External Identity Provider | Planning Steps

The Cirrus External Identity Provider is often a solution of last resort (sometimes called an “identity provider of last resort”). It is helpful to consider a few factors before deployment:

  1. Who is the target audience?

    1. Do individuals have a valid email address?

  2. What is/are the Service Providers that will be accessed?

    1. Are the Service Providers registered with InCommon or one of the other eduGAIN federations -- if not, how will Cirrus Identity get the metadata?

  3. How will password reset be handled?

    1. Sending a reset token to the registered email address is the default configuration.

    2. Configuring reset questions is another option.

  4. How will this identity provider be branded?

    1. What will it be called?

Next you will want to look at Cirrus External Identity Provider | Getting Started.

External Identity Provider | Getting Started

Customers subscribing to Cirrus External Identity Provider will have an instance provisioned during customer on-boarding.

Customers will often subscribe to one or more additional Cirrus Identity modules to support desired implementations. In addition to provisioning the External Identity Provider, some initial setup for Cirrus Gateway, Cirrus Identity Provider Proxy, Cirrus Account Linking, and/or Cirrus Invitation will also take place.

The following are the steps needed to get started using Cirrus External Identity Provider:

  1. Customers should take a moment and think about their External IdP deployment. Cirrus Identity can offer generally accepted practices, customer stories, and professional services to help. Reviewing the questions covered by the Cirrus External Identity Provider | Planning Steps is a good first step:

    1. Who is the target audience?

    2. What is/are the Service Providers that will be accessed?

    3. How will password reset be handled?

    4. How will this identity provider be branded?

  2. Depending on the customer, Cirrus will provision other modules based on the customer’s subscription (or trial/PoC agreement). Modules such as Cirrus Gateway, Cirrus Identity Provider Proxy, and Cirrus Invitation each have associated setup. See the “Getting Started” for each module as appropriate:

    1. Cirrus Gateway Getting Started

    2. Cirrus Account Linking Getting Started

    3. Cirrus Invitation Getting Started

    4. Cirrus Identity Provider Proxy Getting Started

  3. If there is a service provider (SP) that will use the External IdP, but the metadata for the SP is not published to federation metadata (for example InCommon or eduGAIN), the metadata needs to be sent to Cirrus Identity Support (support@cirrusidentity.com) for configuration. Additionally, if there is an SP with special attribute requirements, regardless of where the metadata is published, that also needs to be communicated to Cirrus Identity Support.

  4. A member of the organization needs to have access to the Cirrus Console and to be granted the “Organization Administrator” (org admin) role for your organization. (See Cirrus Console Getting Started)

  5. Before the External IdP can be completely set up, an “Organization Administrator” must complete the setup of the customer organization’s user interface.

  6. Cirrus Identity will provide a URL so that customers can download the metadata for the External IdP. This will need to be added to any service providers (other than Cirrus Identity Provider Proxies) that need to leverage the External IdP.

Once these steps are complete, you are ready to add the External IdP to the configurations of other Cirrus Modules.

External Identity Provider | Using Cirrus External Identity Provider

User Self Service

The Cirrus External Identity Provider uses a user self service interface to allow users to register and reset their passwords. 

Visit the registration interface for your instance (https://tenantId.idp.cirrusidentity.com/cirrusid/) to see the options available.

Self service options include:

  • Account Registration

  • Account Activation

  • Forgot UserId

  • Forgot Password

  • Change Password

  • Change Security Questions


In the Cirrus console the External IdP will appear under your custom federation under Federated Identity Providers. The default name for the IdP is "OrganizationName Guest IdP". You can add the IdP to an SP's discovery interface by clicking the check box next to the name, and clicking Save.

Service Provider Configuration

Your service provider will need to trust the External IdP. This is achieved by consuming metadata for the External IdP.

First, you'll need the public key used to sign the metadata.

# Retrieve the certificate
$ /usr/bin/curl --silent https://md.cirrusidentity.com/metadata/metadata-signing.crt > ~/Downloads/metadata-signing.crt
# Validate its fingerprint
$ openssl x509 -noout -in ~/Downloads/metadata-signing.crt -fingerprint -sha1

    SHA1 Fingerprint=56:C4:D7:77:8D:9F:C8:03:40:E4:B4:9F:77:67:57:A1:F4:52:91:1D
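
The download and fingerprint check above can be scripted so that a certificate whose fingerprint differs is never copied to the path the SP reads. This is an added example, not Cirrus Identity's own tooling; the function names are hypothetical, and EXPECTED_FP is the fingerprint printed on this page.

```shell
#!/usr/bin/env bash
# Added example: fail-closed install of the metadata signing certificate.
# EXPECTED_FP is the SHA1 fingerprint shown on this page.
EXPECTED_FP="56:C4:D7:77:8D:9F:C8:03:40:E4:B4:9F:77:67:57:A1:F4:52:91:1D"

# Reduce "SHA1 Fingerprint=AA:BB:..." (or a bare fingerprint) to upper-case hex,
# so differences in label, case or separators do not cause false mismatches.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' | tr -d ': \r\n' | tr 'a-f' 'A-F'
}

# Succeed only when both fingerprints are the same non-empty hex string.
fp_matches() {
    local want got
    want=$(normalize_fp "$1")
    got=$(normalize_fp "$2")
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Print the SHA1 fingerprint line of a PEM certificate (same command as above).
cert_fp() {
    openssl x509 -noout -in "$1" -fingerprint -sha1
}

# Copy a downloaded certificate into place only if its fingerprint matches.
# Arguments: <downloaded cert> <destination path> [expected fingerprint]
install_pinned_cert() {
    local src dest expected actual
    src=$1
    dest=$2
    expected=${3:-$EXPECTED_FP}
    actual=$(cert_fp "$src") || { echo "cannot parse $src" >&2; return 2; }
    if ! fp_matches "$expected" "$actual"; then
        echo "fingerprint mismatch: got $actual" >&2
        return 1
    fi
    cp -- "$src" "$dest"
}

# Typical use (performs a network fetch, so it is left commented out here):
#   tmp=$(mktemp)
#   curl --silent --fail -o "$tmp" https://md.cirrusidentity.com/metadata/metadata-signing.crt \
#     && install_pinned_cert "$tmp" /path/to/metadata-signing.crt
```

The destination path should be the one given in the certificate attribute of the SP's MetadataFilter.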


And then configure your SP to consume the metadata.

<!-- Non-social IdP's managed by Cirrus -->
<!-- Replace _NAME_ with the organization name provided by Cirrus -->
<MetadataProvider type="XML" url="https://md.cirrusidentity.com/metadata/_NAME_/cirrus-metadata-signed.xml"
                  backingFilePath="cirrus-metadata-signed.xml" reloadInterval="14400">
    <MetadataFilter type="Signature" certificate="/path/to/metadata-signing.crt"/>
</MetadataProvider>