When integrated with Entra ID, Okta, or Duo SSO, the Cirrus Bridge supports application policy configuration in these upstream systems, allowing you to consolidate your security controls into your enterprise system of choice.
This policy is requested via API by the Cirrus Identity Bridge, allowing you to:
The Cirrus Identity Bridge requires an application’s metadata URL, application ID, and application name. Attributes and other user information are retrieved by the Bridge via SAML assertion, so there is no need to authorize access to read user information or any other object permissions unless required by the integrated provider.
The Cirrus Identity Bridge requests and persists the least amount of information possible to function. Least privilege access varies by integrated identity provider:
The Cirrus Identity Bridge for Entra ID requests application information at the time a user attempts to authenticate through the Bridge.
The minimum permission needed to validate application trust and settings through the Entra ID API is Application.Read.All. Entra ID Bridges do not persist any application information outside of event logs, which are subject to a 90-day retention period. Information about applications that are not receiving traffic is never requested.
The Cirrus Identity Bridge for Okta requests application information periodically, and persists only information about applications assigned to an Okta group that designates them as authorized for use with the Cirrus Bridge.
The minimum viable read-only permission supported by the Okta API is “Read-only Administrator”, which includes authorization to read user and policy information beyond application details. This broader access is never used by Cirrus Identity for any purpose.
The Cirrus Identity Bridge for Duo SSO requests application information periodically, and persists only information for applications that list the Cirrus Bridge as a valid return endpoint.
The minimum permission supported by the Duo API is “Grant resource”, which includes authorization to read user information. This broader access is never used by Cirrus Identity for any purpose; all user information passing through the Bridge is received and transmitted via SAML assertions.