Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revisionBoth sides next revision
en:tech:wayf-sp [2016/11/09 10:14] – [Filter generator] jop@cesnet.czen:tech:wayf-sp [2016/11/09 10:32] jop@cesnet.cz
Line 1: Line 1:
-====== eduID.cz WAYF/DS for Service Providers ====== +~~REDIRECT>en:tech:wayf:sp~~
- +
-There is also a page with [[:en:tech:wayf|general information]] about WAYF/DS. +
- +
-===== Defining Identity Providers available for login ===== +
- +
-Without any configuration, WAYF shows all the IdPs available in the federation the SP belongs to. It is possible to define a list of IdPs to be shown making use of one of two parameters -- either //filter// attribute or //efilter// attribute. +
- +
-==== filter ==== +
- +
-Using //filter// attribute leads to __a direct filter__. In this case the list of IdPs to show is defined as a value in //filter// parameter. +
- +
-Example of a direct filter: +
- +
-<code> +
-filter=eyAgImFsbG93SG9zdGVsIjogdHJ1ZSwgImFsbG93SG9zdGVsUmVnIjogZmFsc2V9 +
-</code> +
- +
-==== efilter ==== +
- +
-Using //efilter// attribute leads to __an external filter__. In this case the list of IdPs to show is defined in a file at a URL linked in //efilter// parameter. +
- +
-Example of an external filter: +
- +
-<code> +
-efilter=www.example.com/filter +
-</code> +
- +
-Content of ''<nowiki>www.example.com/filter</nowiki>'': +
- +
-<code> +
-eyAgImFsbG93SG9zdGVsIjogdHJ1ZSwgImFsbG93SG9zdGVsUmVnIjogZmFsc2V9 +
-</code> +
- +
-//efilter// approach is a solution for HTTP servers limiting HTTP GET parameters such as Suhosin extension for PHP language allowing only 255 characters at a maximum. +
- +
-==== Filter generator ==== +
- +
-A filter generator is available at https://ds.eduid.cz/filter.php. +
- +
-=== IdPs from federations === +
- +
-The "Feeds" field  is used for filtering groups of IdPs in base of federations. This setup can be overwrited by seting list of individual IdPs. +
- +
-=== Individual IdPs === +
- +
-For better granularity you can limit to particular IdPs. If there is any IdP from that list checked, it has priority over filtering of group IdPs. +
- +
-=== Access for users out of federations === +
- +
-You can use "Hostel IdP" identity provider. In that case check option "Use Hostel IdP". Your service provider must be configured to use this service provider. If you want to allow Hostel IdP accont creation from WAYF, check option "Allow Hostel registration"+
- +
-== Examples == +
- +
-Filter for using Hostel IdP without possibility to create Hostel IdP account +
-<code> +
-filter=eyAgImFsbG93SG9zdGVsIjogdHJ1ZSwgImFsbG93SG9zdGVsUmVnIjogZmFsc2V9 +
-</code> +
- +
-Filter for using Hostel IdP wit possibility to create Hostel IdP account +
-<code> +
-filter=eyAgImFsbG93SG9zdGVsIjogdHJ1ZSwgImFsbG93SG9zdGVsUmVnIjogdHJ1ZX0= +
-</code> +
- +
-===== Logging in setup ===== +
- +
-Wayf supports both sites where logging in is required and sites where loging in is optional. +
- +
-==== When logging in is required ==== +
- +
-This guide is for the the Shibboleth SP. +
- +
-Web page has to covered by mod_shib directive ShibRequire. In file ''shibboleth2.xml'' replace in tag ''<SessionInititor type="SAMLDS"...>'' value of attribute ''URL'' with reference to the DS service: +
- +
-<code xml> +
-<SessionInitiator type="Chaining" Location="/DS" isDefault="false" id="DS"> +
-    <SessionInitiator type="SAML2" template="bindingTemplate.html"/> +
-    <SessionInitiator type="Shib1"/> +
-    <SessionInitiator type="SAMLDS" URL="https://ds.eduid.cz/wayf.php"/> +
-</SessionInitiator> +
-</code> +
- +
-If you want to use IdP filtering, write generated filter as a parameter of URL session initiator: +
- +
-<code xml> +
-<SessionInitiator type="Chaining" Location="/DS" isDefault="false" id="DS"> +
-    <SessionInitiator type="SAML2" template="bindingTemplate.html"/> +
-    <SessionInitiator type="Shib1"/> +
-<SessionInitiator type="SAMLDS" URL="https://ds.eduid.cz/wayf.php?filter=eyJhbGxvd0hvc3RlbCI6dHJ1ZSwiYWxsb3dIb3N0ZWxSZWciOnRydWV9Cg==&amp;lang=en"/> +
-</SessionInitiator> +
-</code> +
- +
-Or simplified setup of newer SPs: +
-<code xml> +
-<SSO discoveryProtocol="SAMLDS"  +
-    discoveryURL="https://ds.eduid.cz/wayf.php?filter=eyJhbGxvd0hvc3RlbCI6dHJ1ZSwiYWxsb3dIb3N0ZWxSZWciOnRydWV9Cg==&amp;lang=en"> +
-    SAML2 SAML1 +
-</SSO> +
- +
-</code> +
- +
-That's all. While accessing web page, user is redirected to eduID.cz Discovery Service. +
- +
-==== Logging in on demand (lazy session) ==== +
- +
-Session initiator in file ''shibboleth2.xml'' set exactly as in required logging in. Insert the following javascript file into page's header: +
- +
-<code html> +
-<head> +
- ... +
- <script type="text/javascript" src="https://ds.eduid.cz/ds.js"></script> +
- ... +
-</head> +
-</code> +
- +
-In Shibboleth to version 2.4 (included) is URL of the session initiatoru set in attribute ''Location'' in element ''<SessionInitiator>'' in configuration file ''shibboleth2.xml''. Log in link should be something like: +
- +
-<code html> +
- <a href="/Shibboleth.sso/DS" onclick="startOverlay(event)">Log in</a> +
-</code> +
- +
-From shibboleth version 2.5 is URL of the session initiatoru defaultly set to ''/Shibboleth.sso/Login''. Log in link should be something like: +
- +
-<code html> +
- <a href="/Shibboleth.sso/Login" onclick="startOverlay(event)">Log in</a> +
-</code> +
- +
-If you are using SimpleSamlPhP, link must lead to the same URL as parameter ''discoURL'' in configuration file ''authsources.php''+
- +
-Example of configuration file ''authsources.php'': +
-<code> +
-'default-sp' => array( +
-    'saml:SP', +
-    'entityID' => 'https://sp.example.com/simplesaml/', +
-    'idp' => NULL, +
-    'discoURL' => 'https://ds.eduid.cz/wayf.php', +
-    'privatekey' => 'example.key' +
-), +
-</code> +
- +
-example of log in link while using SimpleSamlPhP: +
-<code> +
-<a href="/simplesaml/module.php/core/authenticate.php" onclick="startOverlay(event)">Log in</a> +
-</code>+