes released, the NameID format, or the issuer and destination values are the usual culprits. Keep in mind that the trace records the full assertion and the cookies sent with each request, so prefer a test account over a real user's.

Cirrus will need these JSON SAML trace files to assist you and see what is happening behind the scenes. Here is a Cirrus blog post about how to perform a SAML trace: https://blog.cirrusidentity.com/how-to-perform-a-saml-trace.
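The comparison step above, as an added example that is not Cirrus code or part of the original post: a Python script that summarizes two SAML Responses, one captured via the Bridge and one via the existing IdP, and lists what differs. The two responses are constructed placeholders with invented entity IDs, endpoints and attribute values; in practice you paste the SAMLResponse value from each trace (the decoded XML the trace tool displays, or the base64 form field) into compare().

```python
"""Compare the SAML Response captured via the Cirrus Bridge with the one from the
existing IdP to spot what changed in the migration. Added example, not Cirrus code.
The two responses below are constructed stand-ins for the decoded XML a SAML trace
shows; entity IDs, endpoints and attribute values are placeholders. In real use,
paste the SAMLResponse value from each trace into compare()."""
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def decode_saml_message(value: str) -> str:
    """Accept plain XML, a base64 POST-binding value, or base64 + raw DEFLATE
    (Redirect binding) and return the XML text."""
    value = value.strip()
    if value.startswith("<"):
        return value
    raw = base64.b64decode(value)
    if raw.lstrip().startswith(b"<"):
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")   # -15 = raw DEFLATE stream


def as_post_binding(xml_text: str) -> str:
    """Encode XML the way the SAMLResponse form field carries it (base64)."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def summarize(xml_text: str) -> dict:
    """Extract the fields that most often differ after an IdP migration."""
    root = ET.fromstring(xml_text)
    def text(node, path):
        el = node.find(path, NS)
        return el.text.strip() if el is not None and el.text else None
    def attr(node, path, name):
        el = node.find(path, NS)
        return el.get(name) if el is not None else None
    assertion = root.find("saml:Assertion", NS)
    attributes = {}
    if assertion is not None:
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            attributes[a.get("Name")] = sorted(
                (v.text or "").strip() for v in a.findall("saml:AttributeValue", NS))
    return {
        "status": attr(root, "samlp:Status/samlp:StatusCode", "Value"),
        "destination": root.get("Destination"),
        "issuer": text(root, "saml:Issuer"),
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None and assertion.find("ds:Signature", NS) is not None,
        "nameid_format": attr(assertion, "saml:Subject/saml:NameID", "Format") if assertion is not None else None,
        "audience": text(assertion, "saml:Conditions/saml:AudienceRestriction/saml:Audience") if assertion is not None else None,
        "attributes": attributes,
    }


def compare(legacy_xml: str, bridge_xml: str) -> list:
    """Differences between the legacy and Bridge responses. Attribute values are
    reported as counts, not contents, so the output can go into a ticket."""
    a, b = summarize(decode_saml_message(legacy_xml)), summarize(decode_saml_message(bridge_xml))
    diffs = [f"{k}: legacy={a[k]!r} bridge={b[k]!r}"
             for k in ("status", "destination", "issuer", "response_signed",
                       "assertion_signed", "nameid_format", "audience") if a[k] != b[k]]
    for name in sorted(set(a["attributes"]) | set(b["attributes"])):
        la, lb = a["attributes"].get(name), b["attributes"].get(name)
        if la is None:
            diffs.append(f"attribute {name}: released only by bridge")
        elif lb is None:
            diffs.append(f"attribute {name}: missing from bridge")
        elif la != lb:
            diffs.append(f"attribute {name}: values differ ({len(la)} vs {len(lb)} values)")
    return diffs


def _sample_response(nameid_format: str, attributes: dict) -> str:
    """Constructed SAML Response for the demo, not a real capture; the ds:Signature
    is a placeholder and will not verify."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}">'
        + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in vs)
        + "</saml:Attribute>" for n, vs in attributes.items())
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_r1" Version="2.0" IssueInstant="2024-03-04T10:18:57Z" Destination="https://sp.example.org/Shibboleth.sso/SAML2/POST">
  <saml:Issuer>https://login.example.edu/idp/shibboleth</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-03-04T10:18:57Z">
    <saml:Issuer>https://login.example.edu/idp/shibboleth</saml:Issuer>
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="{nameid_format}">_n1</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://sp.example.org/shibboleth</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"          # eduPersonPrincipalName
MAIL = "urn:oid:0.9.2342.19200300.100.1.3"         # mail
AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"   # eduPersonScopedAffiliation
LEGACY_RESPONSE = _sample_response("urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    {EPPN: ["jdoe@example.edu"], MAIL: ["jdoe@example.edu"],
     AFFILIATION: ["member@example.edu", "staff@example.edu"]})
BRIDGE_RESPONSE = _sample_response("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    {EPPN: ["jdoe@example.edu"], AFFILIATION: ["member@example.edu"]})
```

Run compare(LEGACY_RESPONSE, BRIDGE_RESPONSE) and the constructed pair reports a changed NameID format, a mail attribute the Bridge did not release, and a scoped affiliation with fewer values; a differing issuer or destination would point at an entity ID or endpoint mismatch that SPs will reject outright. The XML parser here is the standard library's, which is fine for traces you captured yourself; do not feed it responses from untrusted sources.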

If you have further troubleshooting questions, contact Cirrus Support at support@cirrusidentity.com.