Description

A multi-tenant, cloud-hosted SAML IdP. The current solution runs on simpleSAMLphp, though that may change over time. The "bridge" can translate OAuth2, OIDC, or CAS to SAML. Ideal for campuses/institutions running GoogleApps or CAS that need a SAML IdP and would prefer not to deploy and maintain one locally.

Fact Finder

Dedra Chamberlin, Cirrus Identity

Example Deployments

  • Cirrus Identity is a GoogleApps business which has a SAML IdP registered in InCommon. We use the Bridge ourselves on a daily basis for access to our SPs which are registered in the InCommon federation.
  • We have conducted a PoC at a Bay Area university to integrate their local CAS and GoogleApps with Service Now in the cloud using our test Cirrus Bridge for authentication. We are currently seeking permission to release more details about this project.

Support for the Recommended Technical Basics for IdPs, including the ability to consume metadata

The Cirrus Bridge supports all but item 4 of the “Endpoints in IdP Metadata” section.

Support for Attribute Release

The Cirrus Bridge integrates with a campus IdMS (CAS, GoogleApps, or local LDAP) to manage attribute release.

Support for Entity Attributes/categories (e.g., R&S)

Cirrus Identity does not own the data being released by the campus. Assuming the campus approves the release of R&S attributes and works with Cirrus on one of the attribute release approaches noted above, there is no technical impediment to the release of R&S attributes.

Support for Multiple Authentication Contexts for Multi-Factor Authentication and Assurance

The Cirrus Bridge will support multiple authentication contexts and can be configured on a per-SP basis, i.e., one SP may require multi-factor authentication, while another may not.

Support for ECP (Enhanced Client or Proxy)

The Cirrus Bridge currently does not support ECP.

Support for User Consent

This feature is not currently implemented, but is on the Cirrus roadmap. We hope to either implement an attribute release manager or leverage an existing tool with our products.

Expertise Required

  • One-time allocation of campus IT staff resource to assist with integrating data with the cloud-hosted Cirrus solution, most likely with expertise in the local attribute store and web SSO solutions.
  • Our recent campus PoC took about 5 hours of local staff time for the first integration (ServiceNow), and about 45 minutes for the second (Google Apps).

Resources Required

This solution is cloud-hosted, so minimal local resource is required. Beyond the one-time integration work, local staff may need to assist from time to time with troubleshooting.

Upkeep and Feeding Required

Minimal (see above) unless core local services are changed and additional integration work needs to be completed.

Applicable Environments

  • Any institution that wishes to benefit from SAML-enabled applications (particularly cloud-hosted ones) but would prefer not to run a SAML IdP locally
  • Particularly well-suited to institutions which already host a credential store and log-in solution, such as CAS and/or Google Apps institutions.

Pros / Benefits

Designed to be a quick, cost-effective, low-maintenance solution for institutions that need a SAML IdP and would prefer not to incur the cost of standing up an IdP and its ongoing maintenance.

Cons / Risks

  • Does not support item 4 of the “Endpoints in IdP Metadata” section, as noted above
  • No ECP support
  • Doesn't yet support user consent for attribute release (though the campus can limit which attributes are released to the Bridge)