Inhaltsverzeichnis

Discovery

Discovery?

A Discovery Service is the software that lets users choose their home organization. It redirects them to their identity Provider.

A Discovery Service is also known as “WAYF” - “Where are you from?”. It establishes the connection between a Service Provider and an Identity Provider via a browser-based selection of the home organization.

There are three ways Discovery can be realized:

DFN's central Discovery Services

We run public Discovery Services that can be used by SP operators. These Discovery Services fetch information about available IdPs from the current metadata for DFN-AAI, DFN-AAI-Test, and eduGAIN.

Embedded Discovery Service

An Embedded Discovery Service (EDS) is run locally on the SP. It also relies on federation metadata to get an up-to-date list of the available IdPs.

In many cases, an EDS is more user-friendly than redirection to a central Discovery Service:

Shibboleth SP comes with a Discovery Service: Shibboleth EDS. The configuration is described on the Shibboleth SP page (in German). For background information please consult the Shibboleth Wiki.

WAYFless URLs

With WAYFless URLs, a Service Provider triggers an Authentication Request with a specific Identity Provider. In this case, only users of that one home organization can access the service.

The configuration of WAYFless URLs often is SP-specific. It depends on the implementation of login on the SP if WAYFless URLs can be used and what they look like. Here are some best practice links:

Some SP operators have documented the generation of WAYFless URLs for their platform:

Configuration on a Shibboleth SP

On a Shibboleth SP a WAYFless URL has the format. <RESOURCE-LOCATION> is the protected URL.

https://<FQDN_SP_HOST>/Shibboleth.sso/Login?entityID=<ENTITYID_IDP>&target=<RESOURCE-LOCATION>

Configuration on a SimpleSAMLphp SP

With SimpleSAMLphp a WAYFless URL looks like this by default. <AUTH_ID> is the name resp. the ID of the authentication source (type: saml:SP), in general default-sp.

https://<FQDN_SP_HOST>/simplesaml/module.php/core/as_login.php?AuthId=<AUTH_ID>&ReturnTo=<RESOURCE-LOCATION>&saml:idp=<ENTITYID_IDP>