Pre-requisites
- Wayfinder is available to InCommon-registered services. If your service is not in InCommon, we suggest connecting directly to SeamlessAccess.
- Your Service Provider (SP) must support the OASIS SAML V2.0 Identity Provider Discovery Protocol and Profile.
Step 1: Configure Your Service Provider (SP) Metadata in Federation Manager
Sign into Federation Manager and update the following in your SP metadata:
1. Edit Discovery Response Endpoint
- Find your SP; find the Discovery Response Endpoint section; click edit/add.
- Enter your Discovery Response Endpoint URL in the Location input box; click save.
Info: To maintain the security of the sign-in process, Wayfinder will only redirect the user to the Discovery Response Endpoint specified in the SP's InCommon-registered metadata.
2. Verify your Metadata User Interface (MDUI) Information and Attribute Consumer Service configurations
- Navigate to the Attribute Consumer Service section and configure at least one valid SAML V2.0 endpoint.
- Fill out the Metadata User Interface (MDUI) section of the metadata completely and with care.
Info: During sign in, Wayfinder displays at least the DisplayName in your SP metadata to the user. This is how the user recognizes which service they are signing into. The name you choose needs to clearly identify your service. For example, University of America configures its Zoom service to use Wayfinder. A good DisplayName for U of A's Zoom is "University of America Zoom Video Conference Service". On the other hand, "Zoom" or "UA Zoom" would be poor, ambiguous name choices.
3. Check "Use InCommon Wayfinder as Discovery Service"
- Navigate to the Entity Attributes section in your SP's metadata.
- Check the "Use InCommon Wayfinder as Discovery Service" option.
About the Discovery Response Endpoint
The Discovery Response Endpoint, or the "Location" attribute in the <idpdisc:DiscoveryResponse> metadata element, is a return address at the SP. After a user has chosen their preferred home organization, Wayfinder redirects the user back to the SP's Discovery Response Endpoint.
To maintain the security of the sign-in process, Wayfinder will only redirect the user to the Discovery Response Endpoint specified in the SP's InCommon-registered metadata.
Step 2: Configure Your SP Software
Configure your service so that when a user signs in, your service redirects the user to InCommon Wayfinder per the OASIS Identity Provider Discovery Service Protocol and Profile. InCommon Wayfinder is located at:
https://wayfinder.incommon.org/
Configuring Shibboleth SP
See: Configuring Shibboleth SP to use Wayfinder
General Configuration
When redirecting a user to Wayfinder, construct the redirect URL to contain two query string parameters.
The first parameter is entityID. entityID contains the URL-encoded value of your SP's SAML entityID.
The second parameter is return. return contains the URL-encoded value of your SP's Discovery Response Endpoint URL.
For example, an SP with an entityID of https://foo.net/sp and a Discovery Response Endpoint of https://foo.net/disco-response will construct the following redirect URL:
https://wayfinder.incommon.org/?entityID=https%3A%2F%2Ffoo.net%2Fsp&return=https%3A%2F%2Ffoo.net%2Fdisco-response
See OASIS Identity Provider Discovery Service Protocol and Profile for additional query string parameter options.
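The following Python example is added here and is not Wayfinder's or InCommon's code. It shows both halves of the exchange described above: the SP building the redirect with URL-encoded entityID and return parameters, and a discovery-service-side check that the return address is a registered Discovery Response Endpoint before the user is sent back with the chosen IdP's entityID. The metadata table, the IdP entityID and the scheme/host/path matching rule are assumptions, not values from this page.

```python
"""Build a Wayfinder-style discovery redirect and validate the return address.
Example code written for this page; not Wayfinder's own implementation."""
from typing import Optional
from urllib.parse import urlencode, urlsplit, parse_qs

WAYFINDER = "https://wayfinder.incommon.org/"

# Constructed stand-in for InCommon-registered SP metadata:
# entityID -> Location values of its <idpdisc:DiscoveryResponse> elements.
REGISTERED_METADATA = {
    "https://foo.net/sp": ["https://foo.net/disco-response"],
}


def build_discovery_redirect(entity_id: str, return_url: str) -> str:
    """SP side: send the user to Wayfinder with URL-encoded entityID and return."""
    return WAYFINDER + "?" + urlencode({"entityID": entity_id, "return": return_url})


def _same_endpoint(candidate: str, registered: str) -> bool:
    # Assumption: compare scheme, host[:port] and path. The page states only that
    # Wayfinder redirects solely to the registered endpoint, not its matching rule.
    c, r = urlsplit(candidate), urlsplit(registered)
    return (c.scheme, c.netloc, c.path) == (r.scheme, r.netloc, r.path)


def resolve_return_location(request_url: str) -> Optional[str]:
    """Discovery-service side: accept 'return' only if it is a registered
    Discovery Response Endpoint of the requesting SP; otherwise refuse (None),
    so the service cannot be used as an open redirector."""
    params = parse_qs(urlsplit(request_url).query)
    entity_id = params.get("entityID", [None])[0]
    if entity_id is None or entity_id not in REGISTERED_METADATA:
        return None  # unknown or missing SP: nowhere safe to send the user
    endpoints = REGISTERED_METADATA[entity_id]
    # If 'return' is absent, fall back to the first registered endpoint (assumption).
    requested = params.get("return", [endpoints[0]])[0]
    if any(_same_endpoint(requested, ep) for ep in endpoints):
        return requested
    return None


def build_discovery_response(return_location: str, idp_entity_id: str) -> str:
    """After the user picks a home organization, redirect back to the SP's
    Discovery Response Endpoint carrying the chosen IdP's entityID."""
    sep = "&" if urlsplit(return_location).query else "?"
    return return_location + sep + urlencode({"entityID": idp_entity_id})
```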