External Identity Provider | Using Cirrus External Identity Provider

User Self Service

The Cirrus External Identity Provider uses a user self service interface to allow users to register and reset their passwords. 

Visit the registration interface for your instance (https://tenantId.idp.cirrusidentity.com/cirrusid/) to see the options available.

Self service options include:

  • Account Registration

  • Account Activation

  • Forgot UserId

  • Forgot Password

  • Change Password

  • Change Security Questions

Discovery

In the Cirrus console, the External IdP appears under your custom federation under Federated Identity Providers. The default name for the IdP is "OrganizationName Guest IdP". You can add the IdP to an SP's discovery interface by clicking the check box next to the name and clicking Save.

Service Provider Configuration

Your service provider will need to trust the External IdP. This is achieved by consuming metadata for the External IdP.

First, you'll need the public key used to sign the metadata.

# Retrieve the certificate
$ /usr/bin/curl --silent https://md.cirrusidentity.com/metadata/metadata-signing.crt > ~/Downloads/metadata-signing.crt
# Validate its fingerprint
$ openssl x509 -noout -in ~/Downloads/metadata-signing.crt -fingerprint -sha1

    SHA1 Fingerprint=56:C4:D7:77:8D:9F:C8:03:40:E4:B4:9F:77:67:57:A1:F4:52:91:1D

 

And then configure your SP to consume the metadata.

<!-- Non-social IdPs managed by Cirrus -->
<!-- Replace _NAME_ with the organization name provided by Cirrus -->
<MetadataProvider type="XML" url="https://md.cirrusidentity.com/metadata/_NAME_/cirrus-metadata-signed.xml"
                  backingFilePath="cirrus-metadata-signed.xml" reloadInterval="14400">
    <MetadataFilter type="Signature" certificate="/path/to/metadata-signing.crt"/>
</MetadataProvider>
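
The certificate retrieval and fingerprint check from the steps above can be combined so that the file referenced by the Signature filter is only put in place when its SHA-1 fingerprint matches the value shown on this page. This is an added example, not Cirrus's own tooling; the function names, the `--install` switch and the default destination path are assumptions.

```shell
#!/bin/sh
# Added example: install the metadata signing certificate only if its SHA-1
# fingerprint matches the value published on this page.
CERT_URL="https://md.cirrusidentity.com/metadata/metadata-signing.crt"
EXPECTED_FP="56:C4:D7:77:8D:9F:C8:03:40:E4:B4:9F:77:67:57:A1:F4:52:91:1D"

# Reduce an "openssl x509 -fingerprint" output line (or a bare fingerprint)
# to upper-case hex with no label, colons or whitespace.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \t\r\n' | tr 'a-f' 'A-F'
}

# Return 0 only if the first value is 40 hex digits and equals the second.
fp_matches() {
    got=$(normalize_fp "$1")
    want=$(normalize_fp "$2")
    case "$got" in
        *[!0-9A-F]*|"") return 1 ;;
    esac
    [ "${#got}" -eq 40 ] && [ "$got" = "$want" ]
}

# Download to a temporary file, check the fingerprint, then move into place.
# $1 is the destination path (assumption: the path your MetadataFilter uses).
install_signing_cert() {
    dest=$1
    tmp=$(mktemp) || return 1
    if ! curl --silent --fail --output "$tmp" "$CERT_URL"; then
        rm -f "$tmp"; echo "download failed" >&2; return 1
    fi
    line=$(openssl x509 -noout -in "$tmp" -fingerprint -sha1) || { rm -f "$tmp"; return 1; }
    if fp_matches "$line" "$EXPECTED_FP"; then
        # mktemp creates the file 0600; the SP daemon must be able to read it.
        chmod 0644 "$tmp" && mv "$tmp" "$dest"
    else
        rm -f "$tmp"; echo "fingerprint mismatch: $line" >&2; return 1
    fi
}

# Run the download only when asked to, so the functions can also be sourced.
if [ "${1:-}" = "--install" ]; then
    install_signing_cert "${2:-$HOME/Downloads/metadata-signing.crt}"
fi
```

The label is stripped before comparison because its capitalisation differs between OpenSSL versions, and a failed download or a mismatch leaves any existing certificate at the destination untouched.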