Pre-requisites

  1. Wayfinder is available to InCommon-registered services. If your service is not in InCommon, we suggest connecting directly to SeamlessAccess.
  2. Your Service Provider (SP) must support the OASIS SAML V2.0 Identity Provider Discovery Protocol and Profile.

Step 1: Configure Your Service Provider (SP) Metadata in Federation Manager

Sign into Federation Manager and update the following in your SP metadata:

1. Edit Discovery Response Endpoint

  • Find your SP; find the Discovery Response Endpoint section; click edit/add.
  • Enter your Discovery Response Endpoint URL in the Location input box; click save.


About the Discovery Response Endpoint

The Discovery Response Endpoint, or the "Location" attribute in the <idpdisc:DiscoveryResponse> metadata element, is a return address at the SP. After a user has chosen their preferred home organization, Wayfinder redirects the user back to the SP's Discovery Response Endpoint.

To maintain the security of the sign-in process, Wayfinder will only redirect the user to the Discovery Response Endpoint specified in the SP's InCommon-registered metadata.


2. Verify your Metadata User Interface Information and Attribute Consumer Service configurations

  • Navigate to the Attribute Consumer Service section to configure at least one valid SAML V2.0 endpoint.
  • Fill out the Metadata User Interface (MDUI) section of the metadata completely and with care. 


Why is MDUI information important?

During sign in, Wayfinder displays at least the DisplayName in your SP metadata to the user. This is how the user recognizes which service they are signing into. The name you choose needs to clearly identify your service. 

For example, University of America configures its Zoom service to use Wayfinder. A good DisplayName for U of A's Zoom is "University of America Zoom Video Conference Service". On the other hand, "Zoom", or "UA Zoom" would be poor, ambiguous name choices.

3. Check "Use InCommon Wayfinder as Discovery Service"

  • Navigate to the Entity Attributes section in your SP's metadata.
  • Check the "Use InCommon Wayfinder as Discovery Service" option. 

Step 2: Configure Your SP Software

Configure your service so that when a user signs in, your service redirects the user to InCommon Wayfinder per the OASIS Identity Provider Discovery Service Protocol and Profile. InCommon Wayfinder is located at:

  https://wayfinder.incommon.org/


General Configuration 

When redirecting a user to Wayfinder, construct the redirect URL to contain two query string parameters.

The first parameter is entityID. entityID contains the URL-encoded value of your SP's SAML entityID.

The second parameter is return. return contains the URL-encoded value of your SP's Discovery Response Endpoint URL.

For example, an SP with an entityID of https://foo.net/sp and a Discovery Response Endpoint of https://foo.net/disco-response will construct the following redirect URL:

  https://wayfinder.incommon.org/?entityID=https%3A%2F%2Ffoo.net%2Fsp&return=https%3A%2F%2Ffoo.net%2Fdisco-response

See OASIS Identity Provider Discovery Service Protocol and Profile for additional query string parameter options.
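
The redirect described above, together with the return leg at the Discovery Response Endpoint, as an added Python example (not InCommon's code). The function names, the KNOWN_IDPS set and the rule used to compare the return URL with the registered endpoint are assumptions of this example; the entityID response parameter is the OASIS profile's default return parameter name.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

WAYFINDER_URL = "https://wayfinder.incommon.org/"  # from this page

# Constructed sample values (the page's foo.net example).
SP_ENTITY_ID = "https://foo.net/sp"
REGISTERED_RETURN = "https://foo.net/disco-response"
# Hypothetical: entityIDs of the IdPs this SP has loaded metadata for.
KNOWN_IDPS = {"https://idp.example.edu/idp/shibboleth"}


def build_discovery_redirect(entity_id, return_url, registered=REGISTERED_RETURN):
    """Return the URL that sends the user to Wayfinder for this SP."""
    # Wayfinder only redirects to the endpoint registered in metadata, so
    # fail early if the SP is about to send a different one. Comparing
    # scheme, host and path (query ignored) is this example's assumption.
    got, want = urlsplit(return_url), urlsplit(registered)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("return URL does not match the registered endpoint")
    # urlencode percent-encodes ':', '/', '?', '&' and '=' in each value, so a
    # query string carried inside return_url cannot spill into Wayfinder's own.
    query = urlencode({"entityID": entity_id, "return": return_url})
    return WAYFINDER_URL + "?" + query


def read_discovery_response(request_url, known_idps=KNOWN_IDPS):
    """Return the chosen IdP entityID, or None if it should not be used."""
    params = parse_qs(urlsplit(request_url).query)
    values = params.get("entityID", [])
    if len(values) != 1:
        return None  # no choice was made, or the request is ambiguous
    idp = values[0]
    # Only start SSO with an IdP whose metadata this SP already trusts.
    return idp if idp in known_idps else None


if __name__ == "__main__":
    print(build_discovery_redirect(SP_ENTITY_ID, REGISTERED_RETURN))
    print(read_discovery_response(
        REGISTERED_RETURN
        + "?entityID=https%3A%2F%2Fidp.example.edu%2Fidp%2Fshibboleth"))
```
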

Configuring Shibboleth SP

See: Configuring Shibboleth SP to use Wayfinder

