Differences

This shows you the differences between two versions of the page.

en:discovery [2021/03/04 09:33] – created Silke Meyer
en:discovery [2024/02/13 09:23] (current) – [WAYFless URLs] Wolfgang Pempe
Line 10: Line 10:
   * An SP is configured to redirect to a central public Discovery Service, e.g. one that is run by a federation operator.   * An SP is configured to redirect to a central public Discovery Service, e.g. one that is run by a federation operator.
   * An SP runs an Embedded Discovery Service itself.   * An SP runs an Embedded Discovery Service itself.
-  * An SP is configured to redirect to one static Identity Provider (no Discovery Service in the proper sense).+  * An SP is configured to redirect to one static Identity Provider (no Discovery Service in the proper sense, a.k.a "WAYFless URL").
  
 ===== DFN's central Discovery Services ===== ===== DFN's central Discovery Services =====
  
-We run public Discovery Services that can be used by SP operators. These Discovery Services fetch information about available IdPs from the current metadata for DFN-AAI (Advanced), DFN-AAI-Basic, DFN-AAI-Test, and eduGAIN. +We run public Discovery Services that can be used by SP operators. These Discovery Services fetch information about available IdPs from the current metadata for DFN-AAI, DFN-AAI-Test, and eduGAIN. 
  
   * For Shibboleth SPs, the integration is documented on the page about [[en:production#discovery_service|Production]].   * For Shibboleth SPs, the integration is documented on the page about [[en:production#discovery_service|Production]].
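Review bot: In the rewritten third bullet, `a.k.a "WAYFless URL"` drops the final period of the abbreviation and uses the term before the page has introduced it; write "also known as a WAYFless URL" and link it to the WAYFless URLs section further down. The changed paragraph under "DFN's central Discovery Services" also removes DFN-AAI-Basic and the "(Advanced)" qualifier from the metadata list with no explanation in the text, so readers who still know those names cannot tell whether the sources were merged or dropped; one short sentence would settle that.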
Line 31: Line 31:
 ===== WAYFless URLs ===== ===== WAYFless URLs =====
  
-Die harte Verdrahtung des SP mit einem bestimmten ist streng genommen kein IdP-Feature, sie fällt aber trotzdem häufig in den Zuständigkeitsbereich von IdP-Admin*s. Bei WAYFless URLs wird vom SP aus direkt ein Authentication Request bei einem bestimmten IdP ausgelöst.+With WAYFless URLs, a Service Provider triggers an Authentication Request with a specific Identity Provider. In this case, only users of that one home organization can access the service.
  
-Die Konfiguration von WAYFless URLs ist häufig SP-spezifischOb WAYFless URLs für einen Anbieter möglich sind und wie diese URLs aussehen, hängt davon ab, wie der Anbieter den föderierten Loginprozess implementiert hat. Uns sind folgende Best Practice-Empfehlungen bekannt: +The configuration of WAYFless URLs often is SP-specificIt depends on the implementation of login on the SP if WAYFless URLs can be used and what they look likeHere are some best practice links:
-  * [[https://www.ukfederation.org.uk/library/uploads/Documents/WAYFlessGuidance.pdf|Best Practice: WAYFless Access to Resources - Configuring on a Service and Using in a Portal]]Dort wird das Thema sehr ausführlich behandelt. +
-  * [[https://spaces.internet2.edu/display/inclibrary/Best+Practices|Best Practice-Empfehlungen der US-Föderation InCommon]]+
  
-Einige Anbieter haben dokumentiert, wie WAYFless URLs für ihre Plattform erzeugt werden können: +  * [[https://www.ukfederation.org.uk/library/uploads/Documents/WAYFlessGuidance.pdf|Best PracticeWAYFless Access to Resources Configuring on Service and Using in a Portal]] (very detailed) 
-  * [[https://www.conf.dfn.de/beschreibung-des-dienstes/aai-freischaltung/|DFNconf und DFN-Webconf]] +  * [[https://spaces.internet2.edu/display/inclibrary/Best+Practices|Best Practice recommendations of the US federation InCommon]] (Best Practice #2)
-  * [[https://www.elsevier.com/solutions/sciencedirect/support/federated-authentication-through-saml|Elsevier für ScienceDirect]] +
-  * [[https://springeronlineservice.freshdesk.com/support/solutions/articles/6000085989-what-is-a-wayfless-url-|Springer Online]] +
-  * [[https://www.ukfederation.org.uk/content/Documents/AvailableServices|Liste von Anbietern in der UK-Föderation]], anwendbar auch für die DFN-AAI da die URL-Konfiguration föderationsunabhängig ist+
  
-==== Konfiguration am Shibboleth SP ==== +Some SP operators have documented the generation of WAYFless URLs for their platform: 
-Bei einem Shibboleth SP hat ein WAYFless URL in der Regel die Form:+  * [[https://www.conf.dfn.de/anleitungen-und-dokumentation/dfnconf-portal/aai-freischaltung|DFNconf and DFN-Webconf]] (in German) 
 +  * [[https://service.elsevier.com/app/answers/detail/a_id/28537/supporthub/elsevieraccess/|Elsevier]] 
 +  * [[https://idp.nature.com/help/sso#wayfless|Springer Nature]] 
 +  * [[https://www.ukfederation.org.uk/content/Documents/AvailableServices|List of Service Providers in the UK federation]], also applicable for DFN-AAI as URL configuration does not depend on the federation
  
-  https://<FQDN_SP_HOST>/Shibboleth.sso/Login?entityID=<ENTITYID_IDP>&target=<RESOURCE-LOCATION> +==== Configuration on a Shibboleth SP ==== 
- +On a Shibboleth SP a WAYFless URL has the format. ''<RESOURCE-LOCATION>'' is the protected URL.<code bash>https://<FQDN_SP_HOST>/Shibboleth.sso/Login?entityID=<ENTITYID_IDP>&target=<RESOURCE-LOCATION></code
-wobei ''<RESOURCE-LOCATION>'' der vom SP geschützte URL ist. +     
- +==== Configuration on a SimpleSAMLphp SP ==== 
-==== Konfiguration in SimpleSAMLphp ==== +With SimpleSAMLphp a WAYFless URL looks like this by default. ''<AUTH_ID>'' is the name resp. the ID of the authentication source (type''saml:SP''), in general ''default-sp''.<code bash>https://<FQDN_SP_HOST>/simplesaml/module.php/core/as_login.php?AuthId=<AUTH_ID>&ReturnTo=<RESOURCE-LOCATION>&saml:idp=<ENTITYID_IDP></code>
-Bei simpleSAMLphp sieht ein solcher URL standardmäßig wie folgt aus: +
- +
-  https://<FQDN_SP_HOST>/simplesaml/module.php/core/as_login.php?AuthId=<AUTH_ID>&ReturnTo=<RESOURCE-LOCATION>&saml:idp=<ENTITYID_IDP> +
- +
-wobei ''<AUTH_ID>'' der Name bzw. die ID der betreffenden Authentication Source (Typ: ''saml:SP'') ist, üblicherweise ''default-sp''.+
  
 {{tag>wayf discovery eds}} {{tag>wayf discovery eds}}
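Review bot: Both URL templates at the end of this hunk place `<ENTITYID_IDP>` and `<RESOURCE-LOCATION>` directly into query parameters (`entityID`, `target`, `ReturnTo`, `saml:idp`) without saying that the values must be percent-encoded; these values are normally URLs themselves, so an unencoded `&` or `?` in the resource location would be parsed as part of the login URL instead of the return target. Add one sentence stating the encoding requirement for each template. The sentence "On a Shibboleth SP a WAYFless URL has the format." ends before the format is shown, and the placeholder explanation now precedes the template; put the template first and the explanation after it, as the removed German text did. The blocks are tagged `<code bash>` although they contain URLs, not shell commands, so plain `<code>` fits better, and the first block's closing tag appears as `</code` without its `>`.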
  • Last modified: 3 years ago