Console | Getting Started 

The Cirrus Console is the tool admins will use to configure integrations, manage both service providers (SPs) and identity providers (IdPs), set user interface styling, and much more. The Cirrus Console supports federated and social login via our own Discovery and Gateway services! Our customers access the Cirrus Console from their enterprise accounts, so the first step is to establish trust between the Cirrus Console and your enterprise IdP.

1. Your institutional IdP configuration

In order for you to be able to log in to the Cirrus Console, your institutional IdP needs to release either the mail or eduPersonPrincipalName attributes to the Console service provider. This service provider is listed in the InCommon metadata with an entityID of:

2. Make sure you are provisioned as an administrator in the Console

Subscribing customers will have initial organizational administrators (Org Admins) provisioned as part of customer on boarding. Organizations that choose to conduct a trial or a proof-of-concept with Cirrus Identity may also be provisioned with access as part of the trial/proof-of-concept. Organization administrators can add additional administrators at anytime by going to “My Orgs | Admins” in the Console.

3. Log in to the Cirrus Console

Once the individual is set up as an administrator and organization’s Identity Provider is releasing email and/or ePPN attributes to the Console, the individual can try logging in by selecting “Login” from the Cirrus Identity website top navigation bar. The individual will be taken to a Cirrus Discovery Service screen. The individual’s organization will be available as a provider choice. See the next section for additional detail.

Logging into the Cirrus Console

To access the Cirrus Console, click the Login at the top of the Cirrus Identity website. Once you reach the login page, you will need to select your identity/login provider from the Cirrus Discovery Service.

Cirrus Console.png

You can search for your provider by typing in the text field. If your provider is not listed, please contact

Cirrus Console 2.png

If you receive an error when you attempt to log in, a common reason is your organization’s identity provider is not configured to trust the Cirrus Console. Please see Step #1 of Console | Getting Started.

The Cirrus Console - Dashboard

Once logged into the Console, you will be presented with a dashboard that indicates both the organization and the service providers you have access to.


The My Service Providers section lists any service providers which you are able to administer. The My Organizations section lists the organization you are associated with and will be highlighted if you are an organization level administrator. 

Console | My Organizations Menu

You can access the My Organizations section by clicking on the organization name on the dashboard, or by selecting the name in the My Orgs menu at the top of the application.

Console 4.png


The Organization page lists basic information about your organization, like Organization Name, Support Email, Organization URL (this must match a value in the federation metadata), and Global Admins.

Console 5.png


The Admins page is where you manage the attributes about the admins for your organization. On this page you can create and edit admins. Once you have an admin created, you can make that admin a Global Admin on the Organization page, or a Service Provider admin on the Service Providers page.

Console 7.png

Service Providers

The Service Providers page is where you manage which Service Providers are available to your organization and which admin(s) have the ability to manage them. The list of Service Providers comes from the various federation metadata files that the Cirrus Gateway supports, and is derived from the OrganizationURL in the metadata.

Console 8.png

Social Providers

The Social Providers page is where you manage which Social Providers will be made available to your organization. By selecting Social Providers on this page, you will make them available for each Service Provider to use. If you only enable Facebook and Google, then your Service Providers will able to able to use those two providers, and will not be able to use Twitter, Windows Live, etc.

Console 9.png

Console | My SPs Menu

Console 10.png

You can access the configuration for a Service Provider by either clicking on the name of the Service Provider on the dashboard [#1], or by selecting the name of the Service Provider from the My SPs menu [#2] at the top of the page. 

This guide is designed to make setting up your service provider/application in the Gateway Admin Console as smooth as possible.

The instructions below mention the InCommon Federation, but if your institution is a member of another federation or you need a custom metadata setup, send us an email and we will help you track down the appropriate information.

  1. Make sure your SP is registered in your federation’s metadata

  2. Make sure you have set up a SAML DiscoveryResponse endpoint in the metadata

  3. Figure out your "application response location"

  4. Make sure you have accounts with all of the social providers you plan to use with your SP

  5. Gather up the names of the Identity Providers you intend to include in the Discovery Service

  6. Make sure your institutional IdP trusts the Cirrus Gateway Console SP

  7. Login to the Cirrus Gateway Console

1. Register SP With Your Federation

The Cirrus Gateway is designed to work with the SPs from many different federations. The US Higher Education federation is InCommon, and the metadata for the various IdPs and SPs in the federation is managed via the Federation Manager App. If you are a member institution of InCommon (you can view the list on their Current InCommon Participants page), make sure your SP is registered with InCommon. If you are not sure, contact your campus/institution Identity Management group to verify (you can find your campus contact listed on theInCommon IdPs page). If you need a custom metadata setup, and you haven't already discussed that with us, send us email.

2. Set SAML DiscoveryResponse In Metadata

One of the pieces of information that can be supplied about your SP to the InCommon Federation Manager is something called the "Discovery Response Endpoint". This information is usually generated by your SP software, but since it is not mandatory in the Federation Manager App, sometimes the information is not entered. This SAMLDiscoveryResponse endpoint must be entered into the form for your SP. If you have questions about what this endpoint value is, contact your campus/institution Identity Management group, and they should be able to help you figure out what this is. If not, contact, and we can provide you with guidance.

3. Application Response Location

A SAML service provider needs to know where to send a user after he or she has authenticated and the service provider has handled the authentication request for the user. This location is the “application response location”, and it is a URL on your application which usually handles logging a user into the application itself.

4. Social Provider Accounts

In order to allow your application/service provider to use social providers with the Cirrus gateway, you need to establish an OAuth key and secret with each of the providers you wish to use. By doing this setup, you are setting up a trust relationship between your SP, Cirrus, the social provider, and the end-user. You do this by providing details about your application, like name, site URL, logo if you have one, etc., and in exchange the social provider gives you a key that is good only for your application. When this key is presented to the social provider, that is the clue for the social provider to present the user with information about your application.

This will make a lot more sense once you are in the process of setting up your OAuth key and secret (step-by-step instructions are provided for you in the Gateway Admin app itself), but in the mean time, make sure you can log into the following locations (if you are going to be using the provider). This will save you a lot of time later.

NOTE: Some providers allow you to add more than one person to manage the integration. Take advantage of the option when available and/or establish a dedicated administrative account for these integrations. Doing so will avoid relying on a single individual to maintain the integration.

There is a dedicated article with more information on managing social providers HERE.

5. Gather Identity Provider Names

Along with the social providers, the Cirrus Discovery Service allows you to include institutional identity providers (IdPs), like your home institution. Also, depending on the nature of the application, you may want to (or already do) allow people from other institutions to log into your application. So, this step is simply here to make sure you have a rough idea of the various IdPs you want to list in the Discovery Service.

Gateway Service

The basic attributes for each service provider are configured at the top of the Gateway Service page. Help for each attribute is also provided on the page. 

Console 11.png

The Social Providers available for the Service Provider to authenticate are selected at the bottom of the Gateway Service page. Providers selected will be available for configuration, and later presentation in the Discovery Service.

Console 12.png

The list of Social Providers that can be configure for each Service Provider are listed to the left. When initially enabled, the Cirrus Identity Console will indicate providers need to be configured [#3]. The mapping of the attributes for each Social Provider may also be accessed at the bottom of the list [#4].

Console 13.png

Discovery Service

The Discovery Service page is where you configure your service provider to allow users to select identity providers, including social providers, to access the service. The top of the page lists Federated Identity Providers from the different trust federations [#5]. This includes custom federations that have been created by Cirrus Identity such as the "Athena Federation" for our demonstration organization [#6]. Checking the box to the left of an identity provider places it in the Selected IdPs list [#7]. To present the identity provider in the discovery interface as preferred, drag it to the Preferred Providers list [#8]. Preferred Providers can be placed on a separate tab in the discovery interface, select the option to do so below the Preferred Providers list [#9].

Console 14.png


Button Style of discovery interface is available when using the Stand-alone discovery interface type. This will present the discovery interface using large buttons [#10] instead of a list [#11].

Console 15.png

  To configure the button style discovery interface, select Use Button Style [#12] and then configure the options.

Console 16.png

Options to configure and style the Discovery Service user interface are available at the bottom of the page. Help for each option is also provided on the page.

Console 17.png