WAYF Service

The goal of the "Where Are You From" (WAYF) service is to send a user to the Identity Provider of their Home Organization. The WAYF is also referred to as a "Discovery Service" (DS), which is also the name of the SAML specification that defines the Discovery Service protocol. In the following, WAYF and DS are used synonymously, although the DS protocol is slightly different, as shown below.

Basically, all the WAYF/DS has to do is present the user with a list of Home Organizations and redirect the user's web browser either to the selected Identity Provider (WAYF) or back to the Service Provider (Discovery Service), as shown below.


Different flows of WAYF (Shibboleth 1.x default) and Discovery Service (Shibboleth 2.x default)
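
The two flows, sketched in Python as an added example (this is not SWITCHwayf code). The parameter names shire, target, providerId and time (Shibboleth 1.x) and entityID, return and returnIDParam (SAML Discovery Service protocol) come from those protocols; the metadata maps, host names and the return-URL matching rule are constructed assumptions. In the DS flow the redirect target comes from the request, so it is checked against the Service Provider's registered locations before the browser is sent there.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed metadata; a real deployment reads both maps from federation SAML2 metadata.
IDP_SSO_URL = {  # IdP entityID -> Shibboleth 1.x SSO endpoint
    "https://idp.example.org/idp/shibboleth": "https://idp.example.org/shibboleth-idp/SSO",
}
SP_DISCOVERY_RESPONSE = {  # SP entityID -> registered DiscoveryResponse locations
    "https://sp.example.com/shibboleth": ["https://sp.example.com/Shibboleth.sso/DS"],
}

def with_params(url, extra):
    """Append query parameters to url, keeping the ones already present."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(extra.items())
    return urlunsplit(parts._replace(query=urlencode(query)))

def wayf_redirect(request, idp_entity_id):
    """WAYF flow: forward the SP's request parameters to the selected IdP."""
    if idp_entity_id not in IDP_SSO_URL:
        raise ValueError("unknown Identity Provider")
    forwarded = {k: request[k] for k in ("shire", "target", "providerId", "time")
                 if k in request}
    return with_params(IDP_SSO_URL[idp_entity_id], forwarded)

def ds_redirect(request, idp_entity_id):
    """DS flow: return the browser to the SP with the selected IdP's entityID."""
    if idp_entity_id not in IDP_SSO_URL:
        raise ValueError("unknown Identity Provider")
    registered = SP_DISCOVERY_RESPONSE.get(request.get("entityID"), [])
    if not registered:
        raise ValueError("unknown Service Provider")
    return_url = request.get("return", registered[0])  # default: first registered
    # Assumed matching rule: scheme, host and path must equal a registered
    # location; the SP may add its own query string (state) to the return URL.
    parts = urlsplit(return_url)
    if urlunsplit(parts._replace(query="", fragment="")) not in registered:
        raise ValueError("return URL not registered for this Service Provider")
    id_param = request.get("returnIDParam", "entityID")
    return with_params(return_url, {id_param: idp_entity_id})
```
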

Beyond that, additional features improve ease of use. These include several methods of remembering or guessing the user's Identity Provider selection, as well as embedding the WAYF on a foreign site via a simple copy & paste operation.

PHP Implementation

The implementation developed by SWITCH is a lightweight PHP implementation that supports multiple languages, several ways of preselecting an Identity Provider, and push updates (e.g. from the Resource Registry). The features include:

  • Lightweight PHP implementation
  • Open-Source software
  • Multiple languages support
  • Category support in drop down list
  • Reads SAML2 Metadata
  • Automatic redirection to selected Identity Provider in current web browser session
  • SAML Domain Cookie compliant
  • Various ways of preselecting an Identity Provider
  • Embedded WAYF feature
  • Service Provider can enforce redirect to an Identity Provider

DS/WAYF Implementations

Besides the SWITCHwayf PHP implementation of the Discovery Service/WAYF protocol, there are alternative implementations that could be used instead.

High Availability

SWITCH uses the self-developed PHP implementation for its SWITCHaai and AAI Test federations. Since the WAYF service is crucial for the federation, it has to be ensured that the service is operated without any service interruptions. Therefore, the SWITCHaai WAYF is operated in a high-availability setup that uses anycast techniques to achieve redundancy and load balancing. For a short introduction of the setup see:

SWITCHaai WAYF Presentation, AAI Info-Day 2005 [PDF 1.0 MB]

Downloads

The following code, which is published under a BSD license, is provided "as-is". This means that the look-and-feel of the interfaces is custom-tailored for SWITCHaai, so you may have to change the HTML code in the file templates.php as well as the settings in config.php.

Latest version: 1.12.1 (2010/01/20) Download
- Fixed a bug in the getToplevelDomain function. Thanks to Olivier Salaün.
Version: 1.12 (2010/01/18)
- Added code contributions from CRU. Thanks to Olivier Salaün and co.
- Added hooks for persistent customizations that should survive upgrades
- Fixed a bug where the last used SP's entityID is not stored for DS requests
- Changed behaviour for WAYF requests to store providerId/entityID in _saml_sp cookie instead of assertion consumer URL
- Optimized JavaScript code
Version: 1.11.1 (2009/10/26)
- Fixed a JavaScript HTML entities issue
Version: 1.11 (2009/10/16)
- Replaced deprecated PHP 4/5 functions with current ones
- Reworked JSON handler in order to output a harmonized data structure that will be compatible with the Internet2 Discovery Service
Version: 1.10.1 (2009/09/29)
- Fixed a minor bug that resulted in PHP warnings when using SAML2 metadata directly. Added a default type for the IDPs when SAML2 metadata is used in combination with Embedded WAYF. Thanks to Lourival Pereira Vieira Neto from RNP (Brasil) for reporting.
Version: 1.10 (2009/08/20)
- Added new settings of embedded wayf to set custom texts and to hide the logo
- Added feature to force embedded wayf to use a specific language
- Added JSON, PHP, Text export handler of IdP list and guessed IdP
- Added cookie deletion handler to clear all settings
- Most elements drawn by the Embedded WAYF now have a CSS ID to further customize their appearance, although this should be done only at your own risk
- Added a setting that allows defining a function that checks whether a user is logged in or not
- Changed the wayf_use_small_logo default setting to true because most deployments use this setting
- Fixed a bug that occurred when additional IdPs were defined and some IdPs were hidden.
- Removed language file setting because this probably was not used anyway
- Replaced all non ASCII strings in languages.php with their entities to prevent problems in Embedded WAYF
- Rearranged and refactored some code
Upgrade from previous version may require a clean install
Version: 1.9.5 (2006/06/03)
- The embedded WAYF submit button now is an input element instead of an image surrounded by a button element. This has the advantage that the CSS rules of the embedding page are also applied to the embedded WAYF.
- Made sure that there are no JS escaping errors anymore
- Fixed a bug in readMetadata.php that resulted in the wrong SSOService URLs being parsed if they were in a certain order. Thanks to Olivier Salaun for reporting this bug.
- Added category support for the embedded WAYF
Upgrade from previous version won't require a clean install
Version: 1.9 (2009/04/03)
- Added three more settings to the embedded WAYF configuration
- Fixed some JavaScript warnings
- Fixed some minor bugs in the embedded WAYF
- Added means of adding categories in the drop-down list
- Replaced image button in embedded WAYF with submit input button
- readMetadata is now more tolerant and flexible when reading SAML 2 metadata
- Embedded WAYF now stores cookie itself if IdP from other federation is used
Upgrade from previous version won't require a clean install
Version: 1.8 (2008/11/17)
- SAML2 metadata can now be read and displayed. This feature has been developed in the framework of GRNET's project VNOC by Pavlos Drandakis
- WAYF/DS can be embedded on remote site using JavaScript
- There now is a setting to hide the permanent setting checkbox
- Added logging support for statistics generation
- Changed character encoding to UTF-8
- Added Portuguese language translation provided by Nuno Gonçalves from FCCN
- Cascading of other WAYFs is now possible when Type is set accordingly
This version requires a clean-install!
Version: 1.7.2 (2008/06/11)
- Fixed a small JavaScript bug reported by Franz Kuster from ETHZ
Version: 1.7.1 (2008/05/02)
- Added backwards mode patch for older WAYF versions that didn't use transparent GET arguments in all requests
- Removed RelyingParty configuration option because it is not needed in general
- Changed Home Organization to Home Organisation and corrected various typos
- Added support for multilingual IdP names. Thanks for code and inspiration go to Pavlos Drandakis from University of Athens
Version: 1.7 (2008/01/09)
- Provided support for SAML2/Shibboleth2 IdP discovery service
- Fixed some HTML code and some typos
Version: 1.6 (2007/09/28)
- Added reverse DNS lookup as another way to select the right IdP
- Redirect path info now sets the redirect cookie as well
- Added patch for Cookie prefix by Florent Guilleux from CRU
Version: 1.5.1 (2007/08/09)
- Added French language corrections by Florent Guilleux from CRU
- Made code more resistant against PHP configuration issues
- Fixed a small typo in the English translation found by Michael R. Gettes from Internet2
- Adapted SWITCH tagline in License and README
- Removed SwissSign certificate notice
Version: 1.5 (2006/07/26)
- State of checkbox to remember session is now stored in a cookie too
- Determination of user language now has a more reasonable precedence
Version: 1.4 (2006/06/28)
- Added IP pre selection hint by Mika Suvanto (CSC, Finland)
Version: 1.3.1 (2006/04/03)
- Corrected two inconsistencies found by Jochen Lienhard (University of Freiburg, Germany)
- Deactivated Kerberos in the default configuration
Version: 1.3 (2006/03/21)
- Configuration is now in a separate file
- Kerberos automatic redirection by Josh Howlett (Bristol, UK)
- Some structural code changes
- checkConfig now doesn't need shell access anymore
- GET parameters received by WAYF are now appended unchanged to each request
- Easier customization options

Version 1.2 (2005/11/03)
- Added permanent cookie feature
- Improved IDP configuration check
- Cleaned up code

Version 1.1 (2005/10/26)
- Added license
- Removed and optimized some code

Feedback and Bug Reports

Feedback, bug reports or feature requests are always welcome. Please send them to our group mail address aai@switch.ch.