The Cirrus SAML Proxy makes it easier to perform SAML integrations. It will help in scenarios such as:
- Service Providers that only support a single Identity Provider and you want to support serveral
- Identity Providers that do not support federation
- Performing additional authentication and authorization checks.
Multi Factor Authentication
A service provider may want to require multi factor authentication from identity providers in its federation but run into an issue where not all identity providers are able to require multi factor for their users or assert that the user authenticated with multi factor. The Cirrus SAML proxy can prompt users for a second factor to ensure that all users, regardless of identity provider, have performed multi factor authentication to reach the service provider.
In an identity federation each Identity Provider has certain scopes that it can use when asserting user attributes to avoid name collisions. For example if two Identity Providers had a user called John they would need a way to distinguish which john is from which IdP. Using scoping the IdPs could assert the identifier as john@orgA.com and john@orgB.com, where orgA and orgB are the domain names for the organizations associated with each IdP.
The Cirrus SAML Proxy supports scopes in several fashions
Exact Scope Checking
The proxy will check that the scope asserted from an Identity Provider matches the allowed scope for the Identity Provider. If an IdP asserts a scope that it is not allowed to the proxy will remove that assertions.
This is enabled by default for these attributes: eduPersonPrincipalName, eduPersonScopedAffilitation
Ends with Scope Checking
In some scenarios a service provider uses email address as its internal identifier. The proxy can perform scope checking on the email address. In some organizations user's email addresses may contain subdomains. For example Example Edu may have a scope of example.edu but email address domains like org.example.edu. If it enabled this feature performs scope checking by ensuring the scope domain ends with the appropriate domain.
Ignore Scope Checking
If your intend to proxy an Identity Provider that does not have a fixed scope you may opt to disable scope checking for that Identity Provider. For example Google provides email for lots of enterprises. If you use the Cirrus Gateway as an IdP AND use email address for eduPersonPrincipalName then the Google gateway may assert a scope for any business that uses Google for email. In such a scenario you'll want to disable scope checking for a specific IdP, and continue checking other IdPs.
This is enabled by default for Cirrus Gateway IdPs that provide email service for multiple domains.
Your use case may require you to re-write the scope of proxied attributes. This feature will have proxy change scoped attributes in one of two ways:
- Change scope: A scoped value of firstname.lastname@example.org will be changed to email@example.com. This is useful if your SAML profile has specified the allowable values for the descoped attribute.
- Change scope and descoped value: A scoped value of firstname.lastname@example.org will be changed to email@example.com. This is useful when you want to preserve the old scope in some fashion during the rewrite.
The new scope is configurable. This feature is disable by default. If enabled it can be applied to specific attributes, or to specific scopes or to a combination of the two.