External Identity Provider | Planning Steps

The Cirrus External Identity Provider is often used to provide access to users who do not have a federated identity and who prefer not to access services via social login. In identity management parlance, the External Identity Provider service is an “identity provider of last resort”. It is helpful to consider a few factors before deployment:

  1. Who is the target audience?

    • Do individuals have a valid email address?

  2. What is/are the Service Providers that will be accessed?

    • Are the Service Providers registered with InCommon or one of the other eduGAIN federations? -- If not, you will need to share the metadata with Cirrus Identity (there are a few options for handling this).

  3. How will password reset be handled?

    • Sending a reset token to the registered email address is the default configuration.

    • Configuring reset via security questions is another option Cirrus supports.

  4. How will this identity provider be branded?

    • What will it be called?

Next you will want to look at Cirrus External Identity Provider | Getting Started.

External Identity Provider | Getting Started

Customers subscribing to Cirrus External Identity Provider will have an instance provisioned during customer on-boarding.

Customers often subscribe to one or more additional Cirrus Identity modules to support desired implementations. Customers often configure the External Identity Provider, alongside other Cirrus solutions such as the Cirrus Gateway, Cirrus Identity Provider Proxy, Cirrus Account Linking, and/or Cirrus Invitation.

The following are the steps needed to get started using Cirrus External Identity Provider:

  1. Customers should take a moment and think about their External IdP deployment. Cirrus Identity can offer generally accepted practices, customer stories, and professional services to help. Reviewing the questions covered by the Cirrus External Identity Provider | Planning Steps is a good first step:

    • Who is the target audience?

    • What is/are the Service Providers that will be accessed?

    • How will password reset be handled?

    • How will this identity provider be branded?

  2. Depending on the customer, Cirrus will provision other modules based on the customer’s subscription (or trial/PoC agreement). Modules such as Cirrus Gateway, Cirrus Identity Provider Proxy, and Cirrus Invitation each have associated setup. See the “Getting Started” for each module as appropriate:

  3. If there is a service provider (SP) that will use the External IdP, but the metadata for the SP is not published to federation metadata (for example InCommon or eduGAIN), the metadata needs to be sent to Cirrus Identity Support (support@cirrusidentity.com) for configuration. Additionally, if there is an SP with special attribute requirements, regardless where the metadata is published, that also needs to be communicated to Cirrus Identity Support.

  4. A member of the organization needs to have access to the Cirrus Console and to be granted the “Organization Administrator” (org admin) role for your organization. (See Cirrus Console Getting Started)

  5. Before the External IdP can be completely setup, an “Organization Administrator” must complete the setup of the customer organization’s user interface.

  6. Cirrus Identity will provide a URL so that customers can download the metadata for the External IdP. This will need to be added to any service providers (other than Cirrus Identity Provider Proxies) that need to leverage the External IdP.

Once these steps are complete, you are ready to add the External IdP to the configurations of other Cirrus Modules.

External Identity Provider | Using Cirrus External Identity Provider

User Self-Service

The Cirrus External Identity Provider uses a user self-service interface to allow users to register and reset their passwords. 

Visit the registration interface for your instance (https://tenantId.idp.cirrusidentity.com/cirrusid/) to see the options available.

Self service options include:

  • Account Registration

  • Account Activation

  • Forgot UserID

  • Forgot Password

  • Change Password

  • Change Security Questions


In the Discovery Service configuration page of the Cirrus Console, the External IdP will appear under your custom federation under Federated Identity Providers. The default name for the IdP is "OrganizationName Guest IdP". You can request a different name via support@cirrusidentity.com if you prefer. You can add the IdP to any SPs discovery interface by clicking the check box next to the name, and clicking Save.

Service Provider Configuration

Your service provider will need to trust the External IdP. This is achieved by consuming metadata for the External IdP.

First, you'll need to the public key used to sign the metadata.

# Retrieve the certificate
$ /usr/bin/curl --silent
https://md.cirrusidentity.com/metadata/metadata-signing.crt >
# Validate its fingerprint
$ openssl x509 -noout -in ~/Downloads/metadata-signing.crt  -fingerprint -sha1

    SHA1 Fingerprint=56:C4:D7:77:8D:9F:C8:03:40:E4:B4:9F:77:67:57:A1:F4:52:91:1D


And then configure your SP to consume the metadata.

<!-- Non-social IdP's managed by Cirrus -->
<!-- Replace _NAME_ with the organization name provided by Cirrus -->
<MetadataProvider type="XML" url="https://md.cirrusidentity.com/metadata/_NAME_/cirrus-metadata-signed.xml"
backingFilePath="cirrus-metadata-signed.xml" reloadInterval="14400">
            <MetadataFilter type="Signature" certificate="/path/to/metadata-signing.crt"/>