Documentation | Identity Provider Proxy



One of our biggest goals at Cirrus Identity is to enable cross-organizational collaboration. Multilateral identity federation is a powerful tool to achieve this goal, but many vendor products don’t fully support the technologies for multilateral federation. Additionally, use cases such as protocol translation or account linking often require a proxy component.

The Cirrus Identity Provider Proxy is a solution that addresses Service Provider limitations such as:

  • Only supporting one SAML identity provider
  • Only supporting CAS for authentication but not SAML
  • Not supporting the SAML discovery protocol
  • Not supporting metadata from InCommon or one of the other eduGAIN participating federations
  • Not supporting the attributes as asserted by identity provider(s)
  • Not being able to require multi-factor authentication (MFA) because it is not supported by some or all identity providers

The Proxy can also be used by an organization architecturally to act as a single access point for audiences to access a group of Service Providers. Examples are:

  • Applicants often need access to a subset of an organization’s services before they are fully admitted. For example, services to check application status, apply for scholarships, and pay fees can be deployed behind a Proxy for a uniform access experience.

  • Alumni also need access to services such as transcript requesting, engagement platforms, career services. A centralized Proxy can streamline access to these services and improve engagement. The uniform and consistent experience for the end user is especially desirable for this audience.

The Proxy is also part of the Cirrus family of solutions and is fully integrated with:

  • Cirrus Discovery to enable the easy configuration of a user interface to select the identity provider for log in
  • Cirrus Gateway to enable both social login and organization IdP authentication to service providers
  • Cirrus Account Linking to enable liking organizational data to external identities asserted by either social login or federation identity providers
  • Cirrus Invitation to enable coarse grained authorization control to services based on sponsors associated with the institution
  • Cirrus External Identity Provider to enable organizations to offer a separate guest account with associated password that reflects the organization’s brand but as a SaaS solution

Cirrus Identity doesn’t believe in re-inventing the wheel. The Proxy has at its foundation the well tested and widely adopted SimpleSAMLphp open source project (SSP). Cirrus Identity is both an active participant, and contributor to the SSP community. We believe basing our solution on SSP allows us to both actively participate in the global academic identity management community, and focus on delivering effective solutions to our customers.