A growing number of colleges and universities are looking for cloud-hosted solutions to improve efficiency and reduce infrastructure/support costs while empowering researchers and enabling secure research access.
As higher education budgets tighten and the frequency and sophistication of cybersecurity threats increase, institutions are looking to maximize their investment in identity and access management (IAM) solutions. At the same time, the National Institutes of Health (NIH) and other research-based organizations are evolving and tightening their security requirements.[1] To reduce security risks, more easily meet new standards, and help lower IT infrastructure and personnel costs, many higher education institutions have invested in single sign-on (SSO) solutions like Microsoft Azure AD combined with tools like the Cirrus Identity Bridge to address specific higher education SSO challenges.
"Pomona College was seeking managed services to eliminate two on-prem services: Shibboleth and CAS. We heard about the Cirrus Bridge and found it was the perfect solution to simplify our IAM environment and leverage Azure AD for SSO," says Andrew Crawford, director of information systems at Pomona College.
"Cirrus is guiding us through the configuration of the SAML Bridge for federation and CAS Bridge within the Azure AD portal. It's really straightforward, and Cirrus has been responsive to our questions," reports Chimwemwe Jere, system administrator at Pomona College.
In higher education, SSO leverages multilateral federation, an authentication framework that facilitates trusted access for institutions that are members in federations like InCommon in the United States and eduGAIN worldwide. Federated access makes it easier for institutions to collaborate and share research and other academic resources safely and securely.[2] To support multilateral federation and SSO, many higher education institutions use open-source projects such as Shibboleth, SimpleSAMLphp, or Apereo CAS.
"Cirrus has been a service provider to EDUCAUSE for over two years now helping us evolve to a more reliable and user-friendly SSO solution. We quickly integrated the Cirrus Federation Adapter SAML Bridge with Azure AD and are successfully using other Cirrus products. The Cirrus team is highly responsive, assisting us with multiple SSO application integrations in a timely way. We are delighted with our partnership," says Mairéad Martin, vice president and CIO at EDUCAUSE.
Increasingly, colleges and universities are looking for cloud-hosted solutions to improve efficiency and reduce infrastructure, development, and support costs. Many campuses have significant existing integration with Microsoft Active Directory and are positioning Azure AD as a central component to their future IAM strategy. While Microsoft Azure AD does not natively support multilateral federation access or CAS authentication, the addition of the Cirrus SAML Bridge and/or CAS Bridge fills these gaps to meet IAM needs and reduce security risks.
"For most educational institutions, a one-size-fits-all solution is not viable," says Dedra Chamberlin, CEO and founder of Cirrus Identity. "We provide a lot of tools that help fill gaps in higher ed IAM architectures, such as supporting multilateral federation participation. Federations like InCommon and other eduGAIN members provide a trust framework that allows an application to integrate with hundreds of institutional identity providers at once, without a painstaking and time-consuming process to set up each institution independently."
The Cirrus SAML Bridge is a federation adapter that makes it easy for users to access services that are developed for higher education institutions and are made available through their national federation.
"The American University of Sharjah (AUS) was modernizing its IAM architecture to better leverage Azure AD for single sign-on. Moving to the Cirrus SAML Bridge allowed us to simplify our environment and provide the multilateral federation required by InCommon," says Rabih Tayyem, senior systems architect at the American University of Sharjah. "Through InCommon, AUS provides students and researchers access to many essential services: iModules alumni management software, EZproxy library services, ORCID for connecting a researcher's identity with professional information, and others. Cirrus is the place to go to fill the gaps in other identity products for higher education use cases!"
The Cirrus Identity Bridge complies with the Research and Education Federations (REFEDS) specifications for the Research and Scholarship Entity Category and the REFEDS Multifactor Authentication Context, both upcoming requirements for login to National Institutes of Health (NIH) research applications. Cirrus currently supports the InCommon Baseline v2 Expectations and will support the new REFEDS Assurance Framework v1 as finalized.
The Cirrus CAS Bridge translates SAML to CAS so that CAS-enabled applications can authenticate against Azure AD. Configuration is simple and minimal and handled in the Azure AD portal. Because users see the Azure AD login screen that they are accustomed to using, no additional training is required.
After the Cirrus SAML Bridge was implemented for faculty to access Compilatio, a plagiarism-identification software provided through the Canadian Access Federation (CAF), Cégep de Trois-Rivières administrators were able to quickly configure MFA and new conditional access in Azure AD. This was used to enforce a requirement that all users must be in Canada to log in. The requirement was easily implemented since all service providers are behind the Cirrus Bridge and managed through Azure AD. "We didn't have the time to implement Shibboleth and were happy not to. Good possibilities without the hassle. We can react to new security requirements: easy, fast, and compliant," says Billy Angers, chargé de projet TI at Cégep de Trois-Rivières.
The Microsoft Azure AD Application Gallery helps customers easily discover and deploy identity solutions from trusted partners. The Cirrus SAML Bridge and Cirrus CAS Bridge will soon be available in the Microsoft Azure AD App Gallery. To learn more about how these tools can streamline access for your institution with Azure AD, request a demo from Cirrus Identity.
1. InCommon, "Updates on NIH Identity Requirements and Plans," IAM Online, April 15, 2021.
2. Cirrus Learning Center Team, "Multilateral Federations and Azure AD," The Cirrus Identity Blog (blog), Cirrus Identity (website), November 20, 2020; 7 Things You Should Know About Federated Identity, research report (Boulder, CO: EDUCAUSE Research, January 2019).
Corey Lee is a Zero Trust Architect at Microsoft.
© 2021 Microsoft.