Objective

Cirrus Identity provides an online Support Center which allows our customers to open and track support tickets and to access protected content in our Knowledge Base. Customers can log in to the Support Center using their local Identity Providers via SAML. 


The Cirrus Identity Support Center requires two attributes to be released from an organization's identity provider:


  1. The user's enterprise email address
  2. The user's eduPersonPrincipalName or EPPN


These attributes are needed so that customer staff can authenticate and successfully use the service. 


Scope Checking of enterprise email address

The email address used to access the Support Center should be your enterprise email address and should either match or end with your organization's domain. The organization's domain is determined from the scope attribute for your Identity Provider in InCommon's metadata. For example, the email "ned.nimbus@athena-institute.net" will work for our Athena Institute, which has the "athena-institute.net" scope/domain. An email with a sub-domain, such as "ned.nimbus@demo.athena-institute.net", will also be accepted.


If Ned's account was configured with the email address "ned.nimbus@athena-institute.fake", the authentication would fail the scope checking.

Guidance

The email and EPPN need to be released to the Cirrus Identity Support Center, which is listed in the InCommon metadata with the entity ID https://support.proxy.cirrusidentity.com/sp


The attributes are passed as SAML assertion values during the authentication exchange between an organization's Identity Provider and Cirrus Identity's Support Center. The attribute specifics are as follows:



| Attribute Friendly Name | SAML2 URN:OID |
|---|---|
| mail | 0.9.2342.19200300.100.1.3 |
| eduPersonPrincipalName | 1.3.6.1.4.1.5923.1.1.1.6 |
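To test a release before logging in, the scope check described above can be approximated locally. The following is an added example, not Cirrus Identity's code: it reads the scope from IdP metadata, picks the mail value by its OID and applies a match-or-subdomain test. The sample XML is constructed, the function names are hypothetical, and the label-boundary rule and the assumption that the assertion signature has already been verified are this example's own.

```python
import xml.etree.ElementTree as ET

MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "shibmd": "urn:mace:shibboleth:metadata:1.0"}

# Constructed sample data (not real InCommon metadata or a real assertion).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" entityID="https://idp.athena-institute.net/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><shibmd:Scope regexp="false">athena-institute.net</shibmd:Scope></md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
ATTRIBUTE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
    <saml:AttributeValue>{mail}</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

def scopes_from_metadata(metadata_xml):
    """Collect the literal (non-regexp) shibmd:Scope values, lower-cased."""
    root = ET.fromstring(metadata_xml)
    return {s.text.strip().lower() for s in root.iterfind(".//shibmd:Scope", NS)
            if s.get("regexp", "false") == "false" and s.text}

def mail_from_statement(statement_xml):
    """Return the single mail value, matched by OID name rather than FriendlyName."""
    root = ET.fromstring(statement_xml)  # assumes the signature was verified upstream
    values = [v.text for a in root.iterfind("saml:Attribute", NS)
              if a.get("Name") == MAIL_OID
              for v in a.iterfind("saml:AttributeValue", NS)]
    return values[0].strip() if len(values) == 1 and values[0] else None

def email_in_scope(email, scopes):
    """True if the email's domain equals a scope or is a sub-domain of one."""
    local, _, domain = (email or "").partition("@")
    if not local or not domain or "@" in domain:
        return False
    domain = domain.lower().rstrip(".")
    # Require a label boundary: "demo.<scope>" matches, "not<scope>" does not.
    return any(domain == s or domain.endswith("." + s) for s in scopes)

def check(mail_value):
    """Run the full check on a constructed assertion carrying mail_value."""
    scopes = scopes_from_metadata(IDP_METADATA)
    statement = ATTRIBUTE_STATEMENT.format(mail=mail_value)
    return email_in_scope(mail_from_statement(statement), scopes)
```

A bare string suffix test would also accept a look-alike domain that merely ends in the scope text, which is why the comparison is anchored on a dot.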

 


The configuration of attribute release will depend on your institution's identity provider. 



You may need to consult your campus identity management team to set up this integration.


History

Approved - 2017-03-14

Updated - 2017-04-12