
InCommon WAYF Service

Article Type: Technical
Audience: Federated SP (Service Provider) administrators

The InCommon WAYF (Where Are You From) service will be discontinued on February 2, 2011. It will be replaced by the InCommon Discovery Service, which provides compatibility with SAML V2.0 and Shibboleth 2.x, along with increased flexibility, privacy and security. You can visit the InCommon Discovery Service Page for more information.

Impact on Service Provider (SP)

The majority of SPs will not be affected by the new Discovery Service change. Only users who are registered with InCommon and reference the InCommon WAYF service will need to make the changes outlined below.

If you are running Shibboleth SP v1.3 or older

Note: If you are running Shibboleth SP 1.3 or older, please consider upgrading. It has not been supported since July 2010.

The <SessionInitiator> section of your current shibboleth.xml should look like the example below.

shibboleth.xml (original)
<SessionInitiator id="wayf" Location="/WAYF/InCommon"
     Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
     wayfURL="https://wayf.incommonfederation.org/InCommon/WAYF"
     wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" />

Please change the wayfURL attribute from "https://wayf.incommonfederation.org/InCommon/WAYF" to "https://wayf.incommonfederation.org/DS/WAYF". Your edited shibboleth.xml should look like the example below.

shibboleth.xml (edited)
<SessionInitiator id="wayf" Location="/WAYF/InCommon"
     Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
     wayfURL="https://wayf.incommonfederation.org/DS/WAYF"
     wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" />

Note: The Shibboleth daemon must be restarted for changes to take effect.

If you are running Shibboleth SP versions 2.0 to 2.3

The <SessionInitiator> section of your current shibboleth2.xml should look like the example below.

shibboleth2.xml (original)
<SessionInitiator type="WAYF" acsIndex="5" URL="https://wayf.incommonfederation.org/InCommon/WAYF"/>

Please change the URL attribute from "https://wayf.incommonfederation.org/InCommon/WAYF" to "https://wayf.incommonfederation.org/DS/WAYF". Your edited shibboleth2.xml should look like the example below.

shibboleth2.xml (edited)
<SessionInitiator type="WAYF" acsIndex="5" URL="https://wayf.incommonfederation.org/DS/WAYF"/>

Note: The Shibboleth daemon must be restarted for changes to take effect.

If you are running Shibboleth SP v2.4 or later

Note: Please follow these steps ONLY if you are using the new configuration syntax introduced in 2.4. If you are not, please refer to the changes in the section above.

The <SSO> section of your current shibboleth2.xml should look like the example below.

shibboleth2.xml (original)
<SSO discoveryProtocol="WAYF" discoveryURL="https://wayf.incommonfederation.org/InCommon/WAYF">
SAML1
</SSO>

Please change the discoveryURL attribute from "https://wayf.incommonfederation.org/InCommon/WAYF" to "https://wayf.incommonfederation.org/DS/WAYF". The edited shibboleth2.xml should look like the example below.

shibboleth2.xml (edited)
<SSO discoveryProtocol="WAYF" discoveryURL="https://wayf.incommonfederation.org/DS/WAYF">
SAML1
</SSO>

Note: The Shibboleth daemon must be restarted for changes to take effect.
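
The following is an added example, not part of the original article or of Shibboleth itself: a Python helper that applies the same change to all three configuration syntaxes above and lists any lines that still mention the old WAYF address, such as Tri-Campus links that carry extra parameters. The function names, the sample string and the "example=1" parameter are assumptions made for illustration.

```python
import re

OLD_URL = "https://wayf.incommonfederation.org/InCommon/WAYF"
NEW_URL = "https://wayf.incommonfederation.org/DS/WAYF"

# The three attributes this page changes: wayfURL (SP 1.3),
# URL (SP 2.0 to 2.3) and discoveryURL (SP 2.4 or later).
_ATTR = re.compile(
    r"(?<![\w:.-])(wayfURL|discoveryURL|URL)(\s*=\s*)([\"'])"
    + re.escape(OLD_URL)
    + r"\3"
)


def migrate_wayf(config_text):
    """Rewrite the old WAYF URL; return (new_text, [(line_no, attribute)])."""
    findings = []

    def _swap(match):
        name, equals, quote = match.groups()
        line_no = config_text.count("\n", 0, match.start()) + 1
        findings.append((line_no, name))
        return f"{name}{equals}{quote}{NEW_URL}{quote}"

    return _ATTR.sub(_swap, config_text), findings


def remaining_references(text):
    """Line numbers that still mention the old URL and need a manual edit."""
    return [n for n, line in enumerate(text.splitlines(), 1) if OLD_URL in line]


# Constructed sample: the page's three "original" snippets in one string,
# plus one hypothetical Tri-Campus style link with a made-up parameter.
SAMPLE = """<SessionInitiator id="wayf" Location="/WAYF/InCommon"
     Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
     wayfURL="https://wayf.incommonfederation.org/InCommon/WAYF"
     wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" />
<SessionInitiator type="WAYF" acsIndex="5" URL="https://wayf.incommonfederation.org/InCommon/WAYF"/>
<SSO discoveryProtocol="WAYF" discoveryURL="https://wayf.incommonfederation.org/InCommon/WAYF">
SAML1
</SSO>
<a href="https://wayf.incommonfederation.org/InCommon/WAYF?example=1">Login</a>
"""

if __name__ == "__main__":
    updated, found = migrate_wayf(SAMPLE)
    for line_no, attr in found:
        print(f"line {line_no}: {attr} updated")
    print("manual review:", remaining_references(updated))
```

Run it against a copy of the configuration file and compare the result with the original before replacing it; the Shibboleth daemon still has to be restarted afterwards.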

Tri-Campus Applications

If your application has a custom designed page with links directing users to either the UCLA, UCOP or UC Merced login screen, please make the changes described below.

The current link that references the specific campus's login page should look similar to:

URL (original)
https://wayf.incommonfederation.org/InCommon/WAYF

Please change the URL from "https://wayf.incommonfederation.org/InCommon/WAYF" to "https://wayf.incommonfederation.org/DS/WAYF". The edited link should look like the example below.

Note: The rest of the URL parameters in the link should remain the same.

URL (edited)
https://wayf.incommonfederation.org/DS/WAYF

Before and After

The WAYF page currently looks like the image below.

Once you have made the changes and restarted the Shibboleth daemon, the new Discovery Service should look like the image below.

Note: Tri-Campus applications will remain the same since you are referencing a specific IdP.

Questions/Comments

If you have any questions or comments about the changes that need to be made, please email iamucla@ucla.edu
