
To have more control over IdP discovery and the look and feel of the WAYF selection page, you can integrate a WAYF page in your service. You can arrange this as follows:

  1. Be sure that your service is configured in SURFconext (Production or Test environment).
  2. Request a SAML 2.0 metadata file with all IdPs that have been coupled with your service from https://engine.surfconext.nl/authentication/proxy/idps-metadata?sp-entity-id=SP-ENTITY-ID (replace SP-ENTITY-ID with your EntityID as found in your metadata).
  3. You will receive a current list of (1) your own Service Provider metadata (included for services that use Shibboleth software) and (2) the metadata of all the IdPs that have been coupled with your service.
  4. Configure the metadata into your Service Provider directly, or process it, e.g. with XPath, to extract the display names and SSO locations of the IdPs to present in your WAYF.
    The SSO locations in the metadata file are provided in a transparent way. This means that for any Identity Provider, they all point to a SURFconext endpoint but with a specific identifier at the end. This identifier instructs SURFconext to immediately forward the authentication request to the requested Identity Provider. This way, SURFconext is still in the middle of the traffic (as a proxy), even though you use your own WAYF selection page.

Example of the metadata file:

<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdui="urn:oasis:names:tc:SAML:2.0:metadata:ui" ID="CORTO6d017189c6bcd01c19935006ce6b32e89e29b4a3"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#CORTO6d017189c6bcd01c19935006ce6b32e89e29b4a3"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>L8ANkHPH4msXsIUFptAMeNTuMzQ=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>kSE6aUY74Y1P/B6ZDY4s6F3AEpCv0t/z9fyyhUmPZctfshkiyK53vz8lKfmgiUlOk2c4+dXVPlVQqzeVgW2lDKycdWhkjSQnybBNPrBYlvlEPMJHO4p83IEOMGXh7yS6a8OjNc9qLTikVQnxwfV3xAZGxZ0AZVSJM9WhkqRMJGAK7xMcttM77cIy06ZRpNDb5e36Fb6dLHHAJ3JICd9CEHqdP3WKB2rO2wDGxrkIx/6ynnM1YCFbWvpGU+dGT6/r7YTU9q89UdU2cYMTP1t4KSl/BOMJflnwlAEmFxcxn4FGKny9cRpzhu0nvmtk02cK8T/pYboWWEqG6ooTIEM3Yw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate></ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<md:EntityDescriptor validUntil="2012-05-31T22:00:00Z" entityID="https://test.test.nl"><md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://engine.surfconext.nl/authentication/sp/consume-assertion/7f301d787aa6ea235a8b86434d39aa41" index="1"/></md:SPSSODescriptor></md:EntityDescriptor>
<md:EntityDescriptor validUntil="2012-06-01T10:36:28Z" entityID="http://www.surf.nl/test"><md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:Extensions><mdui:DisplayName xml:lang="en">SURFnet BV - This IdP is for testing only</mdui:DisplayName><mdui:DisplayName xml:lang="nl">SURFnet BV - This IdP is for testing only</mdui:DisplayName><mdui:Description xml:lang="en">SURFnet BV - This IdP is for testing only</mdui:Description><mdui:Description xml:lang="nl">SURFnet BV - This IdP is for testing only</mdui:Description><mdui:Logo height="60" width="120">https://wayf.surf.nl/federate/surfnet/img/logo/surfnet.png</mdui:Logo><mdui:Keywords xml:lang="en">SURFNET</mdui:Keywords><mdui:Keywords xml:lang="nl">SURFNET</mdui:Keywords></md:Extensions><md:KeyDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate></ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate></ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://engine.surfconext.nl/authentication/idp/single-sign-on/dedd75c2157a751113666d7888b2f2cd"/></md:IDPSSODescriptor></md:EntityDescriptor>

Line 3 of the example contains the Service Provider metadata of 'https://test.test.nl'; line 4 contains the metadata for a coupled Identity Provider (SURFnet Test IdP). For simplicity, the remainder of the XML metadata is omitted.

When you use Shibboleth as the Service Provider software, it is very easy to implement an authentication request to a specific Identity Provider. The following HTML code presents a link that will start an authentication to a specific Identity Provider:

<ul class="IdPlist">
<li><a href="https://SP.example.org/Shibboleth.sso/Login?target=dashboard.php&amp;entityID=http://www.surf.nl/test">SURFconext Login</a></li>
</ul>

Here, the base URL is the URL of your Shibboleth Service Provider. The 'target' parameter contains the location to return to after a successful login, and the 'entityID' parameter is the EntityID of the Identity Provider as found in the SURFconext metadata.

If you expand this list with more Identity Providers from the SURFconext metadata, you have implemented your own WAYF selection page using Shibboleth.
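
The extraction from step 4 and the Shibboleth link list above, combined in an added example (not SURFconext's own code): it reads the IdP entries from the metadata, skips expired entries and any SSO location that is not on the SURFconext engine host, and renders the links with URL and HTML escaping. It assumes the file was fetched over HTTPS and that its XML signature has already been verified; list_idps, wayf_html and the trimmed sample are constructed for illustration.

```python
import html
import xml.etree.ElementTree as ET
from datetime import datetime
from urllib.parse import urlencode, urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdui": "urn:oasis:names:tc:SAML:2.0:metadata:ui"}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
ENGINE_HOST = "engine.surfconext.nl"  # host of the SSO location in the page's sample
SP_LOGIN = "https://SP.example.org/Shibboleth.sso/Login"  # from the page's link

# Constructed sample: the page's two entities, trimmed; signature and keys left out.
SAMPLE = b"""<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:mdui="urn:oasis:names:tc:SAML:2.0:metadata:ui">
<md:EntityDescriptor validUntil="2012-05-31T22:00:00Z" entityID="https://test.test.nl">
 <md:SPSSODescriptor/></md:EntityDescriptor>
<md:EntityDescriptor validUntil="2012-06-01T10:36:28Z" entityID="http://www.surf.nl/test">
 <md:IDPSSODescriptor><md:Extensions>
  <mdui:DisplayName xml:lang="en">SURFnet BV - This IdP is for testing only</mdui:DisplayName>
  </md:Extensions><md:SingleSignOnService Location=
  "https://engine.surfconext.nl/authentication/idp/single-sign-on/dedd75c2157a751113666d7888b2f2cd"/>
 </md:IDPSSODescriptor></md:EntityDescriptor></md:EntitiesDescriptor>"""

def list_idps(metadata, now, lang="en"):
    """(entityID, name) per usable IdP; signature assumed verified, now is tz-aware."""
    if b"<!DOCTYPE" in metadata:  # SAML metadata needs no DTD; refuse entity tricks
        raise ValueError("DOCTYPE not allowed in metadata")
    idps = []
    for ent in ET.fromstring(metadata).findall("md:EntityDescriptor", NS):
        idp = ent.find("md:IDPSSODescriptor", NS)
        until = ent.get("validUntil")
        if idp is None or (until and datetime.fromisoformat(until.replace("Z", "+00:00")) < now):
            continue  # skip the SP's own entry and expired entries
        sso = idp.find("md:SingleSignOnService", NS)
        loc = urlsplit(sso.get("Location", "") if sso is not None else "")
        if loc.scheme != "https" or loc.hostname != ENGINE_HOST:
            continue  # an SSO location outside SURFconext would bypass the proxy
        names = {n.get(XML_LANG): n.text for n in idp.findall("md:Extensions/mdui:DisplayName", NS)}
        idps.append((ent.get("entityID"), names.get(lang) or ent.get("entityID")))
    return idps

def wayf_html(idps):
    """Render Shibboleth login links; every metadata value is escaped before output."""
    items = []
    for entity_id, name in idps:
        query = urlencode({"target": "dashboard.php", "entityID": entity_id})
        href = html.escape(SP_LOGIN + "?" + query, quote=True)
        items.append('<li><a href="%s">%s</a></li>' % (href, html.escape(name)))
    return '<ul class="IdPlist">\n%s\n</ul>' % "\n".join(items)
```

Pass the current UTC time as now in production; the sample's validUntil dates are from 2012, so a present-day clock filters every entry out.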
