Use VALIDATE AUTHENTICATION to check that you can log in to Cirro using a specified authentication provider.





  • name - user-defined name for the authentication provider.


ldap options

| Argument | Description | MANDATORY | SECRET |
|---|---|---|---|
| LDAP_SERVER | LDAP server address | true | false |
| SEARCH_BASE | Search base used to find relevant users | true | false |
| SEARCH_FILTER | An LDAP expression which matches users. %USERNAME% will be replaced with the name of the user being searched for. The default expression is: | false | false |
| AUTH_DN | Search user’s distinguished name (DN) | true | false |
| AUTH_PASSWORD | Search user’s password | true | true |

azure options

| Argument | Description | MANDATORY | SECRET |
|---|---|---|---|
| AZURE_AD_AUTHORITY | The URL used to authenticate the Azure tenant. This defaults to but for multi-tenant sites the word ‘common’ must be replaced with the site’s tenant id. | true | false |
| AZURE_AD_CLIENT_ID | The id of the Azure Application associated with Azure Cirro users. | true | false |
| AZURE_AD_RESOURCE | Azure resource ID. The Microsoft Graph resource id used to specify users. This defaults to 00000003-0000-0000-c000-000000000000 and usually does not need to be changed. | true | false |
| AZURE_AD_MODE | Authentication mode - password only (password) or email-based MFA (mfa) | true | false |
| AZURE_AD_USERNAME | Azure master user | false | false |
| AZURE_AD_PASSWORD | Azure master user password | false | true |
| AZURE_AD_EMAIL_DOMAIN | When sending MFA emails, optionally override the user’s email domain with this domain. | false | false |
| AZURE_AD_REDIRECT_SERVICE | GET-to-POST redirect service URL. An optional redirect service that converts HTTP GETs into HTTP POSTs. The default value is for a Cirro customer service at | false | false |

duo options

| Argument | Description | MANDATORY | SECRET |
|---|---|---|---|
| INTEGRATION_KEY | The integration key for your DUO host | true | true |
| API_HOSTNAME | DUO API hostname | true | true |
| SECRET_KEY | DUO secret key | true | true |

okta options

| Argument | Description | MANDATORY | SECRET |
|---|---|---|---|
| URL | Okta service URL - | true | false |
| API_KEY | The API key for your Okta site. | true | true |
| APP_ID | An optional Okta application ID. If set, then the Okta authentication rules for that application will be followed. If not set, then the default site rules will be followed. | false | false |


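pingid options

| Argument | Description | MANDATORY | SECRET |
|---|---|---|---|
| ORG_ALIAS | PingID property - org_alias | true | false |
| TOKEN | PingID property - token | true | true |
| USE_BASE64_KEY | PingID property - use_base64_key | true | true |
| URL | PingID property - idp_url (if not | false | false |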


saaspass options

| Argument | Description | MANDATORY | SECRET |
|---|---|---|---|
| DOMAIN | SaasPass Domain | false | false |
| API_KEY | SaasPass API key | true | false |
| API_PASSWORD | SaasPass API password | true | true |

Unloq options

| Argument | Description | MANDATORY | SECRET |
|---|---|---|---|
| EMAIL_DOMAIN | Your unloq email domain | true | false |
| SECRET_KEY | Your unloq secret key value | true | true |

MFA Options

These options apply to all Multifactor Authentication providers: duo, pingid, saaspass and unloq.

| Argument | Description |
|---|---|
| AUTHENTICATION_TIMEOUT | For MFA providers, the time in seconds between logging in and acknowledging the MFA request |
| CACHE_AUTHENTICATION_TIMEOUT | For MFA providers, the time in seconds that subsequent logins on the same device must occur within before another MFA request is made |

Directory Service Options

These options apply only to Directory Service providers: azure, ldap and okta.

| Argument | Description |
|---|---|
| USERNAME_PATTERN | A regular expression applied to usernames. Usernames that match this expression will be authenticated by this provider. This can be used for providers in an Authentication Chain to prevent unnecessary authentication checks. |
| SYNCHRONIZE_USERS | For Directory providers, synchronize all users in the remote directory and make them ‘virtual’ Cirro users. These users will still be authenticated remotely, but can have roles and privileges applied directly within Cirro. Currently, only the LDAP provider supports synchronization. |
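
A pre-deployment check for USERNAME_PATTERN values in an Authentication Chain, added here as an example (it is not Cirro code). The page does not say whether a pattern must cover the whole username or may match any part of it, so the sketch evaluates both readings and reports usernames whose routing differs; the provider names, patterns and usernames are constructed, and Python's `re` module stands in for whatever regex engine Cirro uses.

```python
import re

# Constructed chain of (provider name, USERNAME_PATTERN) pairs.
# Names and patterns are illustrative, not from a real Cirro configuration.
CHAIN = [
    ("corp_ldap", r"[a-z]+\.[a-z]+"),                 # unanchored
    ("partner_azure", r".+@partner\.example\.com"),   # unanchored
    ("okta_contractors", r"^c-[0-9]{4}$"),            # anchored
]

# Constructed sample usernames.
SAMPLES = ["jane.doe", "bob@partner.example.com", "c-1234",
           "jane.doe@partner.example.com", "xc-12345", "admin"]


def route(username, chain=CHAIN, whole=True):
    """Return the providers whose pattern accepts the username.

    whole=True  : the pattern must cover the entire username (fullmatch).
    whole=False : the pattern may match anywhere in it (search).
    """
    accepted = []
    for name, pattern in chain:
        rx = re.compile(pattern)
        hit = rx.fullmatch(username) if whole else rx.search(username)
        if hit:
            accepted.append(name)
    return accepted


def ambiguous(usernames, chain=CHAIN):
    """Map each username whose routing depends on the matching semantics
    to both results. Any entry here points at a pattern that should be
    anchored with ^ and $ so credentials only reach the intended provider."""
    report = {}
    for user in usernames:
        strict = route(user, chain, whole=True)
        loose = route(user, chain, whole=False)
        if strict != loose:
            report[user] = {"fullmatch": strict, "search": loose}
    return report


if __name__ == "__main__":
    for user, result in ambiguous(SAMPLES).items():
        print(user, result)
```

With the constructed chain, the two partner addresses are flagged because the unanchored corp_ldap pattern also matches the `partner.example` substring under search semantics.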