====== WAYF/DS for Service Providers ======

If the service is **in an internal federation** (e.g. //CESNET-int//) that contains only a single IdP, **there is no point in using WAYF**. In that case **configure authentication directly against that one IdP** and do not use WAYF at all: the script that checks the ''return'' parameter does not download the metadata of internal federations, so the check always ends with an error.

See also the page with [[:en:tech:wayf|general information]] about the eduID.cz WAYF/DS.

===== Identity Providers Available for Login =====

Without any configuration, WAYF shows all the IdPs available in the federation the SP belongs to. The list of IdPs to be shown can be restricted with one of two parameters: either the //filter// parameter or the //efilter// parameter.

==== filter ====

The //filter// parameter is __a direct filter__: the list of IdPs to show is passed as the value of the //filter// parameter itself. The value is a base64-encoded JSON document; the example below decodes to ''{"allowHostel": true, "allowHostelReg": false}''.

Example of a direct filter:

  filter=eyAgImFsbG93SG9zdGVsIjogdHJ1ZSwgImFsbG93SG9zdGVsUmVnIjogZmFsc2V9

==== efilter ====

The //efilter// parameter is __an external filter__: the list of IdPs to show is stored in a file at the URL given as the value of the //efilter// parameter.

Example of an external filter:

  efilter=www.example.com/filter

Content of ''www.example.com/filter'':

  eyAgImFsbG93SG9zdGVsIjogdHJ1ZSwgImFsbG93SG9zdGVsUmVnIjogZmFsc2V9

The //efilter// approach is the solution for HTTP servers that limit the length of HTTP GET parameters, such as PHP with the Suhosin extension, which allows at most 255 characters per parameter.

==== Filter generator ====

A filter generator is available at https://ds.eduid.cz/filter.php.

=== All IdPs in a federation ===

To make WAYF display all the IdPs in a particular federation, select the checkbox next to the corresponding federation name. More than one federation can be selected at once.

=== Filtering by entity categories ===

The list of IdPs can be filtered by entity categories.
Move an entity category from the gray box into the green box or the red box. The green box is the positive filter: an IdP is listed only if it has all of the entity categories in the green box and none of the entity categories in the red box.

=== Individual IdPs ===

You can create a whitelist or a blacklist of IdPs per federation. It is even possible to have such a whitelist or blacklist for only some selected federations.

===== Setup =====

WAYF supports sites where login is required as well as sites where login is optional (lazy sessions). The following examples require either Shibboleth SP 2.5+ or SimpleSAMLphp 1.14+.

==== Login Required ====

In the following configuration, the user is redirected to WAYF before the requested web page is displayed, in order to select the home organization and log in. Alter the ''<SSO>'' element in the ''shibboleth2.xml'' configuration file accordingly (the ''discoveryURL'' points at the eduID.cz WAYF/DS):

<code xml>
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://ds.eduid.cz/wayf.php">
  SAML2 SAML1
</SSO>
</code>

==== Login Optional (Lazy Sessions) ====

First, the ''<SSO>'' element in the ''shibboleth2.xml'' configuration file has to be set as in the previous section.

Second, the protected content has to be configured so that a session is not required (a lazy session): the Shibboleth SP then serves the page to anonymous users and authentication is started only when the user follows a login link. The session initiator URL is ''/Shibboleth.sso/Login'' by default, so the login link in a web page might look like the following:

<code html>
<a href="/Shibboleth.sso/Login">Log in</a>
</code>

For SimpleSAMLphp, the WAYF configuration is set in the ''authsources.php'' configuration file. Example of ''authsources.php'':

<code php>
<?php
$config = array(
    'default-sp' => array(
        'saml:SP',
        'entityID'   => 'https://sp.example.com/simplesaml/',
        'idp'        => NULL,                              // no fixed IdP: use discovery
        'discoURL'   => 'https://ds.eduid.cz/wayf.php',    // eduID.cz WAYF/DS
        'privatekey' => 'example.key',
    ),
);
</code>

And the login link in the web page might look like the following:

<code html>
<a href="https://sp.example.com/simplesaml/module.php/core/as_login.php?AuthId=default-sp&ReturnTo=https://sp.example.com/">Log in</a>
</code>

===== Return parameter check =====

**DO NOT USE WAYF FOR INTERNAL FEDERATIONS WITH ONE IDP!** For internal federations (e.g. CESNET-int), the metadata needed for checking the ''return'' parameter is not processed, so the check always ends with an error.

For security reasons, WAYF checks the value of the ''return'' parameter. It is the URL to which the user's browser is redirected, carrying the selected IdP, after the user chooses an IdP.
The parameter value must match the discovery response endpoint registered for that SP in the federation metadata; without this check the ''return'' parameter could be abused as an open redirect. If the values differ, WAYF displays an error message and does not allow the user to continue logging in.
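The following Python script is an added example, not code from eduID.cz or from the WAYF itself. It models the two WAYF-side input checks described on this page: the ''return'' URL is accepted only if it matches a ''DiscoveryResponse'' endpoint registered for the SP in the loaded metadata, and an SP that is absent from the loaded metadata (the internal-federation case) is rejected outright; it also shows that the ''filter'' value is base64-encoded JSON by decoding the value quoted above. The metadata document, the SP entity ID and the endpoint location are constructed for the example, and the exact comparison rule used by the real WAYF is an assumption (here scheme, host and path must be equal, only the query string may differ).

```python
"""Added example (not eduID.cz WAYF code): a minimal model of the WAYF-side
input checks described on this page.

The metadata document, the SP entity ID and the endpoint below are constructed
for the example.  How the real WAYF compares the URLs is an assumption: here the
scheme, host and path must equal a registered endpoint, only the query may differ.
"""
import base64
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DISCO_NS = "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"

# Constructed federation metadata with one SP that registers one
# DiscoveryResponse endpoint (hypothetical entity ID and location).
FEDERATION_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol">
  <md:EntityDescriptor entityID="https://sp.example.com/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <idpdisc:DiscoveryResponse
            Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
            Location="https://sp.example.com/Shibboleth.sso/Login" index="1"/>
      </md:Extensions>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

# The direct filter value quoted on this page.
PAGE_FILTER = "eyAgImFsbG93SG9zdGVsIjogdHJ1ZSwgImFsbG93SG9zdGVsUmVnIjogZmFsc2V9"


def discovery_endpoints(metadata_xml, entity_id):
    """Return the DiscoveryResponse Locations registered for entity_id.

    Returns None when the entity is not in the loaded metadata at all, which
    is the situation for an SP in an internal federation whose metadata the
    return-check script never downloads."""
    root = ET.fromstring(metadata_xml)
    for ed in root.iter("{%s}EntityDescriptor" % MD_NS):
        if ed.get("entityID") == entity_id:
            return [dr.get("Location")
                    for dr in ed.iter("{%s}DiscoveryResponse" % DISCO_NS)]
    return None


def check_return(metadata_xml, entity_id, return_url):
    """Decide whether WAYF may redirect the browser to return_url.

    Scheme, host and path must equal a registered endpoint; the query string
    is free because the SP carries its own state (e.g. target=) there.  A
    userinfo trick such as https://sp.example.com@evil.example/... fails
    because urlsplit keeps the whole authority in netloc."""
    endpoints = discovery_endpoints(metadata_xml, entity_id)
    if endpoints is None:
        return False, "SP not found in loaded metadata (internal federation?)"
    if not endpoints:
        return False, "SP metadata registers no DiscoveryResponse endpoint"
    r = urlsplit(return_url)
    for location in endpoints:
        e = urlsplit(location)
        if (r.scheme.lower(), r.netloc.lower(), r.path) == \
           (e.scheme.lower(), e.netloc.lower(), e.path):
            return True, "ok"
    return False, "return does not match any DiscoveryResponse endpoint"


def decode_filter(value):
    """A direct 'filter' value is base64 over a JSON document."""
    return json.loads(base64.b64decode(value).decode("utf-8"))


def encode_filter(doc):
    """Build a 'filter' value from a JSON-serialisable document."""
    raw = json.dumps(doc, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def needs_efilter(value, limit=255):
    """True if the encoded filter exceeds a GET-parameter length limit such as
    the 255 characters mentioned for Suhosin, i.e. host it and use efilter."""
    return len(value) > limit


if __name__ == "__main__":
    sp = "https://sp.example.com/shibboleth"
    for url in ("https://sp.example.com/Shibboleth.sso/Login?target=%2Fsecure%2F",
                "https://evil.example/Shibboleth.sso/Login",
                "https://sp.example.com@evil.example/Shibboleth.sso/Login"):
        print(url, "->", check_return(FEDERATION_METADATA, sp, url))
    print("page filter decodes to:", decode_filter(PAGE_FILTER))
```

Comparing the parsed components rather than doing a string-prefix match is deliberate: a prefix match on ''https://sp.example.com'' would accept ''https://sp.example.com.evil.example/'', and a match on the raw string would be fooled by a userinfo part before the real host. Tightening the rule further (for example, rejecting a ''return'' whose path contains ''..'') costs nothing, since a legitimate SP always sends exactly the endpoint it registered.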