To have more control over the IP Discovery you can integrate your own WAYF selection page in your service. You do this with the following steps:
Example of the metadata file:
<?xml version="1.0"?> <md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdui="urn:oasis:names:tc:SAML:2.0:metadata:ui" ID="CORTO6d017189c6bcd01c19935006ce6b32e89e29b4a3"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#CORTO6d017189c6bcd01c19935006ce6b32e89e29b4a3"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>L8ANkHPH4msXsIUFptAMeNTuMzQ=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>kSE6aUY74Y1P/B6ZDY4s6F3AEpCv0t/z9fyyhUmPZctfshkiyK53vz8lKfmgiUlOk2c4+dXVPlVQqzeVgW2lDKycdWhkjSQnybBNPrBYlvlEPMJHO4p83IEOMGXh7yS6a8OjNc9qLTikVQnxwfV3xAZGxZ0AZVSJM9WhkqRMJGAK7xMcttM77cIy06ZRpNDb5e36Fb6dLHHAJ3JICd9CEHqdP3WKB2rO2wDGxrkIx/6ynnM1YCFbWvpGU+dGT6/r7YTU9q89UdU2cYMTP1t4KSl/BOMJflnwlAEmFxcxn4FGKny9cRpzhu0nvmtk02cK8T/pYboWWEqG6ooTIEM3Yw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate></ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature> <md:EntityDescriptor validUntil="2012-05-31T22:00:00Z" entityID="https://test.test.nl"><md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://engine.surfconext.nl/authentication/sp/consume-assertion/7f301d787aa6ea235a8b86434d39aa41" index="1"/></md:SPSSODescriptor></md:EntityDescriptor> <md:EntityDescriptor validUntil="2012-06-01T10:36:28Z" entityID="http://www.surf.nl/test"><md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:Extensions><mdui:DisplayName xml:lang="en">SURFnet BV - This IdP is for testing only</mdui:DisplayName><mdui:DisplayName xml:lang="nl">SURFnet BV - This IdP is for testing only</mdui:DisplayName><mdui:Description xml:lang="en">SURFnet BV - This IdP is for testing only</mdui:Description><mdui:Description xml:lang="nl">SURFnet BV - This IdP is for testing only</mdui:Description><mdui:Logo height="60" width="120">https://wayf.surf.nl/federate/surfnet/img/logo/surfnet.png</mdui:Logo><mdui:Keywords xml:lang="en">SURFNET</mdui:Keywords><mdui:Keywords xml:lang="nl">SURFNET</mdui:Keywords></md:Extensions><md:KeyDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate></ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate></ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://engine.surfconext.nl/authentication/idp/single-sign-on/dedd75c2157a751113666d7888b2f2cd"/></md:IDPSSODescriptor></md:EntityDescriptor> |
Line 3 contains the Service Provider metadata of 'https://test.test.nl', line 4 the metadata for a coupled Identity Provider (SURFnet Test IdP). For simplicity the remainder of the XML metadata is omitted.
When you use Shibboleth, the following HTML code presents a link that will start an authentication to a specific IdP:
<ul class="IdPlist"> <li><a href="https://SP.example.org/Shibboleth.sso/Login?target=dashboard.php&entityID=http://www.surf.nl/test ">SURFconext Login</a></li> </ul> |
The base URL is the URL of your Shibboleth Service Provider. The 'target' parameter contains the location to return to after the login was successful. The 'entityID' parameter is the EntityID of the IdP (as found in the SURFconext metadata).
Just expand the list with more IdPs from the SURFconext metadata, and you have created your own WAYF selection page.