Identity Provider Proxy | Planning Steps
Proxy solutions like the Cirrus Identity Provider Proxy sit in the middle of things. A bit of planning before getting started will go a long way to reducing initial confusion. Consider the following questions:
Who is the target audience?
What IdP(s) will the audience use?
Does the audience vary based on the Service Provider being accessed?
Which Service Providers will be accessed?
Do the Service Providers meet Cirrus Identity Provider Proxy requirements (support either SAML v2 or CAS)?
Are the Service Providers registered with InCommon or one of the other eduGAIN federations? If not, you will need to share the metadata with Cirrus Identity (there are a few options for accomplishing this).
Do the Service Providers have an authorization process to control access that is separate from authenticating to the service?
Will the Proxy be required to provide access control?
How will the end user “discover” which Identity Provider to use with the Proxy? In other words, what discovery configuration will the Proxy have?
By default, the Proxy is configured to use the Cirrus Discovery Service, which is the quickest way to get started. Both the Cirrus Proxy and the Cirrus Discovery Service are integrated with InCommon and eduGAIN metadata, and we can add your custom metadata to further lower the initial configuration effort.
If the audience is being directed from another application such as a portal (and the service provider is reasonably well-behaved), discovery can be bypassed by carefully constructing a URL. The URL can be used for links in portals or other web content to direct the audience to the service. See “Discovery Configuration with Cirrus Proxy | Bypass Proxy Discovery” for more details.
The Proxy can also be configured to use any discovery service that is compatible with the OASIS IdP Discovery Service Protocol and Profile if an organization desires. See “Discovery Configuration with Cirrus Proxy | Configure my own Discovery Service for Proxy” for more details.
Next, you will want to look at “Cirrus Identity Provider Proxy | Getting Started”.