California State University, Monterey Bay
Students, Faculty & Staff Access to InCommon & CAS Services with Okta
Single Sign-OnDescription Goes Here
InCommon / eduGAINDescription Goes Here
The Cirrus Bridge allowed CSUMB to quickly connect Okta to both InCommon and CAS authenticated services to provide easy access to all campus users.
The California State University, Monterey Bay (CSUMB) implemented Okta to streamline integration of cloud services. A full migration to Okta was hampered by two gaps: 1) Okta’s Identity Provider cannot readily integrate with Service Providers registered in the InCommon trust federation and 2) Critical CSUMB enterprise applications require the CAS authentication protocol which is not supported by Okta. CSUMB needed a solution that would allow users access to InCommon services and also support local applications that used CAS authentication. One of the applications that uses CAS is the course management system that saw large numbers of daily users.
Okta’s SAML support is based on bilateral connections between Okta’s identity store and each service provider. This architectural design makes Okta incompatible with mesh federations like InCommon.
With the deployment of Okta and the Cirrus Bridge, CSUMB wanted to decommission their local Shibboleth deployment and retire a CAS shim that was used to support Single Sign-on to a few critical enterprise applications.
Maintain access to InCommon services for campus users.
Partner with IAM professionals so the small IT team could focus on other priorities.
Expedite the implementation of Okta by eliminating technical gaps.
Retire Shibboleth and the CAS shim to reduce technical expense and support needs.
How Cirrus Helped
The Bridge from Cirrus Identity addresses both Okta limitations - it provides mesh style federation required by InCommon and CAS to SAML protocol translations required by key applications.
The Bridge securely consumes InCommon metadata, and supports the registration of a single SAML Identity Provider endpoint for participation in the federation.
The Cirrus Bridge functions as an application within Okta. Cirrus provides step-by-step instructions and guidance to the Okta Administrator to quickly configure the Bridge within the Okta Portal. It requires only a few parameters provided by Cirrus Identity to define a new application to point to the Cirrus Bridge.
The implementation started with an initial assessment of CSUMB’s environment. It was identified that a dedicated Bridge was needed to support the network and security constraints of CSUMB’s large CAS administrative applications. A dedicated CAS Bridge was deployed for those applications and a general purpose Bridge was deployed for InCommon and other CAS service providers. The separate bridges also allowed the deployments to take place at separate times. The administrative Bridge was deployed first at a carefully scheduled deployment window coordinated with the associated applications. This allowed downtime to be minimized. The separate deployments also enabled CSUMB administrators to apply separate policies within Okta. This allows each Bridge instance to have different user and MFA requirements.
After the initial setup, service providers published in InCommon metadata are accessible provided sufficient attributes are released. Since CSUMB had already registered an IdP with InCommon, the certificates and DNS name were transferred to the general purpose Bridge. This enabled the change to be transparent to the InCommon federation.Configuration of non-InCommon or CAS service providers, as well as configuration of attribute release is made by contacting Cirrus Support. In the future, these will be self-service capabilities in the Cirrus Administration Console.
The Bridge saves customers the time and effort they would need to maintain comparable solutions themselves. Cirrus Identity also brings many years of InCommon and CAS experience to help customers quickly deploy to production.
As with many successful IT projects, after the implementation of the Bridge, the end users did not notice a change. An individual can start the day logging into GSuite using Okta and then seamlessly access an InCommon federation application. When an end user sees a login screen, it is always the same one.
"At CSU Monterey Bay we have partnered with Cirrus, andhave recieved top-notch support from them at every turn. Ihighly recommend them, Patrick is the best!We are using their hosted environment to act as a SAMLbridge between InCommon SAML SPs, CAS SPs, and ourOkta IDM. It has worked perfectly."
InCommon & CAS Authenticated Services - The Cirrus Bridge enabled CSUMB to maintain access to critical services and implement Okta.
Intuitive User Experience - Users see the same login screen and use their own credentials.
Reduced IT Staff Support Labor - Utilizing the Cirrus Bridge cloud hosted solution means the small CSUMB IAM team can focus on top priorities!
Retired Legacy Infrastructure - The Shibboleth and CAS environments could be retired - saving on infrastructure, development maintenance and security.
Cirrus Products Used
Federation Bridge & CAS Bridge
Extends or translates CAS/SAML for use with Microsoft AzureAD, Okta, Slate or other enterprise services to support InCommon/EduGAIN mesh style federation.