California State University, Monterey Bay
Students, Faculty & Staff Access to InCommon & CAS Services with Okta
Single Sign-On
InCommon / eduGAIN
Summary
The Cirrus Bridge allowed CSUMB to quickly connect Okta to both InCommon and CAS authenticated services to provide easy access to all campus users.
Business Challenge
The California State University, Monterey Bay (CSUMB) implemented Okta to streamline integration of cloud services. A full migration to Okta was hampered by two gaps: 1) Okta’s Identity Provider cannot readily integrate with Service Providers registered in the InCommon trust federation, and 2) critical CSUMB enterprise applications require the CAS authentication protocol, which Okta does not support. CSUMB needed a solution that would give users access to InCommon services while also supporting local applications that use CAS authentication. One of the applications that uses CAS is the course management system, which sees large numbers of daily users.
Okta’s SAML support is based on bilateral connections between Okta’s identity store and each service provider. This architectural design makes Okta incompatible with mesh federations like InCommon.
With the deployment of Okta and the Cirrus Bridge, CSUMB wanted to decommission their local Shibboleth deployment and retire a CAS shim that was used to support Single Sign-on to a few critical enterprise applications.
Project Goals
Maintain access to InCommon services for campus users.
Partner with IAM professionals so the small IT team could focus on other priorities.
Expedite the implementation of Okta by eliminating technical gaps.
Retire Shibboleth and the CAS shim to reduce technical expense and support needs.
How Cirrus Helped
The Bridge from Cirrus Identity addresses both Okta limitations: it provides the mesh-style federation that InCommon requires and the CAS-to-SAML protocol translation that key applications require.
The Bridge securely consumes InCommon metadata, and supports the registration of a single SAML Identity Provider endpoint for participation in the federation.
The Cirrus Bridge functions as an application within Okta. Cirrus provides step-by-step instructions and guidance to the Okta Administrator to quickly configure the Bridge within the Okta Portal. It requires only a few parameters provided by Cirrus Identity to define a new application to point to the Cirrus Bridge.
The implementation started with an initial assessment of CSUMB’s environment. The assessment identified that a dedicated Bridge was needed to satisfy the network and security constraints of CSUMB’s large CAS administrative applications. A dedicated CAS Bridge was deployed for those applications, and a general purpose Bridge was deployed for InCommon and the other CAS service providers. Separating the bridges also allowed the deployments to take place at different times: the administrative Bridge was deployed first, in a carefully scheduled deployment window coordinated with the associated applications, which kept downtime to a minimum. The separate deployments also let CSUMB administrators apply separate policies within Okta, so each Bridge instance can have different user and MFA requirements.
After the initial setup, service providers published in InCommon metadata are accessible provided sufficient attributes are released. Since CSUMB had already registered an IdP with InCommon, the existing certificates and DNS name were transferred to the general purpose Bridge, so the change was transparent to the InCommon federation. Configuration of non-InCommon or CAS service providers, as well as configuration of attribute release, is currently made by contacting Cirrus Support; in the future, these will be self-service capabilities in the Cirrus Administration Console.
The Bridge saves customers the time and effort they would need to maintain comparable solutions themselves. Cirrus Identity also brings many years of InCommon and CAS experience to help customers quickly deploy to production.
As with many successful IT projects, end users did not notice a change after the Bridge was implemented. An individual can start the day by logging into GSuite through Okta and then seamlessly access an InCommon federation application. Whenever an end user sees a login screen, it is always the same one.
Login Screen
Impacts
"At CSU Monterey Bay we have partnered with Cirrus, and have received top-notch support from them at every turn. I highly recommend them, Patrick is the best! We are using their hosted environment to act as a SAML bridge between InCommon SAML SPs, CAS SPs, and our Okta IDM. It has worked perfectly."
Nick Rodrigues, Lead Network Operations Analyst
InCommon & CAS Authenticated Services - The Cirrus Bridge enabled CSUMB to maintain access to critical services and implement Okta.
Intuitive User Experience - Users see the same login screen and use their own credentials.
Reduced IT Staff Support Labor - Utilizing the Cirrus Bridge cloud hosted solution means the small CSUMB IAM team can focus on top priorities!
Retired Legacy Infrastructure - The Shibboleth and CAS environments could be retired, saving on infrastructure, development, maintenance and security.
Cirrus Products Used
Federation Bridge & CAS Bridge
Extends or translates CAS/SAML for use with Microsoft Azure AD, Okta, Slate or other enterprise services, to support InCommon/eduGAIN mesh-style federation.