Gateway | Configuring a Service Provider

Metadata Configuration

In the Cirrus Gateway, each social provider has its own SAML metadata endpoint. We take each of these endpoints and put them into a metadata bundle. You will need to configure your SAML SP to consume metadata for the social provider IdP endpoints. Since we may add a new social provider to the service at any time, it is best if you refresh the metadata on a daily basis.

Using the Cirrus SAML Proxy?

If you are integrating your SP with the Cirrus SAML Proxy then you probably want to be consuming the proxy metadata bundle, not the gateway bundle. Proxies are customer specific and you'll want to follow our instructions on consuming customer metadata.

XML Metadata

An XML version of the social provider metadata bundle is available at the following URL:

You can also find per entity metadata for each IdP endpoint for the social providers.

Provider | Metadata
Facebook | https://md.cirrusidentity.com/metadata/CirrusIdentitySocialProviders-Facebook-metadata.xml
Google | https://md.cirrusidentity.com/metadata/CirrusIdentitySocialProviders-Google-metadata.xml
Instagram | https://md.cirrusidentity.com/metadata/CirrusIdentitySocialProviders-Instagram-metadata.xml
LinkedIn | https://md.cirrusidentity.com/metadata/CirrusIdentitySocialProviders-LinkedIn-metadata.xml
Twitter | https://md.cirrusidentity.com/metadata/CirrusIdentitySocialProviders-Twitter-metadata.xml
Microsoft | https://md.cirrusidentity.com/metadata/CirrusIdentitySocialProviders-Live-metadata.xml
Weibo | https://md.cirrusidentity.com/metadata/CirrusIdentitySocialProviders-Weibo-metadata.xml
Yahoo! | https://md.cirrusidentity.com/metadata/CirrusIdentitySocialProviders-Yahoo-metadata.xml

Metadata Configuration - Shibboleth SP

Metadata for the Shibboleth Service Provider is configured in the shibboleth2.xml file. An example configuration for the Gateway metadata bundle is as follows:

<MetadataProvider type="XML" url="https://md.cirrusidentity.com/metadata/CirrusIdentitySocialProviders-metadata.xml" backingFilePath="/<path to local file>/CirrusIdentitySocialProviders-metadata.xml" reloadInterval="86400">
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="1209600"/>
</MetadataProvider>

Replace <path to local file> with the actual path to a file on your server. This file must be writable by the Shibboleth process.

For details on all of the available configuration options, please see the Shibboleth NativeSPMetadataProvider documentation.
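The following is an added example, not Cirrus or Shibboleth code: a pre-flight check for a downloaded bundle that approximates the RequireValidUntil filter with the 1209600-second limit from the configuration above, and also reports entity IDs that were not in the previous fetch, since new social providers can appear at any time. The sample bundle, the entity ID under example.org and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"
MAX_VALIDITY = timedelta(seconds=1209600)  # same value as maxValidityInterval above

# Constructed sample bundle; the third entityID is a made-up placeholder.
SAMPLE_BUNDLE = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2024-01-10T00:00:00Z">
  <EntityDescriptor entityID="https://facebook.cirrusidentity.com/gateway"/>
  <EntityDescriptor entityID="https://google.cirrusidentity.com/gateway"/>
  <EntityDescriptor entityID="https://newprovider.example.org/gateway"/>
</EntitiesDescriptor>"""


def parse_valid_until(value):
    """Parse an xs:dateTime such as 2024-01-10T00:00:00Z into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        # Assumption: a timestamp without a zone is treated as UTC.
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def check_bundle(xml_text, now, known_entity_ids):
    """Return (problems, added_entity_ids) for one fetched metadata bundle.

    problems lists reasons to refuse the bundle; added_entity_ids lists IdPs
    that were not trusted after the previous refresh and deserve a review.
    """
    root = ET.fromstring(xml_text)
    problems = []

    raw = root.get("validUntil")
    if raw is None:
        problems.append("missing validUntil")
    else:
        expires = parse_valid_until(raw)
        if expires <= now:
            problems.append("expired")
        elif expires - now > MAX_VALIDITY:
            problems.append("validUntil too far in the future")

    # root.iter() also matches the root, so a single-entity file works too.
    seen = {e.get("entityID") for e in root.iter(MD_NS + "EntityDescriptor")}
    added = sorted(seen - set(known_entity_ids))
    return problems, added


if __name__ == "__main__":
    known = [
        "https://facebook.cirrusidentity.com/gateway",
        "https://google.cirrusidentity.com/gateway",
    ]
    now = datetime(2024, 1, 5, tzinfo=timezone.utc)
    print(check_bundle(SAMPLE_BUNDLE, now, known))
```
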

Metadata Configuration - SimpleSAMLphp Service Provider

A PHP version of the social provider metadata bundle that is suitable for saml20-idp-remote.php is available here. Although it is acceptable to configure the metadata directly in saml20-idp-remote.php, it is best to use the metarefresh module. An example configuration for the Gateway metadata bundle is as follows:

$config = array(
    'sets' => array(
        'incommon' => array(
            'cron'      => array('daily'),
            'sources'   => array(
                array(
                    'src' => 'https://md.cirrusidentity.com/metadata/CirrusIdentitySocialProviders-metadata.xml',
                ),
            ),
            'expireAfter'       => 60*60*24*4, // Maximum 4 days cache time.
            'outputDir'     => '<path to local directory>',
            'outputFormat' => 'serialize',
        ),
    )
);

Replace <path to local directory> with the actual path to a directory on your server. This directory must be writable by the web server process.

For details on using the metarefresh module, please see the SimpleSAMLphp Automated Metadata Management documentation.

Links to Social Identity Provider Developer Consoles

The Cirrus Gateway currently supports seven social identity providers and three protocols. Details about each provider are listed below.

Provider | Protocol | Documentation
AOL | OpenID | OpenID Info
Facebook | OpenID Connect (OAuth) | App Console, Platform Policy
Google | OAuth | API Console, API Terms of Service
LinkedIn | OAuth | App Console, API Terms of Use
Twitter | OAuth | App Console, API Terms of Use
Windows Live (Hotmail) | OAuth | App Console, Microsoft Developer Services Agreement
Yahoo! | OpenID | OpenID Info

Configuring Attribute Release

Overview

Attribute release by the Cirrus Gateway is designed to be as privacy-preserving as possible. By this we mean that the Gateway will only release to the Service Provider (SP) the attributes that the SP actually requests. To accomplish this, the Gateway looks for a list of attributes in the SP's metadata. These attributes are listed in the AttributeConsumingService section of the metadata. If the Gateway finds attributes in this list that the Gateway itself releases (such as givenName and sn), it will release them to the SP, provided that the social provider also releases them. If there are no attributes listed in the SP's metadata, i.e., the AttributeConsumingService section does not exist, then the Gateway will release all attributes which are given to the Gateway by the social provider, and which we have documented in Attribute Mappings.

Configuring Attributes to Release

As mentioned above, the Gateway looks for the AttributeConsumingService section in the SP's metadata to determine which attributes to release. The code below shows what this looks like if you want to have givenName, sn, mail, and eduPersonPrincipalName released to your SP by the Gateway:

<SPSSODescriptor>
    ....
    <AttributeConsumingService index="1" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <RequestedAttribute FriendlyName="givenName" 
          Name="urn:oid:2.5.4.42" 
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
        <RequestedAttribute FriendlyName="sn" 
          Name="urn:oid:2.5.4.4"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
        <RequestedAttribute FriendlyName="mail" 
          Name="urn:oid:0.9.2342.19200300.100.1.3"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
        <RequestedAttribute FriendlyName="eduPersonPrincipalName" 
          Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" 
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
    </AttributeConsumingService>
</SPSSODescriptor>
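The following is an added example, not Cirrus code: a small model of the release rule described in the Overview, useful for checking whether your own SP metadata would trigger the release-everything fallback. The SP metadata, entity ID, attribute values and function names are constructed; the model assumes that the presence of an AttributeConsumingService section is what switches the Gateway to requested-only release.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed SP metadata that requests only givenName and mail (OIDs as in the snippet above).
SP_WITH_LIST = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AttributeConsumingService index="1">
      <ServiceName xml:lang="en">Example SP</ServiceName>
      <RequestedAttribute FriendlyName="givenName" Name="urn:oid:2.5.4.42"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
    </AttributeConsumingService>
  </SPSSODescriptor>
</EntityDescriptor>"""

# The same constructed SP without an AttributeConsumingService section.
SP_WITHOUT_LIST = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""

# Constructed attributes the Gateway might hold after a social login.
FROM_PROVIDER = {
    "urn:oid:2.5.4.42": "Alice",
    "urn:oid:2.5.4.4": "Example",
    "urn:oid:0.9.2342.19200300.100.1.3": "alice@example.org",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "1234567890@google.com",
}


def requested_attributes(sp_metadata_xml):
    """Return {Name: FriendlyName} from AttributeConsumingService, or None if absent."""
    root = ET.fromstring(sp_metadata_xml)
    services = list(root.iter(MD + "AttributeConsumingService"))
    if not services:
        return None
    requested = {}
    for service in services:
        for attr in service.iter(MD + "RequestedAttribute"):
            requested[attr.get("Name")] = attr.get("FriendlyName")
    return requested


def release_report(sp_metadata_xml, provider_attrs):
    """Model which attribute Names reach the SP under the rule in the Overview.

    released:    sent to the SP
    withheld:    held by the Gateway but not requested, so not sent
    unavailable: requested by the SP but not supplied by the social provider
    """
    requested = requested_attributes(sp_metadata_xml)
    if requested is None:
        # No section in the metadata: everything the provider gave is released.
        return {"mode": "release-all", "released": sorted(provider_attrs),
                "withheld": [], "unavailable": []}
    return {
        "mode": "requested-only",
        "released": sorted(n for n in provider_attrs if n in requested),
        "withheld": sorted(n for n in provider_attrs if n not in requested),
        "unavailable": sorted(n for n in requested if n not in provider_attrs),
    }


if __name__ == "__main__":
    for label, xml_text in (("with list", SP_WITH_LIST), ("without list", SP_WITHOUT_LIST)):
        print(label, release_report(xml_text, FROM_PROVIDER))
```
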

Set Attributes in the InCommon Federation Manager

If you are a member of the InCommon Federation, then you can (and, in fact, must) set the attributes to release using the InCommon Federation Manager (FM). (If you do not have access to the InCommon FM, and you are not sure whom to contact, you can look up the contact information for your organization on the InCommon Service Categories page.)

The image below shows the "Requested Attributes" (see red arrow) section of the Service Provider configuration page in the InCommon Federation Manager application. In the image, we have already selected the four attributes we want, and are displaying the popup list which shows other available attributes to select (but note, the Cirrus Gateway does not necessarily support them).

Metadate.png

Configuring ePPN

The only thing that is consistent about the attributes which are returned by the various social identity providers is that they are inconsistent. 

The Cirrus Gateway Console allows you to choose an option for how to map eduPersonPrincipalName. The options are:

  • None

  • Email

  • Unique ID scoped to the provider

Provider | Recommended Option | Notes
AOL | Email | Since AOL is a mail provider, you should get back a value with a scope of @aol.com. Because of this, the AOL social provider endpoint is also scoped to @aol.com, and, therefore, you should not have any issues with this ePPN option running afoul of the default Shibboleth Service Provider attribute policy.
Facebook | Unique ID scoped to the provider (@facebook.com) | As of Spring 2014, Facebook is no longer returning the Facebook username, and instead is returning an "application scoped" ID, i.e., a targeted ID. Please see the id section of the Facebook Graph API documentation. This means that each SP that has its own integration with Facebook will get a different ID for the same user. Therefore, if you are planning to use the Cirrus Identity Invitation Service, you must share the same API Key/Secret with each of the SPs that will be integrated with Facebook.
Google | Unique ID scoped to the provider (@google.com) | Google's unique ID is the ID that shows for a user on their Google+ Profile page. Even if the user has not enabled Google+, the user still has this ID (even if the user is a Google Apps for Business or Education customer).
LinkedIn | Unique ID scoped to the provider | Like Facebook, LinkedIn only provides a targeted ID. However, with LinkedIn the situation is quite a bit more severe, in that a user's ID is tied to the actual API Key/Secret, and not the LinkedIn application that you associate with your SP. The reason this is important to note is that, unlike Facebook, which does not allow you to change your API Key/Secret, LinkedIn does allow you to regenerate your API Key/Secret for any application, and if you do this, the user ID will change! Therefore, if you use LinkedIn, be sure to never change your API Key/Secret. Also, just as with Facebook, if you want to use the Cirrus Identity Invitation Service, you must share the same API Key/Secret with each of the SPs that will be integrated with LinkedIn.
Twitter | Unique ID scoped to the provider (@twitter.com) | Like Google, Twitter provides an ID that is unique to the user, and we recommend that you use this ID, which will be scoped to @twitter.com.
Windows Live (Hotmail) | Unique ID scoped to the provider (@live.com) | Like Google and Twitter, Windows Live provides an ID that is unique to the user, and we recommend that you use this ID, which will be scoped to @live.com.
Yahoo! | Email | Since Yahoo! is a mail provider, you should get back a value with a scope of @yahoo.com. Because of this, the Yahoo! social provider endpoint is also scoped to @yahoo.com, and, therefore, you should not have any issues with this ePPN option running afoul of the default Shibboleth Service Provider attribute policy.
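The following is an added example, not Cirrus or Shibboleth code: a simplified model of the scope rule the notes above refer to, in which an SP accepts an ePPN only when its scope is one registered for the IdP endpoint that asserted it. The scopes are a subset of the 'scope' entries in the SimpleSAMLphp bundle on this page; the ePPN values, the exact-match comparison and the function names are assumptions made for illustration.

```python
# Scopes copied from the 'scope' entries of the SimpleSAMLphp bundle on this page (subset).
IDP_SCOPES = {
    "https://aol.cirrusidentity.com/gateway": {"aol.com"},
    "https://facebook.cirrusidentity.com/gateway": {"facebook.com"},
    "https://google.cirrusidentity.com/gateway": {"google.com"},
    "https://twitter.cirrusidentity.com/gateway": {"twitter.com"},
    "https://yahoo.cirrusidentity.com/gateway": {"yahoo.com"},
}

# Constructed (entityID, ePPN) pairs as an SP might receive them.
SAMPLE_ASSERTIONS = [
    # "Unique ID scoped to the provider" on the Google endpoint.
    ("https://google.cirrusidentity.com/gateway", "108234567890123456789@google.com"),
    # "Email" option on the Google endpoint for a hosted-domain user.
    ("https://google.cirrusidentity.com/gateway", "alice@example.org"),
    # "Email" option on the AOL endpoint, whose scope is the mail domain.
    ("https://aol.cirrusidentity.com/gateway", "bob@aol.com"),
    # A scope that belongs to a different endpoint.
    ("https://facebook.cirrusidentity.com/gateway", "12345@google.com"),
    # Not a scoped value at all.
    ("https://yahoo.cirrusidentity.com/gateway", "carol"),
]


def check_eppn(entity_id, eppn):
    """Return None if the ePPN is acceptable from this IdP, else a reason string."""
    scopes = IDP_SCOPES.get(entity_id)
    if scopes is None:
        return "unknown IdP entityID"
    local, sep, scope = eppn.rpartition("@")
    if not sep or not local or not scope or "@" in local:
        return "not of the form user@scope"
    # Assumption: exact string match against the registered scopes.
    if scope not in scopes:
        return "scope not registered for this IdP"
    return None


def rejected(assertions):
    """Return [(entity_id, eppn, reason)] for every pair that fails the scope check."""
    failures = []
    for entity_id, eppn in assertions:
        reason = check_eppn(entity_id, eppn)
        if reason is not None:
            failures.append((entity_id, eppn, reason))
    return failures


if __name__ == "__main__":
    for entity_id, eppn, reason in rejected(SAMPLE_ASSERTIONS):
        print(entity_id, eppn, "->", reason)
```
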

Gateway | Metadata for simpleSAMLphp

Social Provider Metadata Bundle for SimpleSAMLphp (PHP)

A PHP version of the social provider metadata bundle that is suitable for saml20-idp-remote.php is available below. Although it is acceptable to configure the metadata directly in saml20-idp-remote.php, it is best to use the metarefresh module. Please see the SimpleSAMLphp Automated Metadata Management documentation.

$metadata['https://aol.cirrusidentity.com/gateway'] = array (
  'entityid' => 'https://aol.cirrusidentity.com/gateway',
  'contacts' => 
  array (
    0 => 
    array (
      'contactType' => 'technical',
      'surName' => 'Support',
      'emailAddress' => 
      array (
        0 => 'support@cirrusidentity.com',
      ),
    ),
  ),
  'metadata-set' => 'saml20-idp-remote',
  'SingleSignOnService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://aol.cirrusidentity.com/idp/SSOService/HTTP-Redirect',
    ),
  ),
  'SingleLogoutService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://aol.cirrusidentity.com/idp/SLOService/HTTP-Redirect',
    ),
  ),
  'ArtifactResolutionService' => 
  array (
  ),
  'keys' => 
  array (
    0 => 
    array (
      'encryption' => false,
      'signing' => true,
      'type' => 'X509Certificate',
      'X509Certificate' => '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',
    ),
    1 => 
    array (
      'encryption' => true,
      'signing' => false,
      'type' => 'X509Certificate',
      'X509Certificate' => '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',
    ),
  ),
  'scope' => 
  array (
    0 => 'aol.com',
  ),
  'UIInfo' => 
  array (
    'DisplayName' => 
    array (
      'en' => 'AOL',
    ),
    'Description' => 
    array (
    ),
    'InformationURL' => 
    array (
    ),
    'PrivacyStatementURL' => 
    array (
    ),
  ),
);
$metadata['https://facebook.cirrusidentity.com/gateway'] = array (
  'entityid' => 'https://facebook.cirrusidentity.com/gateway',
  'contacts' => 
  array (
    0 => 
    array (
      'contactType' => 'technical',
      'surName' => 'Support',
      'emailAddress' => 
      array (
        0 => 'support@cirrusidentity.com',
      ),
    ),
  ),
  'metadata-set' => 'saml20-idp-remote',
  'SingleSignOnService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://facebook.cirrusidentity.com/idp/SSOService/HTTP-Redirect',
    ),
  ),
  'SingleLogoutService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://facebook.cirrusidentity.com/idp/SLOService/HTTP-Redirect',
    ),
  ),
  'ArtifactResolutionService' => 
  array (
  ),
  'keys' => 
  array (
    0 => 
    array (
      'encryption' => false,
      'signing' => true,
      'type' => 'X509Certificate',
      'X509Certificate' => 'MIIEDDCCAvQCCQC5VzyqrrLDFjANBgkqhkiG9w0BAQUFADCBxzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEDAOBgNVBAcTB09ha2xhbmQxHjAcBgNVBAoTFUNpcnJ1cyBJZGVudGl0eSwgSW5jLjEgMB4GA1UECxMXQ2lycnVzIElkZW50aXR5IEdhdGV3YXkxJDAiBgNVBAMTG2ZhY2Vib29rLmNpcnJ1c2lkZW50aXR5LmNvbTEpMCcGCSqGSIb3DQEJARYac3VwcG9ydEBjaXJydXNpZGVudGl0eS5jb20wHhcNMTQwMTA5MTYzNDIwWhcNMzQwMTA4MTYzNDIwWjCBxzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEDAOBgNVBAcTB09ha2xhbmQxHjAcBgNVBAoTFUNpcnJ1cyBJZGVudGl0eSwgSW5jLjEgMB4GA1UECxMXQ2lycnVzIElkZW50aXR5IEdhdGV3YXkxJDAiBgNVBAMTG2ZhY2Vib29rLmNpcnJ1c2lkZW50aXR5LmNvbTEpMCcGCSqGSIb3DQEJARYac3VwcG9ydEBjaXJydXNpZGVudGl0eS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDlJlxymOPqgPh4N/4/iSG+9w6Up6XRMOul+rb6KW9T37gAiFyjTITuWyhaDg+P3b3aspj57p7LJlB4dMOT23KELbzOb1Y/rWtCRJ7zGF4GyUAY0ceyYnmSftMphqv2292ohAyn3AL2Idl4Bpcz0E+sJEKddGZT4rvpLsC6zii+xPkhc0BhHH9yzi5zZoEp/tjHvBvCyT28bJayxGdgzdDR0vWtW+37WGIxX/k6gQNH2wkNQEpvpYcyVOGFk44pEOZd9Jw8eqYEjfUMvH+lFZbVee2PvR3fLhZzEcVmZ3lJfWU60LUBCQMENF9CzOAmGMiXpA2jQ7ZeX4LzOZD7jJzXAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAJ/z51TTS2mO47HLCTwS3+ejnhUkNsAGTcbWa+nwuntNAYbIZQTG5ed6jX0c0q5Oi3m4JO93EzUzsNeMHAtW4XBPAv7txMgmcH+UMmDmH64L91F23g1yj5n6uI8RtK9M0ZlSVEv7tShz/oNFAFfyB6jJ9KmGjW/m/gQhtoBYqr3p9xQMszipIP+fCP9s9eY8fsytqzDTRtLx0k6/aZpXqzLrtA+povdHD5WOfIKdJMvJDvyXU9Z6jUKhYyH/uFPU6ZsY9BTp69XeUyXS3Orbz9xHlaq+JGtaTERNPbJENzDjqsx7RPt5r/Jk7KY3ODkVYMLJjFXgDINZZSLKegSh8U8=',
    ),
    1 => 
    array (
      'encryption' => true,
      'signing' => false,
      'type' => 'X509Certificate',
      'X509Certificate' => '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',
    ),
  ),
  'scope' => 
  array (
    0 => 'facebook.com',
  ),
  'UIInfo' => 
  array (
    'DisplayName' => 
    array (
      'en' => 'Facebook',
    ),
    'Description' => 
    array (
    ),
    'InformationURL' => 
    array (
    ),
    'PrivacyStatementURL' => 
    array (
    ),
  ),
);
$metadata['https://google.cirrusidentity.com/gateway'] = array (
  'entityid' => 'https://google.cirrusidentity.com/gateway',
  'contacts' => 
  array (
    0 => 
    array (
      'contactType' => 'technical',
      'surName' => 'Support',
      'emailAddress' => 
      array (
        0 => 'support@cirrusidentity.com',
      ),
    ),
  ),
  'metadata-set' => 'saml20-idp-remote',
  'SingleSignOnService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://google.cirrusidentity.com/idp/SSOService/HTTP-Redirect',
    ),
  ),
  'SingleLogoutService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://google.cirrusidentity.com/idp/SLOService/HTTP-Redirect',
    ),
  ),
  'ArtifactResolutionService' => 
  array (
  ),
  'keys' => 
  array (
    0 => 
    array (
      'encryption' => false,
      'signing' => true,
      'type' => 'X509Certificate',
      'X509Certificate' => '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',
    ),
    1 => 
    array (
      'encryption' => true,
      'signing' => false,
      'type' => 'X509Certificate',
      'X509Certificate' => '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',
    ),
  ),
  'scope' => 
  array (
    0 => 'google.com',
  ),
  'UIInfo' => 
  array (
    'DisplayName' => 
    array (
      'en' => 'Google',
    ),
    'Description' => 
    array (
    ),
    'InformationURL' => 
    array (
    ),
    'PrivacyStatementURL' => 
    array (
    ),
  ),
);
$metadata['https://linkedin.cirrusidentity.com/gateway'] = array (
  'entityid' => 'https://linkedin.cirrusidentity.com/gateway',
  'contacts' => 
  array (
    0 => 
    array (
      'contactType' => 'technical',
      'surName' => 'Support',
      'emailAddress' => 
      array (
        0 => 'support@cirrusidentity.com',
      ),
    ),
  ),
  'metadata-set' => 'saml20-idp-remote',
  'SingleSignOnService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://linkedin.cirrusidentity.com/idp/SSOService/HTTP-Redirect',
    ),
  ),
  'SingleLogoutService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://linkedin.cirrusidentity.com/idp/SLOService/HTTP-Redirect',
    ),
  ),
  'ArtifactResolutionService' => 
  array (
  ),
  'keys' => 
  array (
    0 => 
    array (
      'encryption' => false,
      'signing' => true,
      'type' => 'X509Certificate',
      'X509Certificate' => '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',
    ),
    1 => 
    array (
      'encryption' => true,
      'signing' => false,
      'type' => 'X509Certificate',
      'X509Certificate' => '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',
    ),
  ),
  'scope' => 
  array (
    0 => 'linkedin.com',
  ),
  'UIInfo' => 
  array (
    'DisplayName' => 
    array (
      'en' => 'LinkedIn',
    ),
    'Description' => 
    array (
    ),
    'InformationURL' => 
    array (
    ),
    'PrivacyStatementURL' => 
    array (
    ),
  ),
);
$metadata['https://twitter.cirrusidentity.com/gateway'] = array (
  'entityid' => 'https://twitter.cirrusidentity.com/gateway',
  'contacts' => 
  array (
    0 => 
    array (
      'contactType' => 'technical',
      'surName' => 'Support',
      'emailAddress' => 
      array (
        0 => 'support@cirrusidentity.com',
      ),
    ),
  ),
  'metadata-set' => 'saml20-idp-remote',
  'SingleSignOnService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://twitter.cirrusidentity.com/idp/SSOService/HTTP-Redirect',
    ),
  ),
  'SingleLogoutService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://twitter.cirrusidentity.com/idp/SLOService/HTTP-Redirect',
    ),
  ),
  'ArtifactResolutionService' => 
  array (
  ),
  'keys' => 
  array (
    0 => 
    array (
      'encryption' => false,
      'signing' => true,
      'type' => 'X509Certificate',
      'X509Certificate' => 'MIIECjCCAvICCQDjQ/vpMtMRjDANBgkqhkiG9w0BAQUFADCBxjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEDAOBgNVBAcTB09ha2xhbmQxHjAcBgNVBAoTFUNpcnJ1cyBJZGVudGl0eSwgSW5jLjEgMB4GA1UECxMXQ2lycnVzIElkZW50aXR5IEdhdGV3YXkxIzAhBgNVBAMTGnR3aXR0ZXIuY2lycnVzaWRlbnRpdHkuY29tMSkwJwYJKoZIhvcNAQkBFhpzdXBwb3J0QGNpcnJ1c2lkZW50aXR5LmNvbTAeFw0xNDAxMDkxNjM2MjdaFw0zNDAxMDgxNjM2MjdaMIHGMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEQMA4GA1UEBxMHT2FrbGFuZDEeMBwGA1UEChMVQ2lycnVzIElkZW50aXR5LCBJbmMuMSAwHgYDVQQLExdDaXJydXMgSWRlbnRpdHkgR2F0ZXdheTEjMCEGA1UEAxMadHdpdHRlci5jaXJydXNpZGVudGl0eS5jb20xKTAnBgkqhkiG9w0BCQEWGnN1cHBvcnRAY2lycnVzaWRlbnRpdHkuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz40JmsX02RXOVkh57YaSQNFsjGQc0/t5d8VDTFh8d9g86skjs6g7sl5ltxf37k0yC7g43kOMyq6IfAAX3oFWF2yEVv4Ft1B2VwhBKPrc3Z5vCdW1rKLGfYqGdQ5O958gdSWkkByk5741IDKnDOtmJXvkDpLJWIODRO0d6Vf1AGoJ6zAf4F+MRzddrSX9tXoyaAmNUydSirslZMT2N0olSDEGqMuEb6EGqzxRgfwdyXOJW8OwFFJ1LOLYD0jfpCx7MXriOgn9Oh5mx8Rgm29T1Vbe8JhCBfsEMgYlLYPol+XrUBQPG4qhyIL8AWBRygT0Og8SS9jrOOA7NTa+8+vOiQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQCbwL6Z9YCXKedNeCdKppa2UzXMw7JYkqFNFuVIIYzRhskpOr1g2v9c+LBO+95UjxB7pR2Pjno5fpSChj60jzivMJJV+kHXbYmIqeUtKAx0oaeg8iglWQs1JzEsB6n1ED9EYS7Stj8wnMCvUgwy/YX7bC2OBCzMmAmbR0iivcRUjakz1GoX2K9sKK1EKBYRU/syKSag5u6f4cIYokxZVyDle2LwP4N2xGftO+LoJgM6ZZVmDwvlihy/fiWiDbWI9qzBKkZ+KSHduMjbmqxMeVPvhhiDr84Bt3J+RmRnURBXXZGlod1wZlrxL9tdnciAIFARN9enn6v1igeKQm4HS4qG',
    ),
    1 => 
    array (
      'encryption' => true,
      'signing' => false,
      'type' => 'X509Certificate',
      'X509Certificate' => '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',
    ),
  ),
  'scope' => 
  array (
    0 => 'twitter.com',
  ),
  'UIInfo' => 
  array (
    'DisplayName' => 
    array (
      'en' => 'Twitter',
    ),
    'Description' => 
    array (
    ),
    'InformationURL' => 
    array (
    ),
    'PrivacyStatementURL' => 
    array (
    ),
  ),
);
$metadata['https://win-live.cirrusidentity.com/gateway'] = array (
  'entityid' => 'https://win-live.cirrusidentity.com/gateway',
  'contacts' => 
  array (
    0 => 
    array (
      'contactType' => 'technical',
      'surName' => 'Support',
      'emailAddress' => 
      array (
        0 => 'support@cirrusidentity.com',
      ),
    ),
  ),
  'metadata-set' => 'saml20-idp-remote',
  'SingleSignOnService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://win-live.cirrusidentity.com/idp/SSOService/HTTP-Redirect',
    ),
  ),
  'SingleLogoutService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://win-live.cirrusidentity.com/idp/SLOService/HTTP-Redirect',
    ),
  ),
  'ArtifactResolutionService' => 
  array (
  ),
  'keys' => 
  array (
    0 => 
    array (
      'encryption' => false,
      'signing' => true,
      'type' => 'X509Certificate',
      'X509Certificate' => 'MIIEDDCCAvQCCQCr/40l0m5fADANBgkqhkiG9w0BAQUFADCBxzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEDAOBgNVBAcTB09ha2xhbmQxHjAcBgNVBAoTFUNpcnJ1cyBJZGVudGl0eSwgSW5jLjEgMB4GA1UECxMXQ2lycnVzIElkZW50aXR5IEdhdGV3YXkxJDAiBgNVBAMTG3dpbi1saXZlLmNpcnJ1c2lkZW50aXR5LmNvbTEpMCcGCSqGSIb3DQEJARYac3VwcG9ydEBjaXJydXNpZGVudGl0eS5jb20wHhcNMTQwMTA5MTYzNjQ4WhcNMzQwMTA4MTYzNjQ4WjCBxzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEDAOBgNVBAcTB09ha2xhbmQxHjAcBgNVBAoTFUNpcnJ1cyBJZGVudGl0eSwgSW5jLjEgMB4GA1UECxMXQ2lycnVzIElkZW50aXR5IEdhdGV3YXkxJDAiBgNVBAMTG3dpbi1saXZlLmNpcnJ1c2lkZW50aXR5LmNvbTEpMCcGCSqGSIb3DQEJARYac3VwcG9ydEBjaXJydXNpZGVudGl0eS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0v/M1fZRM9HDVEu0lzPNigIb8tDj8FWQeoUBRU4bpokj7QqTDkzhpTOEKQs7dhIFneXNOrWqrZOX10wAz/58lPnnGpmlSUOAKmksuqwpZXcBigSQu2kbNbZAJJVL1NV/hwXvwuRrLy5BYbVeVF3/2RcjdH9ulNU/BHxTIKLp8DnPXLoWcJjdM2kRE7ytCOqOReUKVAVlelFgdm5t5CDbSJWBUhoAkO9nM906Z3t2xYzaUcuhdB0RcC2xOt2MEP5eKMeuXuu9CKmeWdOdYVGolxD/M7RQeoB8xV4VmIO5kJZPHwUYVKTxlXNXxKEtsBsmGrwU6ag1eKIxPpVPySSiNAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAEfyiYfdWijVUX1e51yXFl9C1WJZQWNVpYJAXvtrYdQIcW/6urFLUtdGCx83+NSXgK17i6F5cLNABfg6uh95Op7bTpW3T61slrKxCiALkIfmBQyG9aJMBnDiCxCAQw5A6DPT0JPWtYbB3E6FqUkSQqqwDRNE8fyrEwFTi2UMKSDYIqKDh8Giq4jsowrr/2ti2+/BtEDAUCf1BLL+70v+04o2t4i/lHBNtCqMdAkrjU3oMfu1kyjMd7Q9mrueItRoaW5esuq+xVfKz+atUqHOv5JxRmW7vtgmRTTpzwSMcounkwAPMEUVrZOsMBBGSK/zDwWV9wN9Qqczs3mFlYGpwNk=',
    ),
    1 => 
    array (
      'encryption' => true,
      'signing' => false,
      'type' => 'X509Certificate',
      'X509Certificate' => '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',
    ),
  ),
  'scope' => 
  array (
    0 => 'windows-live.com',
  ),
  'UIInfo' => 
  array (
    'DisplayName' => 
    array (
      'en' => 'Windows Live (Hotmail)',
    ),
    'Description' => 
    array (
    ),
    'InformationURL' => 
    array (
    ),
    'PrivacyStatementURL' => 
    array (
    ),
  ),
);
$metadata['https://yahoo.cirrusidentity.com/gateway'] = array (
  'entityid' => 'https://yahoo.cirrusidentity.com/gateway',
  'contacts' => 
  array (
    0 => 
    array (
      'contactType' => 'technical',
      'surName' => 'Support',
      'emailAddress' => 
      array (
        0 => 'support@cirrusidentity.com',
      ),
    ),
  ),
  'metadata-set' => 'saml20-idp-remote',
  'SingleSignOnService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://yahoo.cirrusidentity.com/idp/SSOService/HTTP-Redirect',
    ),
  ),
  'SingleLogoutService' => 
  array (
    0 => 
    array (
      'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
      'Location' => 'https://yahoo.cirrusidentity.com/idp/SLOService/HTTP-Redirect',
    ),
  ),
  'ArtifactResolutionService' => 
  array (
  ),
  'keys' => 
  array (
    0 => 
    array (
      'encryption' => false,
      'signing' => true,
      'type' => 'X509Certificate',
      'X509Certificate' => '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',
    ),
    1 => 
    array (
      'encryption' => true,
      'signing' => false,
      'type' => 'X509Certificate',
      'X509Certificate' => 'MIIEBjCCAu4CCQDYBM+u/oot0DANBgkqhkiG9w0BAQUFADCBxDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEDAOBgNVBAcTB09ha2xhbmQxHjAcBgNVBAoTFUNpcnJ1cyBJZGVudGl0eSwgSW5jLjEgMB4GA1UECxMXQ2lycnVzIElkZW50aXR5IEdhdGV3YXkxITAfBgNVBAMTGHlhaG9vLmNpcnJ1c2lkZW50aXR5LmNvbTEpMCcGCSqGSIb3DQEJARYac3VwcG9ydEBjaXJydXNpZGVudGl0eS5jb20wHhcNMTQwMTA5MTYzNzM2WhcNMzQwMTA4MTYzNzM2WjCBxDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEDAOBgNVBAcTB09ha2xhbmQxHjAcBgNVBAoTFUNpcnJ1cyBJZGVudGl0eSwgSW5jLjEgMB4GA1UECxMXQ2lycnVzIElkZW50aXR5IEdhdGV3YXkxITAfBgNVBAMTGHlhaG9vLmNpcnJ1c2lkZW50aXR5LmNvbTEpMCcGCSqGSIb3DQEJARYac3VwcG9ydEBjaXJydXNpZGVudGl0eS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKNRrll35TvmX/n6ubzkzYU3zVYCtb57hIn4TRSILRXwluA7S17IukFmHNrggBFq4JYyZbSpZ3y6zminsWyyRevJk4qSg+fGo8qQUW43243Qh7zjdb42KJtGLdTL3kUlI5bmL11/FYXgyjkLvFOtcyPxLph+RlcCTu+nOHDzoIusEDq9ZWW+zKhdG14yWgXZahAzfQir7uFTHphvc0R6r8kEFf18/ySp/fYYMY9caNEJmJ98tY6SpUrqjFM6gcEivhdMWH9J8gY+rsc/1fzsZ8m61O7wx2YqulMrHcSiG54XPpWrgSvHOBD2rJplHUkpX/juqRkataHJXGFrhvHgW/AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBALDnrLfeeexWnualfKze+9EKEEAaJt972aBTYaEl2CZkELQpAOtmlvD1JKKk9LoF4KuCYFng/W3xDIQf9Upy2pQcXCEbiK9CsPdRHFqKhYY/nvQClPFLGpcQBpmztMjK3CzhJRWDedHeLM/YRvLUnEEVrLvfiJ2oMgt22YhwY+elbJJFzb/L6u0ecRICxfyYqLazEMMAbB4XKcyG6W7nsIV+vM0GLI0CvOSnt6P1em1oisy4lVoJHT2BKiPH801XKXrBySG7kyl+px318YcSSYOQsUXOhMS8vkGJqVQSuhzxYXIQehgy4AeLW6GUXN44KeKJ6iV05ebZKm41Wzoxk9I=',
    ),
  ),
  'scope' => 
  array (
    0 => 'yahoo.com',
  ),
  'UIInfo' => 
  array (
    'DisplayName' => 
    array (
      'en' => 'Yahoo!',
    ),
    'Description' => 
    array (
    ),
    'InformationURL' => 
    array (
    ),
    'PrivacyStatementURL' => 
    array (
    ),
  ),
);

Gateway | Social IdP Integration

Social Provider API Integrations for Your First Service Provider

For each social provider, you must set an API Key and secret for the first SP (note that AOL and Yahoo are exceptions as they use OpenID as opposed to OAuth or OpenID Connect and do not require that you set an API Key and Secret):

  1. You will need a developer account for each social provider you wish to integrate. Please be sure that you keep track of the credentials you use to administer the social provider integration. Some social providers allow you to add additional administrators. Make sure you do that so that someone else can manage the integration in the event you leave your organization or are out of the office when access is required.

  2. Log in to the Cirrus console and go to the MySPs tab at the top and choose the first SP to integrate with a social provider. 

  3. In the configuration page for the Service Provider, you'll see icons for the enabled social providers on the left (the set of enabled social providers is set in the "Gateway Service" configuration section).

  4. Click on a social provider and you'll see input boxes for API Key and secret. If the Service Provider has already been integrated with this social provider, those fields will contain values. If not, the scrolling window on the right contains step-by-step instructions for setting up the API Key and Secret for that social provider. Follow the steps and copy and paste the API Key and Secret from the Social Provider into the console fields.

  5. Be sure to grab the authorized redirect URI from the instructions and copy and paste that into the social provider's developer API console.

  6. Instructions for adding authorized redirect URIs for each provider are available in the adding authorized redirect URI article.


Adding additional Service Providers with same social provider API integrations

You may decide to use the same Social Identity Provider integration across multiple Service Providers in your organization. For a single service, you may have different dev, test, and production instances where you want to share the same API Key and Secret. Or, you may wish to have the same unique identifier for all Facebook users (Facebook and LinkedIn generate a unique identifier which is tied to a particular API integration, similar to an eduPersonTargetedID).

This article contains instructions for settings in the Cirrus Identity console that allow sharing an API Key and Secret with multiple Service Providers. 

For each social provider, you must set an API Key and secret for the first SP. See Social Provider API Integrations for Your First Service Provider.

You can share this API Key and Secret across multiple Service Providers, but you must add a new authorized redirect URI for each Service Provider to the social provider's API settings.

Important note: Twitter does not support the addition of authorized redirect URIs for more than one Service Provider.

To add a new Service Provider using the same API Key and Secret:

  1. Be sure you know the credentials for the user account at the social provider that was used with the initial API integration. 

  2. Log into the Cirrus Identity console and navigate under the MySPs tab to the Service Provider that has the existing API Key and Secret.

  3. Copy and paste the API Key and Secret from the existing Service Provider to the configuration page for the new Service Provider.

Social IP.png

Then, still in the configuration page for the new Service Provider, on the right side of the screen, scroll down the API Setup Guide window until you find the authorized redirect URI generated by the console for the new Service Provider.

Social IP 2.png

Copy the redirect URI for that provider. Then scroll back to the top of the API Setup Guide window and click the link to go to that provider's developer console.

Social IP 3.png

Adding Authorized Redirect URIs to social provider developer consoles

Now you'll need to scroll down the API Setup Guide in the Cirrus console for each social provider and copy the authorized redirect URI for the new Service Provider you are setting up, and then navigate to the place in the social provider developer console where you can paste that into the API settings.

Please refer to the article on setting redirect URIs for instructions on where to paste those links you copy from the Cirrus console.

Adding Authorized Redirect URLs to social provider API settings

If you are sharing an API Key and Secret with more than one Service Provider, you will need to add an Authorized redirect URI for each Service Provider that shares the API key and secret. See this article for details of why you may want to do this. This article contains instructions for adding the Authorized Redirect URIs for social providers where appropriate. 

Note: AOL and Yahoo use OpenID so you do not need to set an API Key and Secret or an authorized redirect URI.

Note: Twitter does not support more than one Authorized Redirect URL for an integration, so you cannot share a Twitter API Key and Secret with more than one Service Provider.

To add Authorized Redirect URIs for each social provider:

  1. Make sure you have the credentials to the social provider developer console handy as you will need to update the settings there.

  2. In the Cirrus Console, choose the Service Provider from the drop-down list under the MySPs tab.

  3. Choose the social provider icon from the left nav bar

  4. Go to the API Setup Guide window on the right

  5. Scroll down to the authorized redirect URI the console has generated for that Service Provider

  6. Copy the authorized redirect URI

  7. Scroll back to the top of the API setup guide and click the link to log into the developer console for that social provider

  8. Find the place where you can add authorized redirect URIs (see below for instructions), and paste in the authorized redirect URI generated by the Cirrus console.

Facebook

Once logged in to the Facebook developers console:

Choose the Service Provider that is already integrated (the one with the API Key and Secret you are going to share with the new application).

On the dashboard, choose "settings" from the left nav bar

Choose "advanced" from the middle panel

Google

Once in the Google console, click "Enable APIs and Get Credentials Like Keys"

Choose the "Google + API"

Choose "Credentials" in the left nav bar

Choose the name of the integration in the middle panel

Paste the Authorized redirect URI you copied from the Cirrus console into the Google Cloud Platform console

Instagram

Log in to Instagram developers console

As part of Register a New Client, provide the Valid redirect URIs, or set them afterward by going to the Security tab of the client and adding one

LinkedIn

Log in to developer's console

Choose the application that is already integrated (the one with the API Key and Secret you are going to share with the new application).

Scroll down to the field for adding redirect URIs

Twitter

Note: for Twitter you can add only ONE redirect URI, so you cannot share the same API Key and Secret across multiple Service Providers when you integrate with Twitter.

Log in to developer's console

Choose settings from the top nav bar

Scroll down and paste the link into the "callback URL" box

Weibo

Log in to Open Weibo site

Select the application under My Applications

Under the Application menu select Advanced

Click edit in the OAuth2.0 authorization settings and enter the link as the Authorization callback page

WindowsLive

Log in to developer's console

Navigate to settings

Choose the API settings tab

Scroll down and enter the "redirect URLs"

REMINDER: AOL and Yahoo use OpenID so you do not need to set an API Key and Secret or an authorized re-direct URL

Managing Social Provider Integrations

Your organization will need to set up the API integrations with each social identity provider. Because people and organization units come and go, you may want to consider the following options when deciding how to set up your API integrations:

  1. Google, Facebook, and LinkedIn allow you to add more than one administrator for an application integration with their identities. 

  2. Instagram, Twitter, Weibo, and WindowsLive allow only one account to administer the API integration

  3. AOL and Yahoo are OpenID providers and you don't need to set an API Key and Secret

Instagram, Twitter, Weibo, and WindowsLive

Document the accounts you use to set up integrations with Instagram, Twitter, Weibo, and/or WindowsLive. You can send Cirrus Identity the account names you used (but not the credentials) and we'll keep track of them in case you forget in the future.

We highly recommend you establish multiple administrators. Below are instructions for setting more than one admin for Google. 

Remember that you can access the social provider API consoles by going to the Cirrus Console, choosing the social provider from the icons on the left, and then clicking the link on the right in the API integration instructions window.

Google

  • Log in to developers console

  • From the Google Cloud Platform Dashboard, select the menu button in the far left

  • From the menu, choose "setting"

Adding multiple administrators for your API Integration with social identity providers

Your organization will need to set up the API integrations with each social identity provider. Because people and organization units come and go, you may want to consider the following options when deciding how to set up your API integrations:

  1. Google, Facebook, and LinkedIn allow you to add more than one administrator for an application integration with their identities. 

  2. Twitter and WindowsLive allow only one account to administer the API integration

  3. AOL and Yahoo are OpenID providers and you don't need to set an API Key and Secret

Below are instructions for setting more than one admin for Google, Facebook, and LinkedIn. We highly recommend you establish multiple administrators.

If you are integrating with Twitter or Microsoft, be sure to document the accounts you used to set up the initial integrations.  You can send Cirrus Identity the account names you used and we'll keep track of them in case you forget in the future.

Remember that you can access the social provider API consoles by going to the Cirrus Console, choosing the social provider from the icons on the left, and then clicking the link on the right in the API integration instructions window.

Google

  • Log in to developers console

  • From the Google Cloud Platform Dashboard, select the menu button in the far left

  • From the menu, choose "Permissions" 

  • Then choose "Add Users"

Facebook

  • Log in to Facebook developers console

  • From the Facebook developers console, select the application for which you're adding admins

  • From the menu in the left nav bar, choose "Roles" 

  • Then choose "Add Administrators"

LinkedIn

  • Log in to LinkedIn developers console

  • From the LinkedIn developers console dashboard, select the application for which you're adding admins

  • From the menu on the left nav bar, choose "Roles" 

  • Then add developers to the input field (you will need to have a first level LinkedIn connection to the admins you add)

Social Provider API Rate Limits

Overview

Most of the social providers have some form of rate limits on APIs.

Provider | API Rate Limit Information
Facebook | “...app can make 200 calls per hour per user in aggregate…” See https://developers.facebook.com/docs/graph-api/advanced/rate-limiting for more details.
Google | “Your application is limited to the number of API calls it can make by a usage courtesy quota. To view the courtesy limit and to request additional quota for your application, in the Google Developers Console, ...” choose “IAM & Admin” in the Google Console and select “Quotas”. See https://developers.google.com/+/web/api/rest/?hl=en_US#quota for more details.
Instagram | 5000/hr for live integrations. See https://www.instagram.com/developer/limits/ for more details.
LinkedIn | “... make more than 500,000 daily calls to an API.. ” See Section 1.4.2 of Terms of Service https://developer.linkedin.com/legal/api-terms-of-use for more details.
Twitter | A formula but generally 15 calls in 15 minutes per user token. See https://dev.twitter.com/rest/public/rate-limiting for more details.
Weibo | “...So the limit value is not fixed, different applications have different restrictions, depending on the application of their own quality.” From http://open.weibo.com/wiki/%E6%8E%A5%E5%8F%A3%E8%AE%BF%E9%97%AE%E9%A2%91%E6%AC%A1%E6%9D%83%E9%99%90 using Google Translate, see for more details.
Microsoft Live | No documentation found.
Yahoo! | No documentation found.
AOL | No documentation found.

Developer Account Setup – Weibo

Overview

This solution will provide the basics for creating a Weibo account that can be used to configure the API integration needed for Cirrus Identity Gateway.

NOTE: This solution is oriented toward non-Chinese readers and will make use of Weibo English interfaces where possible and the Chrome Browser translate features in other areas.


Creating a basic Weibo Account

NOTE: The link below will direct you to a web page that most browsers will flag as insecure. At present, Cirrus Identity is not aware of a TLS protected version of the Weibo registration page. The potential exposure of the credential by creating an identity without TLS may factor into an organization's decision to accept Weibo as a social provider.

To create an initial Weibo account, open the English based interface available at the following link with the Chrome Browser:

http://weibo.com/signup/signup.php?lang=en-us

Initially the interface will suggest you sign up using a mobile phone number. Our experience suggests that an account based on an email address is easier to use (you will still need to register a phone number but that comes later). Change the interface by selecting the “Use Email” link.

Once you select “Use Email” you should see the following:

Weibo 2.png

Once you enter the email address, password, and verification code, press “Sign Up Now”. If everything passes checks, you will be asked to verify the account with a mobile phone number.

After verification, you will be asked to provide a unique nickname (this will be important for handling access to the API Integration during testing), date of birth, gender, and indicate a location Overseas (US). If you are not using the Chrome Browser, the following hints will help with translation.

Weibo 4.png

You will be asked again to confirm using mobile.

NOTE: If you run into an SMS interface that is not translated, “United States” in Chinese (Simplified) is 美国 and the international prefix should display as “001”.

You will next be asked for some interests (Weibo is a social media platform after all). You may either select the defaults or customize. Press “Enter” when complete.

After selecting some interests, you should see your Weibo home page. While not especially helpful for the API configuration interface, you can change the default for your profile to English under the settings. Click the settings icon in the upper right.

Then go to “Preferred Settings” (third from bottom) in the left menu and change the language.

When done, press the “Save Button”.

Build out your developer profile

Before you can configure the Weibo API for Cirrus Identity Gateway, you will need to build out your developer information on the open.weibo.com site.

To log back in to Weibo, navigate to http://us.weibo.com/gb and click on the “Login” button.

Click on your nickname and you will be taken to your profile page.

At the bottom of the profile page, there is a link to the API developer page (you can also go directly there at http://open.weibo.com and select a similar login button).

Once on the Weibo developer site, click on your nickname in the upper right. Select the first option, which should take you to the developer profile page.

Use the translate function in Google Chrome and fill out the “Basic Information” page. Completed basic information is required before you can set up the API and test it with the Cirrus Identity gateway. You do not have to fill out the “Authentication” initially. That will be required when moving the API into a fully production mode.

Once you fill out the basic information, press the “Submit” button at the bottom. A verification email will be sent to your account. The email will be in Chinese. Google Translate renders it as the following:

Weibo 13.png

After clicking on the verification email, your basic information should be confirmed. If you now click on the “My Applications” (the option right next to your profile picture) you will see the status of your profile.

Once translated, you should see the basic information is “Perfect” and the email is “Verified”. It is the minimum needed to configure the API for testing.

To deploy the API to production, you will also need to provide information that supports authentication. You can use a scanned image of your passport for this verification.

Gateway | Attribute Mappings

Attribute Mappings

Facebook [3]

Attribute | SAML/MACE Dir Attribute
first_name | givenName
last_name | sn
name | cn
id@facebook.com [1] | eduPersonPrincipalName

Google

Attribute | SAML/MACE Dir Attribute
given_name | givenName
family_name | sn
email | mail
sub@google.com or email | eduPersonPrincipalName

Instagram

Attribute | SAML/MACE Dir Attribute
username | displayName
id@instagram.com | eduPersonPrincipalName

LinkedIn [3]

Attribute | SAML/MACE Dir Attribute
firstName | givenName
lastName | sn
id@linkedin.com [2] | eduPersonPrincipalName

A LinkedIn ID is mixed case, alphanumeric and can also contain '-','_' and possibly '='.

Data Returned by LinkedIn

Twitter [3]

Attribute | SAML/MACE Dir Attribute
name | cn
screen_name | displayName
id@twitter.com | eduPersonPrincipalName

Weibo

Attribute | SAML/MACE Dir Attribute
name | cn
screen_name | displayName
id@weibo.com | eduPersonPrincipalName

Microsoft

Attribute | SAML/MACE Dir Attribute
first_name | givenName
last_name | sn
name | cn
mail['account'] | mail
id@live.com | eduPersonPrincipalName

Yahoo!

Attribute | SAML/MACE Dir Attribute
http://axschema.org/namePerson | displayName
http://axschema.org/contact/email | mail
http://axschema.org/contact/email | eduPersonPrincipalName

Data Returned by Yahoo!

  1. Facebook IDs are tied to the API key used for integration. If a consistent ID is desired, the same API key must be used for each integration.

  2. LinkedIn IDs are tied to the API key used for integration. If a consistent ID is desired, the same API key must be used for each integration.

  3. Facebook, LinkedIn, and Twitter can be configured to return the primary email address. This however can be changed by the user at any time and should not be considered a persistent attribute.
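
As an added example (not Cirrus Identity's own code), the following Python applies the mapping tables above to profile dictionaries for the OAuth-based providers and builds eduPersonPrincipalName from the provider id and scope. The function name, the constructed sample profiles, the generic id check for providers other than LinkedIn, and the use of sub rather than email for Google are assumptions made for the example.

```python
import re

# Scope appended to the provider's user id to form eduPersonPrincipalName,
# as listed in the mapping tables on this page.
EPPN_SCOPE = {
    "facebook": "facebook.com", "google": "google.com",
    "instagram": "instagram.com", "linkedin": "linkedin.com",
    "twitter": "twitter.com", "weibo": "weibo.com", "microsoft": "live.com",
}

# Provider attribute -> SAML/MACE Dir attribute, from the same tables.
ATTRIBUTE_MAP = {
    "facebook": {"first_name": "givenName", "last_name": "sn", "name": "cn"},
    "google": {"given_name": "givenName", "family_name": "sn", "email": "mail"},
    "instagram": {"username": "displayName"},
    "linkedin": {"firstName": "givenName", "lastName": "sn"},
    "twitter": {"name": "cn", "screen_name": "displayName"},
    "weibo": {"name": "cn", "screen_name": "displayName"},
    "microsoft": {"first_name": "givenName", "last_name": "sn", "name": "cn"},
}

# LinkedIn ids: mixed case alphanumeric plus '-', '_' and possibly '='.
LINKEDIN_ID = re.compile(r"[A-Za-z0-9_=-]+")
# Assumption for the other providers: any id without '@' or whitespace.
GENERIC_ID = re.compile(r"[^@\s]+")


def to_saml_attributes(provider, profile):
    """Map one provider profile (a dict) to SAML attributes."""
    # Google identifies the user by 'sub'; the other providers use 'id'.
    user_id = str(profile["sub" if provider == "google" else "id"])
    pattern = LINKEDIN_ID if provider == "linkedin" else GENERIC_ID
    if not pattern.fullmatch(user_id):
        # An '@' in the local part would let the id carry its own scope.
        raise ValueError(f"unexpected {provider} id: {user_id!r}")
    attrs = {saml: profile[src]
             for src, saml in ATTRIBUTE_MAP[provider].items()
             if profile.get(src)}
    if provider == "microsoft":
        # The Microsoft table takes mail from the 'account' address.
        account = (profile.get("emails") or {}).get("account")
        if account:
            attrs["mail"] = account
    # Build the identifier from the provider id, not from an email address:
    # users can change their email at any time (note 3 on this page).
    attrs["eduPersonPrincipalName"] = f"{user_id}@{EPPN_SCOPE[provider]}"
    return attrs


# Constructed sample profiles, shaped like the provider payloads on this page.
SAMPLE_FACEBOOK = {"id": "1020000000000001", "first_name": "Ada",
                   "last_name": "Example", "name": "Ada Example"}
SAMPLE_MICROSOFT = {"id": "ab12cd34ef567890", "name": "Ada Example",
                    "first_name": "Ada", "last_name": "Example",
                    "emails": {"preferred": "ada@example.org",
                               "account": "ada@example.com", "business": None}}
SAMPLE_TWITTER = {"id": 1234567, "name": "Ada Example", "screen_name": "adaex"}

if __name__ == "__main__":
    for name, sample in (("facebook", SAMPLE_FACEBOOK),
                         ("microsoft", SAMPLE_MICROSOFT),
                         ("twitter", SAMPLE_TWITTER)):
        print(name, to_saml_attributes(name, sample))
```

A Service Provider that keys local accounts on eduPersonPrincipalName should keep notes 1 and 2 in mind: for Facebook and LinkedIn the id part changes if a different API key is used for the integration.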

Attribute Mappings - Data Returned by Facebook

{
  'id': '10204549705122834',
  'first_name': 'Lucas',
  'gender': 'male',
  'last_name': 'Rockwell',
  'link': 'https://www.facebook.com/app_scoped_user_id/10204549705122834/',
  'locale': 'en_US',
  'name': 'Lucas Rockwell',
  'timezone': -4,
  'updated_time': '2014-04-02T01:08:50+0000',
  'verified': true
}


Attribute Mappings - Data Returned by Google

{
  'kind': 'plus#personOpenIdConnect',
  'gender': 'male',
  'sub': '107996035382810786476',
  'name': 'Lucas Rockwell',
  'given_name': 'Lucas',
  'family_name': 'Rockwell',
  'profile': 'https://plus.google.com/107996035382810786476',
  'picture': 'https://lh3.googleusercontent.com/-fKxsFsNgw9E/AAAAAAAAAAI/AAAAAAAAACg/gaP7sAlxyag/photo.jpg?sz=50',
  'email': 'lucasrockwell@gmail.com',
  'email_verified': 'true',
  'locale': 'en'
}

Attribute Mappings - Data Returned by LinkedIn

{
  'firstName': 'Lucas',
  'headline': 'CTO of Cirrus Identity',
  'id': 'c_A19ySwwr',
  'lastName': 'Rockwell',
  'pictureUrl': 'http://m.c.lnkd.licdn.com/mpr/mprx/0_r9mLMBhp6T3YtEa7tng9Mz1-X65lrEa7tcssMzKfRilTfaJfyrYdcvX3oeLmPSf_AzuRntGd2ikl',
}


Attribute Mappings - Data Returned by Twitter

{
  'id': 14760495,
  'id_str': '14760495',
  'name': 'Lucas Rockwell',
  'screen_name': 'lucasrockwell',
  'location': 'New York, NY',
  'description': 'Cirrus Identity',
  'url': 'http://t.co/15edBC2oLw'
}


Attribute Mappings - Data Returned by Windows Live (Hotmail)

{
  'id': 'fd1a7c8227963289',
  'name': 'Lucas Rockwell',
  'first_name': 'Lucas',
  'last_name': 'Rockwell',
  'link': 'https://profile.live.com/',
  'gender': NULL,
  'emails': {
    'preferred': 'lr@lucasrockwell.com',
    'account': 'lucasrockwell@hotmail.com',
    'personal': 'lr@lucasrockwell.com',
    'business': NULL,
  },
  'locale': 'en_US',
  'updated_time': '2014-07-23T13:57:15+0000'
}


Attribute Mappings - Data Returned by Yahoo!

{
  'openid': 'https://me.yahoo.com/lucasrockwell#036ef',
  'openid.server_url': 'https://open.login.yahooapis.com/openid/op/auth',
  'openid.axkeys': [
    'http://axschema.org/namePerson',
    'http://axschema.org/contact/email'
  ],
  'http://axschema.org/namePerson': 'Lucas Rockwell',
  'http://axschema.org/contact/email': 'lucasrockwell@yahoo.com'
}


Attribute Mappings - Data Returned by AOL

{
  'openid': 'http://openid.aol.com/lucasatcirrus',
  'openid.server_url': 'https://api.screenname.aol.com/auth/openidServer',
  'openid.sregkeys': [
    'email'
  ],
  'openid.sreg.email': 'lucasatcirrus@aol.com',
  'openid.axkeys': [
    'http://axschema.org/contact/email'
  ],
  'http://axschema.org/contact/email': 'lucasatcirrus@aol.com'
}