External Identity Provider | Using Cirrus External Identity Provider

User Self-Service

The Cirrus External Identity Provider uses a user self-service interface to allow users to register and reset their passwords. 

Visit the registration interface for your instance (https://tenantId.idp.cirrusidentity.com/cirrusid/) to see the options available.

Self service options include:

  • Account Registration

  • Account Activation

  • Forgot UserID

  • Forgot Password

  • Change Password

  • Change Security Questions


In the Discovery Service configuration page of the Cirrus Console, the External IdP will appear under your custom federation under Federated Identity Providers. The default name for the IdP is "OrganizationName Guest IdP". You can request a different name via support@cirrusidentity.com if you prefer. You can add the IdP to any SP's discovery interface by clicking the check box next to the name, and clicking Save.

Service Provider Configuration

Your service provider will need to trust the External IdP. This is achieved by consuming metadata for the External IdP.

First, you'll need the public key used to sign the metadata.

# Retrieve the certificate (saved where the next command reads it)
$ /usr/bin/curl --silent https://md.cirrusidentity.com/metadata/metadata-signing.crt > ~/Downloads/metadata-signing.crt
# Validate its fingerprint against the value shown below
$ openssl x509 -noout -in ~/Downloads/metadata-signing.crt -fingerprint -sha1

    SHA1 Fingerprint=56:C4:D7:77:8D:9F:C8:03:40:E4:B4:9F:77:67:57:A1:F4:52:91:1D
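
The fingerprint comparison above can be scripted so that a deployment job fails closed when the downloaded file is not the expected certificate. This is an added example, not part of the Cirrus documentation; the function names and the SAMPLE_* values are assumptions made for illustration, and the pinned value is the fingerprint printed on this page.

```python
import hashlib
import hmac
import ssl

# SHA-1 fingerprint this page publishes for metadata-signing.crt
PINNED_SHA1 = "56:C4:D7:77:8D:9F:C8:03:40:E4:B4:9F:77:67:57:A1:F4:52:91:1D"
# Constructed stand-in so the example runs offline: arbitrary bytes wrapped
# as PEM, NOT the real Cirrus certificate.
SAMPLE_DER = b"constructed sample bytes, not a real certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def normalize_fingerprint(text):
    """Accept openssl output or a bare fingerprint; return lowercase hex."""
    value = text.strip().split("=", 1)[-1]      # drop "SHA1 Fingerprint="
    hexstr = value.replace(":", "").replace(" ", "").lower()
    if len(hexstr) != 40 or any(c not in "0123456789abcdef" for c in hexstr):
        raise ValueError("not a SHA-1 fingerprint: %r" % text)
    return hexstr


def cert_sha1(pem_text):
    """SHA-1 over the DER bytes of the single PEM certificate in pem_text."""
    if pem_text.count("-----BEGIN CERTIFICATE-----") != 1:
        raise ValueError("expected exactly one PEM certificate")
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    return hashlib.sha1(der).hexdigest()


def fingerprint_matches(pem_text, pinned=PINNED_SHA1):
    """True only if the certificate hashes to the pinned fingerprint."""
    try:
        actual = cert_sha1(pem_text)
    except ValueError:
        # Fail closed on empty files, HTML error pages, truncated downloads.
        return False
    return hmac.compare_digest(actual, normalize_fingerprint(pinned))


if __name__ == "__main__":
    import sys
    # Usage: pass the path of the downloaded metadata-signing.crt
    with open(sys.argv[1], encoding="ascii", errors="replace") as fh:
        ok = fingerprint_matches(fh.read())
    print("fingerprint OK" if ok else "fingerprint MISMATCH: do not install")
    sys.exit(0 if ok else 1)
```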


And then configure your SP to consume the metadata.

<!-- Non-social IdPs managed by Cirrus -->
<!-- Replace _NAME_ with the organization name provided by Cirrus -->
<MetadataProvider type="XML" url="https://md.cirrusidentity.com/metadata/_NAME_/cirrus-metadata-signed.xml"
                  backingFilePath="cirrus-metadata-signed.xml" reloadInterval="14400">
    <MetadataFilter type="Signature" certificate="/path/to/metadata-signing.crt"/>
</MetadataProvider>