University of Massachusetts, Dartmouth

UMass Dartmouth had the same problem most institutions hit mid-Entra ID migration: the modern infrastructure was in place, but legacy systems were still running alongside it. Shibboleth was handling InCommon federation. CAS was serving PeopleSoft and other campus applications. Neither was going away on its own.

At the same time, the team was rethinking how applicants accessed campus systems. The previous approach provisioned campus credentials at acceptance, before students had confirmed enrollment. That meant stale accounts, inbox clutter, and credentials for people who never showed up. They wanted to change that.

The goals were clear: consolidate on Entra ID as the primary IdP, retire legacy infrastructure cleanly, and build an applicant access path that used Slate credentials instead of provisioning campus accounts too early.

Cirrus Bridge connected UMass Dartmouth's Entra ID to both their SAML federation applications and their CAS-dependent systems. Rather than reconfiguring every application individually, the DNS Add-On made the cutover practical: a single DNS change routed existing Shibboleth and CAS endpoints to Bridge at go-live. Applications required no changes. InCommon registration stayed intact.

For applicants, Cirrus Proxy and the Slate Connector gave incoming students access to StarRez, CampusLogic, and other campus systems using the Slate credentials they already had. No new accounts. No campus provisioning until enrollment was confirmed. And because Slate does not natively support MFA for applicants, Cirrus added One-Time Code MFA, delivering a verification code to the applicant's email address already in Slate. No authenticator app, no help desk calls.

The transition was structured in two tracks running in parallel. The first migrated legacy CAS and SAML service providers to Bridge: mapping Entra ID attributes, registering service providers with Cirrus, and mapping the CAS DNS entry to Cirrus at cutover. The second built the Slate path: aligning Slate CAS attributes with Entra ID attributes, configuring the Proxy and Slate Connector, and coordinating with application vendors to update SSO configurations where needed.

Holger Dippel, CIO at UMass Dartmouth, described the overall experience as straightforward. The main lesson his team would pass on: attribute mapping is where the work is. Slate and Entra ID attributes need to align, and that alignment has to carry through to the service providers. Engaging application stakeholders early, before cutover, made the difference. And testing before the DNS switch gave the team confidence to commit.

• Legacy Shibboleth and CAS infrastructure retired. Entra ID is the institutional IdP, with Slate serving as the IdP for applicants pre-enrollment

• Applicants access housing, financial aid, and orientation tools with Slate credentials, no campus account provisioning required until enrollment is confirmed

• MFA extended to applicants via one-time email code, no authenticator app enrollment needed

• No significant IT support issues related to the Slate Bridge implementation