Documentation | Bridge



Multilateral federated identity has become generally accepted practice for most higher education and research organisations in North America, Europe, Asia-Pacific, and increasingly the rest of the World. Unfortunately, many popular commercial solutions for managing identity don’t fully support the technologies for multilateral federation -- relying instead on bilateral registration of each Service Provider (SP) to the Identity Provider (IdP). Additionally many of these solutions don’t support the popular single sign-on (SSO) protocol CAS.

The Cirrus Bridge addresses common Identity Provider limitations such as:

  • Only supporting bilateral registration of SAML Service Providers

  • Not supporting consumption of metadata from InCommon, one of the other eduGAIN participating federations, state federations, government federations, or industry specific federations

  • Not supporting specification of your own entityID in a domain that you control so that domain validation can be performed

  • Not supporting the CAS single sign-on protocol for authentication

  • Not supporting assertion of attributes as required by service provider(s) - specifically eduPerson attributes

The Bridge can also be used by an organization architecturally to address several federated identity use cases:

  • Participation in a trust federation such as InCommon or one of the other eduGAIN participating federations without needing to run a dedicated Identity Provider such as Shibboleth, SimpleSAMLphp, or SATOSA to support that participation. For example, smaller organizations may have a requirement to participate in a federation, but cannot dedicate resources to bridge between an existing Azure Active Directory environment and the federation.

  • Supporting a “Cloud First” strategy while still maintaining existing multilateral capabilities. Many organizations are migrating to commercial solutions. The Cirrus Bridge allows those organizations to maintain the capability they need to continue to participate in federations such as InCommon, one of the eduGAIN participating federations, regional, or industry specific federations.

  • Supporting CAS while still migrating to a commercial solution. The CAS protocol has been widely adopted by higher education and many large Higher Ed applications offer it as the only method for SSO integration. The Cirrus Bridge allows organizations to migrate to another solution while maintaining support for CAS. Likewise, there are instances were an application can act as a CAS Identity Provider -- The Cirrus Bridge can be used to present those identities to a SAML based federation.


The Bridge is also part of the Cirrus family of solutions and is fully integrated with:

  • Cirrus Discovery to enable the easy configuration of a user interface to select the identity provider for log in

  • Cirrus Gateway to enable both social login and organization IdP authentication to service providers

  • Cirrus Identity Provider Proxy to support authentication from multiple identity providers

  • Cirrus Account Linking to enable linking organizational data to external identities asserted by either social login or federation identity providers

  • Cirrus Invitation to enable coarse grained authorization control to services based on sponsors associated with the institution

  • Cirrus External Identity Provider to enable organizations to offer a separate guest account with associated password that reflects the organization’s brand but as a SaaS solution

Like the Cirrus Proxy, The Bridge has at its foundation the well tested and widely adopted SimpleSAMLphp (SSP) open source project. Cirrus Identity is both an active participant, and contributor to the SSP community. We believe basing our solution on SSP allows us to both actively participate in the global academic identity management community, and focus on delivering effective solutions to our customers.