Standard Configuration

In most scenarios your SP will send users to the Cirrus Proxy to authenticate. The Cirrus Proxy will show a discovery interface to users. The user will select an IdP and the proxy will send the user to that IdP to authenticate.

The IdP will respond to the proxy. The proxy will then perform any configured business logic and respond to your SP.


The most common way to configure a Shibboleth SP with a proxy can be found here.


The discovery UI and IdPs shown by the Cirrus Proxy can be configured in the console.


Bypass Proxy Discovery

In some situations your SP may already know the upstream IdP that the proxy should use and you want the user to bypass the discovery normally performed by the proxy. This can be achieved by sending a carefully constructed request to the proxy that contains the following information:

  1. The SP Entity ID
  2. Relay State for the SP. This is often the path on the SP that the user should end up on after authenticating
  3. The upstream IdP EntityID


URL encode these parameters and use them as query parameters to the SingleSignOnService HTTP-Redirect binding URL for the proxy. You'll have a URL of the format $bindingUrl?spentityid=$SPEntityID&RelayState=$RelayState&IDPList=$IdpEntityID


Sending a user to the below example will tell a Cirrus proxy to use Google as the upstream IdP and return the user to a Cirrus test SP that will display some attributes.

https://support.proxy.cirrusidentity.com/saml2/idp/SSOService.php?spentityid=https%3A%2F%2Fstandard.monitor.cirrusidentity.com&RelayState=%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dmonitor-standard&IDPList=https%3A%2F%2Fgoogle.cirrusidentity.com%2Fgateway


Perform Discovery before AuthNRequest

In the standard flow the SP sends the user/browser to the proxy first (using a SAML AuthNRequest) and then discovery is performed. In some cases you may want to perform discovery first and send the user to the proxy second AND bypass discovery on the proxy. This can be achieved by constructing two URLs with the necessary parameters: the discovery return URL and the discovery URL.


Discovery Return Url

The discovery return url is similar to the 'Bypass Proxy Discovery' url. It initiates the login after discovery has been performed. It will get used when constructing the discovery url. You'll need the following information:

  1. The SP Entity ID
  2. Relay State for the SP. This is often the path on the SP that the user should end up on after authenticating


URL encode these parameters and use them as query parameters to the SingleSignOnService HTTP-Redirect binding URL for the proxy. You'll have a URL of the format $bindingUrl?spentityid=$SPEntityID&RelayState=$RelayState  

Example: https://support.proxy.cirrusidentity.com/saml2/idp/SSOService.php?spentityid=https%3A%2F%2Fstandard.monitor.cirrusidentity.com&RelayState=%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Dmonitor-standard


Discovery Url

The discovery url will load Cirrus's Discovery interface. Users can be sent here to pick an IdP and initiate a login. You'll need to know the following information:

  1. The Proxy's SP entityId
  2. The return URL from above


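URL encode these parameters and use them as query parameters to the discovery url. Because the return URL already contains URL-encoded parameters, its contents end up encoded twice (for example %3A becomes %253A). You'll have a URL of the format https://apps.cirrusidentity.com/console/ds/index?returnIDParam=IDPList&entityID=$proxySpEntityId&return=$returnUrlEncoded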


Sending a user to (or iframing) this example discovery url will allow you to initiate discovery from your SP and have the response processed by the Proxy.

https://apps.cirrusidentity.com/console/ds/index?returnIDParam=IDPList&entityID=https%3A%2F%2Fsupport.proxy.cirrusidentity.com%2Fsp&return=https%3A%2F%2Fsupport.proxy.cirrusidentity.com%2Fsaml2%2Fidp%2FSSOService.php%3Fspentityid%3Dhttps%253A%252F%252Fstandard.monitor.cirrusidentity.com%26RelayState%3D%252Fmodule.php%252Fcore%252Fauthenticate.php%253Fas%253Dmonitor-standard
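The following Python sketch builds the bypass URL, the discovery return URL and the discovery URL from the values in the examples above, so the two encoding layers are explicit. It is an added example, not Cirrus code: the function names are hypothetical, and simulate_discovery_response assumes the discovery service answers by appending the returnIDParam to the decoded return URL.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Endpoints and entity IDs copied from the example URLs on this page.
PROXY_SSO = "https://support.proxy.cirrusidentity.com/saml2/idp/SSOService.php"
PROXY_SP_ENTITY_ID = "https://support.proxy.cirrusidentity.com/sp"
DISCOVERY = "https://apps.cirrusidentity.com/console/ds/index"
SP_ENTITY_ID = "https://standard.monitor.cirrusidentity.com"
RELAY_STATE = "/module.php/core/authenticate.php?as=monitor-standard"
GOOGLE_IDP = "https://google.cirrusidentity.com/gateway"


def _query(params):
    # safe="" also percent-encodes ":" and "/", matching the page's examples.
    return urlencode(params, quote_via=quote, safe="")


def return_url(sp_entity_id, relay_state):
    """Discovery return URL: SSO endpoint plus SP entity ID and RelayState."""
    return PROXY_SSO + "?" + _query(
        {"spentityid": sp_entity_id, "RelayState": relay_state})


def bypass_url(sp_entity_id, relay_state, idp_entity_id):
    """Bypass URL: the return URL with the upstream IdP pinned via IDPList."""
    return return_url(sp_entity_id, relay_state) + "&" + _query(
        {"IDPList": idp_entity_id})


def discovery_url(sp_entity_id, relay_state):
    """Discovery URL: the whole return URL is encoded again as one value."""
    return DISCOVERY + "?" + _query({
        "returnIDParam": "IDPList",
        "entityID": PROXY_SP_ENTITY_ID,
        "return": return_url(sp_entity_id, relay_state),
    })


def simulate_discovery_response(disc_url, chosen_idp):
    """Hypothetical stand-in for the discovery service's redirect (assumption)."""
    q = parse_qs(urlsplit(disc_url).query)  # undoes exactly one encoding layer
    ret, id_param = q["return"][0], q["returnIDParam"][0]
    sep = "&" if urlsplit(ret).query else "?"
    return ret + sep + _query({id_param: chosen_idp})


if __name__ == "__main__":
    d = discovery_url(SP_ENTITY_ID, RELAY_STATE)
    print(d)
    print(simulate_discovery_response(d, GOOGLE_IDP))
```

Under that assumption, the URL the browser is sent to after discovery is identical to the 'Bypass Proxy Discovery' URL for the same IdP, which is a quick way to check that the return URL was encoded exactly once more and not zero or two extra times.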


Configure my own Discovery Service for Proxy

The Proxy uses the Cirrus Discovery Service to perform discovery. If you have a Discovery Service that is compatible with the OASIS IdP Discovery Service Protocol and Profile and want to use that with the Cirrus Proxy then contact support@cirrusidentity.com to have this enabled for your proxy.


Standard Flow with Custom Discovery for SP

In the standard flow the proxy displays the same discovery interface for all SPs making use of the proxy. If you want to customize the discovery interface shown by the proxy based on the SP using the proxy then contact support@cirrusidentity.com to discuss your options.