This is an older version of the document!
There is also a page with general information about WAYF/DS.
Without any configuration, WAYF shows all the IdPs available in the federation the SP belongs to. It is possible to define a list of IdPs to be shown using one of two parameters: either the filter parameter or the efilter parameter.
Using the filter parameter leads to a direct filter. In this case the list of IdPs to show is passed as the value of the filter parameter itself.
Example of a direct filter:
filter=eyAgImFsbG93SG9zdGVsIjogdHJ1ZSwgImFsbG93SG9zdGVsUmVnIjogZmFsc2V9
Using the efilter parameter leads to an external filter. In this case the list of IdPs to show is defined in a file at the URL given in the efilter parameter.
Example of an external filter:
efilter=www.example.com/filter
Content of www.example.com/filter:
eyAgImFsbG93SG9zdGVsIjogdHJ1ZSwgImFsbG93SG9zdGVsUmVnIjogZmFsc2V9
The efilter approach is a workaround for HTTP servers that limit the length of HTTP GET parameters, such as the Suhosin extension for PHP, which allows at most 255 characters.
A filter generator is available at https://ds.eduid.cz/filter.php.
The „Feeds“ field is used for filtering groups of IdPs by federation. This setting can be overridden by setting a list of individual IdPs.
For finer granularity you can restrict the list to particular IdPs. If any IdP from that list is checked, it takes priority over the filtering of IdP groups.
You can use the „Hostel IdP“ identity provider. In that case check the option „Use Hostel IdP“. Your service provider must be configured to use this service provider. If you want to allow Hostel IdP account creation from WAYF, check the option „Allow Hostel registration“.
Filter for using Hostel IdP without the possibility to create a Hostel IdP account:
filter=eyAgImFsbG93SG9zdGVsIjogdHJ1ZSwgImFsbG93SG9zdGVsUmVnIjogZmFsc2V9
Filter for using Hostel IdP with the possibility to create a Hostel IdP account:
filter=eyAgImFsbG93SG9zdGVsIjogdHJ1ZSwgImFsbG93SG9zdGVsUmVnIjogdHJ1ZX0=
WAYF supports both sites where logging in is required and sites where logging in is optional.
This guide is for the Shibboleth SP.
The web page has to be covered by the mod_shib directive ShibRequire. In the file shibboleth2.xml, replace the value of the URL attribute in the tag <SessionInitiator type="SAMLDS" …> with a reference to the DS service:
<SessionInitiator type="Chaining" Location="/DS" isDefault="false" id="DS">
    <SessionInitiator type="SAML2" template="bindingTemplate.html"/>
    <SessionInitiator type="Shib1"/>
    <SessionInitiator type="SAMLDS" URL="https://ds.eduid.cz/wayf.php"/>
</SessionInitiator>
If you want to use IdP filtering, append the generated filter as a parameter of the session initiator URL (inside an XML attribute value the parameter separator & must be written as &amp;, otherwise shibboleth2.xml is not well-formed):
<SessionInitiator type="Chaining" Location="/DS" isDefault="false" id="DS">
    <SessionInitiator type="SAML2" template="bindingTemplate.html"/>
    <SessionInitiator type="Shib1"/>
    <SessionInitiator type="SAMLDS" URL="https://ds.eduid.cz/wayf.php?filter=eyJhbGxvd0hvc3RlbCI6dHJ1ZSwiYWxsb3dIb3N0ZWxSZWciOnRydWV9Cg==&amp;lang=en"/>
</SessionInitiator>
Or the simplified setup of newer SPs:
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://ds.eduid.cz/wayf.php?filter=eyJhbGxvd0hvc3RlbCI6dHJ1ZSwiYWxsb3dIb3N0ZWxSZWciOnRydWV9Cg==&amp;lang=en">
    SAML2 SAML1
</SSO>
That's all. When accessing the web page, the user is redirected to the eduID.cz Discovery Service.
Set the session initiator in the file shibboleth2.xml exactly as for required login. Insert the following JavaScript file into the page's header:
<head>
    ...
    <script type="text/javascript" src="https://ds.eduid.cz/ds.js"></script>
    ...
</head>
In Shibboleth up to version 2.4 (inclusive) the URL of the session initiator is set in the Location attribute of the <SessionInitiator> element in the configuration file shibboleth2.xml. The log in link should be something like:
<a href="/Shibboleth.sso/DS" onclick="startOverlay(event)">Log in</a>
From Shibboleth version 2.5 the URL of the session initiator is set by default to /Shibboleth.sso/Login. The log in link should be something like:
<a href="/Shibboleth.sso/Login" onclick="startOverlay(event)">Log in</a>
If you are using SimpleSAMLphp, the link must lead to the same URL as the discoURL parameter in the configuration file authsources.php.
Example of the configuration file authsources.php:
'default-sp' => array(
    'saml:SP',
    'entityID' => 'https://sp.example.com/simplesaml/',
    'idp' => NULL,
    'discoURL' => 'https://ds.eduid.cz/wayf.php',
    'privatekey' => 'example.key'
),
Example of a log in link while using SimpleSAMLphp:
<a href="/simplesaml/module.php/core/authenticate.php" onclick="startOverlay(event)">Log in</a>
CESNET, z. s. p. o.