Using with Proxy
If you are using Cirrus's SAML proxy then you configure the SP to direct all logins to the proxy.
<SSO entityID="https://TENANT.proxy.cirrusidentity.com/idp"> SAML2 SAML1 </SSO>
Using with Gateway and Cirrus discovery
If you are using your SP directly with the gateway and not through a proxy then you may use Cirrus's discovery service with your SP
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://apps.cirrusidentity.com/console/ds/index"> SAML2 SAML1 </SSO>
Shibboleth SP performs scope checking for eduPersonPrincipalName and other scoped attributes. If you are using a Cirrus proxy then scope checking is performed by the proxy and the proxy will pass through scoped attributes from the upstream IdP. If your Shibboleth SP also performs scope checking it may remove these scoped attributes that were asserted from the upstream IdP. You can adjust your shibboleth attribute-policy.xml configuration as shown below.
<afp:AttributeRule attributeID="eppn"> <!-- Disabling default scope check because proxy may assert eppns from multiple upstream IdPs --> <!-- <afp:PermitValueRuleReference ref="ScopingRules"/> --> <afp:PermitValueRule xsi:type="ANY"/> </afp:AttributeRule>