en:tech:wayf-sp

This is an older version of the document!


eduID.cz WAYF/DS for Service Providers

There is also a page with general information about WAYF/DS.

Defining Identity Providers available for login

Without any configuration, WAYF shows all IdPs in the federation the SP belongs to. The list of IdPs to show can be restricted with one of two parameters, either the filter parameter or the efilter parameter.

filter

The filter parameter is a direct filter: the list of IdPs to show is passed as the value of the filter parameter itself.

Example of a direct filter:

filter=eyAgImFsbG93SG9zdGVsIjogdHJ1ZSwgImFsbG93SG9zdGVsUmVnIjogZmFsc2V9

efilter

The efilter parameter is an external filter: the list of IdPs to show is stored in a file at the URL given as the value of the efilter parameter, and the DS fetches it from there.

Example of an external filter:

efilter=www.example.com/filter

Content of www.example.com/filter:

eyAgImFsbG93SG9zdGVsIjogdHJ1ZSwgImFsbG93SG9zdGVsUmVnIjogZmFsc2V9

The efilter approach works around HTTP servers that limit the length of GET parameters, such as the Suhosin extension for PHP, which allows at most 255 characters. Because the DS fetches the filter file itself, serve it over HTTPS so that the IdP list cannot be altered in transit.

Filter generator

A filter generator is available at https://ds.eduid.cz/filter.php.

IdPs from federations

The „Feeds“ field filters IdPs by federation. This setting is overridden by a list of individual IdPs.

Individual IdPs

For finer granularity you can restrict the list to particular IdPs. If any IdP in that list is checked, it takes priority over the federation (group) filtering.

Access for users out of federations

You can use the „Hostel IdP“ identity provider. In that case check the option „Use Hostel IdP“. Your service provider must be configured to trust this identity provider. If you want to allow Hostel IdP account creation from the WAYF, check the option „Allow Hostel registration“.

Examples

Filter for using Hostel IdP without the possibility to create a Hostel IdP account

filter=eyAgImFsbG93SG9zdGVsIjogdHJ1ZSwgImFsbG93SG9zdGVsUmVnIjogZmFsc2V9

Filter for using Hostel IdP with the possibility to create a Hostel IdP account

filter=eyAgImFsbG93SG9zdGVsIjogdHJ1ZSwgImFsbG93SG9zdGVsUmVnIjogdHJ1ZX0=
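As an added example (not part of the original page or of the eduID.cz DS code), the following Python script shows what the filter values on this page actually carry and how to produce them. The filter strings above, and the one used in the shibboleth2.xml example further down, decode to a small base64-encoded JSON object with the keys allowHostel and allowHostelReg; those key names are exactly what the page's own values decode to, while the helper names, the compact JSON layout and the HTTPS requirement for efilter URLs are the editor's choices, not part of the DS interface. The script also percent-encodes the value for the query string and XML-escapes the finished URL for use in a shibboleth2.xml attribute, where the & between query parameters has to be written as &amp;.

```python
import base64
import json
from urllib.parse import urlencode, urlsplit
from xml.sax.saxutils import escape

DS_URL = "https://ds.eduid.cz/wayf.php"

# Filter values copied verbatim from this page.
FILTER_HOSTEL_NO_REG = "eyAgImFsbG93SG9zdGVsIjogdHJ1ZSwgImFsbG93SG9zdGVsUmVnIjogZmFsc2V9"
FILTER_HOSTEL_WITH_REG = "eyAgImFsbG93SG9zdGVsIjogdHJ1ZSwgImFsbG93SG9zdGVsUmVnIjogdHJ1ZX0="
# The value used in the page's shibboleth2.xml example (generator output, ends with a newline).
FILTER_FROM_SHIB_EXAMPLE = "eyJhbGxvd0hvc3RlbCI6dHJ1ZSwiYWxsb3dIb3N0ZWxSZWciOnRydWV9Cg=="


def decode_filter(value: str) -> dict:
    """Turn a filter= value (or the body of an efilter file) back into its JSON object.

    Trailing whitespace is dropped and '=' padding restored before decoding,
    so a value that was hand-edited or stored without padding still decodes.
    validate=True rejects anything outside the base64 alphabet instead of
    silently skipping it.
    """
    text = value.strip()
    text += "=" * (-len(text) % 4)
    obj = json.loads(base64.b64decode(text, validate=True))
    if not isinstance(obj, dict):
        raise ValueError("filter must decode to a JSON object")
    return obj


def encode_filter(allow_hostel: bool, allow_hostel_reg: bool) -> str:
    """Build a filter value with the two keys this page's examples use.

    Only the keys seen on the page are emitted; whatever else the generator at
    https://ds.eduid.cz/filter.php may add (feeds, individual IdPs) is not
    reproduced here because its key names are not shown on the page.
    """
    if allow_hostel_reg and not allow_hostel:
        raise ValueError("allowHostelReg=true requires allowHostel=true")
    obj = {"allowHostel": allow_hostel, "allowHostelReg": allow_hostel_reg}
    raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def ds_url_with_filter(filter_value: str, lang: str = "en") -> str:
    """Direct filter: the value rides in the query string.

    Base64 output may contain '+', '/' and '=', so it is percent-encoded
    rather than pasted in raw.
    """
    return DS_URL + "?" + urlencode({"filter": filter_value, "lang": lang})


def ds_url_with_efilter(efilter_url: str, lang: str = "en") -> str:
    """External filter: the DS fetches the IdP list from efilter_url.

    Requiring https here is the editor's hardening, not a DS rule: the DS
    fetches this file on its own, so a plain-http URL would let anyone on the
    path rewrite which IdPs your users get to choose from.
    """
    if urlsplit(efilter_url).scheme != "https":
        raise ValueError("serve the efilter file over https")
    return DS_URL + "?" + urlencode({"efilter": efilter_url, "lang": lang})


def as_xml_attribute(url: str) -> str:
    """Escape the URL for use inside an XML attribute in shibboleth2.xml,
    where the '&' between query parameters must be written as '&amp;'."""
    return escape(url, {'"': "&quot;"})


if __name__ == "__main__":
    for name, value in [("no registration", FILTER_HOSTEL_NO_REG),
                        ("with registration", FILTER_HOSTEL_WITH_REG),
                        ("shibboleth2.xml example", FILTER_FROM_SHIB_EXAMPLE)]:
        print(f"{name}: {decode_filter(value)}")
    url = ds_url_with_filter(encode_filter(True, True))
    print(url)
    print(f'<SSO discoveryProtocol="SAMLDS" discoveryURL="{as_xml_attribute(url)}">')
```

Running the script prints the decoded JSON for each of the page's three filter values, then a ready-to-paste DS URL and the same URL escaped for an XML attribute. The generator is still the authoritative way to produce filters that reference feeds or individual IdPs; the script only covers the two Hostel IdP options whose key names the page's examples reveal.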

Logging in setup

WAYF supports both sites where logging in is required and sites where logging in is optional.

When logging in is required

This guide is for the Shibboleth SP.

The web page has to be covered by the mod_shib directive ShibRequireSession (ShibRequestSetting requireSession 1 on newer SPs). In the file shibboleth2.xml, replace the value of the URL attribute in the <SessionInitiator type="SAMLDS" …> tag with a reference to the DS service:

<SessionInitiator type="Chaining" Location="/DS" isDefault="false" id="DS">
    <SessionInitiator type="SAML2" template="bindingTemplate.html"/>
    <SessionInitiator type="Shib1"/>
    <SessionInitiator type="SAMLDS" URL="https://ds.eduid.cz/wayf.php"/>
</SessionInitiator>

If you want to use IdP filtering, append the generated filter as a query parameter to the URL of the SAMLDS session initiator:

<SessionInitiator type="Chaining" Location="/DS" isDefault="false" id="DS">
    <SessionInitiator type="SAML2" template="bindingTemplate.html"/>
    <SessionInitiator type="Shib1"/>
    <SessionInitiator type="SAMLDS" URL="https://ds.eduid.cz/wayf.php?filter=eyJhbGxvd0hvc3RlbCI6dHJ1ZSwiYWxsb3dIb3N0ZWxSZWciOnRydWV9Cg==&amp;lang=en"/>
</SessionInitiator>

Or, the simplified setup for newer SPs:

<SSO discoveryProtocol="SAMLDS" 
    discoveryURL="https://ds.eduid.cz/wayf.php?filter=eyJhbGxvd0hvc3RlbCI6dHJ1ZSwiYWxsb3dIb3N0ZWxSZWciOnRydWV9Cg==&amp;lang=en">
    SAML2 SAML1
</SSO>

That's all. When the user accesses the web page, they are redirected to the eduID.cz Discovery Service.

Logging in on demand (lazy session)

Set the session initiator in shibboleth2.xml exactly as for required login. Then include the following JavaScript file in the page's header:

<head>
 ...
 <script type="text/javascript" src="https://ds.eduid.cz/ds.js"></script>
 ...
</head>

In Shibboleth SP up to and including version 2.4, the URL of the session initiator is set in the Location attribute of the <SessionInitiator> element in the configuration file shibboleth2.xml. The login link should then look like:

 <a href="/Shibboleth.sso/DS" onclick="startOverlay(event)">Log in</a>

From Shibboleth SP version 2.5 on, the URL of the session initiator defaults to /Shibboleth.sso/Login. The login link should then look like:

 <a href="/Shibboleth.sso/Login" onclick="startOverlay(event)">Log in</a>

If you are using SimpleSAMLphp, the login link must go through the same discovery URL that the discoURL parameter in the configuration file authsources.php points to.

Example of the configuration file authsources.php:

'default-sp' => array(
    'saml:SP',
    'entityID' => 'https://sp.example.com/simplesaml/',
    'idp' => NULL,
    'discoURL' => 'https://ds.eduid.cz/wayf.php',
    'privatekey' => 'example.key'
),

Example of a login link when using SimpleSAMLphp:

<a href="/simplesaml/module.php/core/authenticate.php" onclick="startOverlay(event)">Log in</a>
Last modified: 2017/02/10 07:02