Gateway | Getting Started

The Cirrus Gateway enables any Service Provider (SP) that supports SAML v2.0 to leverage social login as a method for authentication. It is also quick to setup if the SP supports the use of a SAML based discovery service. If you have an SP that doesn’t quite meet these requirements, consider using the Gateway with the Cirrus Identity Provider Proxy as an integrated authentication solution (the Proxy supports additional protocols).

NOTE: If you are using a Proxy, your target SP will trust the Proxy as its identity provider (IdP), and the “SP” in the instructions below will be for the Proxy (see Cirrus Identity Provider Proxy getting started). The Cirrus Proxy is automatically integrated with the Gateway for social login and you will not need to perform Steps #4 and #7 below.

The following are the steps needed to get started using the Cirrus Gateway:

  1. Customers should take a moment and think about their Gateway Deployment. Cirrus Identity can offer generally accepted practices, customer stories, and professional services to help. Reviewing how to select social providers covered by the Cirrus Gateway | Planning Steps is a good place to start.

  2. A member of the organization needs to have access to the Cirrus Console and to be granted the “Organization Administrator” (org admin) role for your organization (see Cirrus Console getting started).

  3. From the Cirrus Console, an org admin will enable social providers for the organization -- this should be any social providers an organization wants to allow.

  4. Cirrus Identity needs the metadata for any service providers (SP) that you want to use with the Gateway. If the SP is registered with one of the eduGAIN federations (InCommon, UK Fed, CAF, or others) we already have it. If not, you can send us the metadata and we will load it (if you anticipate having a high volume of SPs to add, you can set up a metadata aggregate that Cirrus Identity can consume regularly).

  5. From the Cirrus Console, an org admin will create the SP in the Console so it can be configured (not for Proxy integration). At this point, the org admin may designate an SP admin to complete the setup.

  6. From the Cirrus Console, an admin will enable the desired social providers specific to the SP (this may be a subset of social providers allowed at the org level). The admin will need a developer account for each social provider to complete the API integration. For each enabled social provider, the admin will follow the instructions available in the Console integrate the Social Provider (see Initial Social Provider API Integrations).

  7. From the Cirrus Console, an admin will configure the Cirrus Discovery Service -- to enable login via social identity providers, the organization’s enterprise identity provider (see Cirrus Discovery getting started), as well as other federated partners and custom IdPs. Note that customers can run their own Discovery Service if they prefer. See #8 below for links to the Cirrus metadata for the social identity provider endpoints.

  8. For SPs integrating directly with the gateway (not for Proxy integration), you will need to change the configuration for the SP to consume Cirrus Gateway metadata - the metadata is available at (further details on Gateway metadata).

  9. Change the configuration for the SP to use the Cirrus Discovery Service - the discovery URL is "" (further details on configuring different service providers).

Once these steps are complete, you are ready to use the Gateway.