Customer Success Use Case

California State University, Monterey Bay

Students, Faculty & Staff Access to InCommon & CAS Services with Okta

Cirrus Identity SSO

Single Sign-On

Cirrus InCommon & eduGAIN

InCommon / eduGAIN

Summary

The Cirrus Bridge allowed CSUMB to quickly connect Okta to both InCommon and CAS authenticated services to provide easy access to all campus users.

Business Challenge

The California State University, Monterey Bay (CSUMB) implemented Okta to streamline integration of cloud services. A full migration to Okta was hampered by two gaps: 1) Okta’s Identity Provider cannot readily integrate with Service Providers registered in the InCommon trust federation, and 2) critical CSUMB enterprise applications require the CAS authentication protocol, which is not supported by Okta. CSUMB needed a solution that would allow users access to InCommon services and also support local applications that used CAS authentication. One of the applications that uses CAS is the course management system, which saw large numbers of daily users.

Okta’s SAML support is based on bilateral connections between Okta’s identity store and each service provider. This architectural design makes Okta incompatible with mesh federations like InCommon.

With the deployment of Okta and the Cirrus Bridge, CSUMB wanted to decommission their local Shibboleth deployment and retire a CAS shim that was used to support Single Sign-on to a few critical enterprise applications. 

Project Goals

Maintain access to InCommon services for campus users.

Partner with IAM professionals so the small IT team could focus on other priorities.

Expedite the implementation of Okta by eliminating technical gaps.

Retire Shibboleth and the CAS shim to reduce technical expense and support needs.

How Cirrus Helped

The Bridge from Cirrus Identity addresses both Okta limitations: it provides the mesh-style federation required by InCommon and the CAS-to-SAML protocol translation required by key applications.

The Bridge securely consumes InCommon metadata, and supports the registration of a single SAML Identity Provider endpoint for participation in the federation.

The Cirrus Bridge functions as an application within Okta. Cirrus provides step-by-step instructions and guidance to the Okta Administrator to quickly configure the Bridge within the Okta Portal. It requires only a few parameters provided by Cirrus Identity to define a new application to point to the Cirrus Bridge.

The implementation started with an initial assessment of CSUMB’s environment. The assessment identified that a dedicated Bridge was needed to support the network and security constraints of CSUMB’s large CAS administrative applications. A dedicated CAS Bridge was deployed for those applications, and a general purpose Bridge was deployed for InCommon and other CAS service providers. The separate Bridges also allowed the deployments to take place at separate times. The administrative Bridge was deployed first, in a carefully scheduled deployment window coordinated with the associated applications, which minimized downtime. The separate deployments also enabled CSUMB administrators to apply separate policies within Okta, so each Bridge instance can have different user and MFA requirements.

After the initial setup, service providers published in InCommon metadata are accessible, provided sufficient attributes are released. Since CSUMB had already registered an IdP with InCommon, the certificates and DNS name were transferred to the general purpose Bridge. This made the change transparent to the InCommon federation. Configuration of non-InCommon or CAS service providers, as well as configuration of attribute release, is done by contacting Cirrus Support. In the future, these will be self-service capabilities in the Cirrus Administration Console.

The Bridge saves customers the time and effort they would need to maintain comparable solutions themselves. Cirrus Identity also brings many years of InCommon and CAS experience to help customers quickly deploy to production.

As with many successful IT projects, after the implementation of the Bridge, the end users did not notice a change. An individual can start the day logging into GSuite using Okta and then seamlessly access an InCommon federation application. When an end user sees a login screen, it is always the same one.

[Figure: CSUMB login screen]

Impacts

"At CSU Monterey Bay we have partnered with Cirrus, and have received top-notch support from them at every turn. I highly recommend them, Patrick is the best! We are using their hosted environment to act as a SAML bridge between InCommon SAML SPs, CAS SPs, and our Okta IDM. It has worked perfectly."

Nick Rodrigues, Lead Network Operations Analyst

InCommon & CAS Authenticated Services - The Cirrus Bridge enabled CSUMB to maintain access to critical services and implement Okta.

Intuitive User Experience - Users see the same login screen and use their own credentials.

Reduced IT Staff Support Labor - Utilizing the Cirrus Bridge cloud hosted solution means the small CSUMB IAM team can focus on top priorities!

Retired Legacy Infrastructure - The Shibboleth and CAS environments could be retired, saving on infrastructure, development, maintenance and security.

Cirrus Products Used

[Figure: High-level architecture]

California State University, Monterey Bay

California State University, Monterey Bay (CSUMB) is envisioned as a comprehensive state university which values service through high quality education. The campus will be distinctive in serving the diverse people of California, especially the working class and historically undereducated and low-income populations.