Identity Provider Proxy | Getting Started
Customers subscribing to Cirrus Identity Provider Proxy will have a UAT Proxy instance provisioned during customer on-boarding. Cirrus staff will also perform some initial configuration and, if appropriate, register the instance as an SP in the InCommon trust federation.
Customers will often subscribe to one or more additional Cirrus Identity modules to support desired implementations. In addition to provisioning the Proxy instance, we’ll also work with you to conduct some initial setup for Cirrus Gateway, Cirrus Account Linking, and/or Cirrus Invitation.
The following steps are needed to get started using Cirrus Identity Provider Proxy:
Customers should take a moment and think about their Proxy Deployment. Cirrus Identity can offer generally accepted practices, customer stories, and professional services to help. Reviewing the questions covered by the Cirrus Identity Provider Proxy | Planning Steps is a good first step:
Who is the target audience?
What is/are the Service Providers that will be accessed?
Do the Service Providers have an authorization process to control access that is separate from authenticating to the service?
How will the end user “discover” which Identity Provider to use with the Proxy -- which is another way of saying what discovery configuration will the Proxy have?
As mentioned above, Cirrus Identity generally registers the SP side of the Proxy with the InCommon trust federation as part of the provisioning process. This allows identity providers to access metadata. Identity Providers will need to adjust attribute release to the Proxy for any attributes needed.
Depending on the customer, Cirrus will provision other modules based on the customer’s subscription (or trial/PoC agreement). Modules such as Cirrus Gateway, Cirrus External Identity Provider, and Cirrus Invitation each have associated setup. See the “Getting Started” for each module as appropriate:
If the Customer has subscribed to the Cirrus Account Linking solution, the customer will need to coordinate with Cirrus Identity on the details of the linking identifier to be used. Cirrus Identity will need these details to finish the configuration of the Proxy (See Cirrus Account Liking Getting Started).
If there is a Service Provider (SP) that will use the Proxy, but the metadata for the SP is not published to federation metadata (for example InCommon or eduGAIN), the metadata needs to be sent to Cirrus Identity Support (email@example.com) for configuration (we support more automated metadata integration methods as well). Additionally, if there is an SP with special attribute requirements, regardless where the metadata is published, that also needs to be communicated to Cirrus Identity Support.
If there is an Identity Provider that is needed by the Proxy audience, but the metadata for the IdP is not published to federation metadata (for example InCommon or eduGAIN), the metadata needs to be sent to Cirrus Identity Support (firstname.lastname@example.org) for configuration.
A member of the organization needs to have access to the Cirrus Console and to be granted the “Organization Administrator” (org admin) role for your organization. (See Cirrus Console Getting Started)
If the customer will be using the Cirrus Discovery Service (recommended at the start), an admin will configure the Cirrus Discovery Service for the Service Provider side of the Proxy using the Cirrus Console. The Discovery Service will be the interface users are redirected to when they attempt to log in to the Service Provider. Customers will configure all of the Identity Providers from which a user may choose (See Cirrus Discovery Getting Started).
Change the configuration for all Service Providers (SP) that will use the Proxy to trust the Identity Provider (IdP) side of the Proxy. Cirrus Identity will provide the path to the IdP metadata but it will generally be at a URL of the form https://NAME.proxy.cirrusidentity.com/saml2/idp/metadata.php (See Cirrus Proxy Documentation for further details).
If the customer configured the Cirrus Discovery Service (see Step #8), change the configuration for all SPs that will use the Proxy to use the Cirrus Discovery Service - the discovery URL is "https://apps.cirrusidentity.com/console/ds/index" and details for different Service Provider platforms are available here).
Once these steps are complete, you are ready to use Proxy with your service provider.