Cirrus will generate customer specific SAML Metadata for certain services. 


Metadata

Cirrus will publish your metadata bundle at https://md.cirrusidentity.com/metadata/_NAME_/cirrus-metadata-signed.xml where _NAME_ is a customer specific identifier. Cirrus will provide the value to use for _NAME_


The metadata bundle can contains an EntitiesDescriptor element with multiple EntityDescriptor child elements. Not all SAML software can consume a bundle of metadata. If you need individual files, please contact Cirrus support.


Signature Verification

Customer metadata is signed by Cirrus. If your SAML software supports signature verification then you can use the public key to verify the download.


# Retrieve the certificate
$ /usr/bin/curl --silent \
https://md.cirrusidentity.com/metadata/metadata-signing.crt \
> /tmp/metadata-signing.crt
# Validate the certificates fingerprint
$ openssl x509 -noout -in /tmp/metadata-signing.crt  -fingerprint -sha1

    SHA1 Fingerprint=56:C4:D7:77:8D:9F:C8:03:40:E4:B4:9F:77:67:57:A1:F4:52:91:1D



Software Configuration

Shibboleth SP


Add an additional MetadataProvider to your shibboleth2.xml

<!-- Non-social IdP's managed by Cirrus -->
<!-- Replace _NAME_ with the organization name provided by Cirrus, and _YOUR_PATH_ with the path to the Cirrus metadata-signing public key -->
<MetadataProvider type="XML" url="https://md.cirrusidentity.com/metadata/_NAME_/cirrus-metadata-signed.xml"
backingFilePath="cirrus-metadata-signed.xml" reloadInterval="14400">
            <MetadataFilter type="Signature" certificate="/_YOUR_PATH_/metadata-signing.crt"/>
</MetadataProvider>