The general approach is to invoke the IdP with query string parameters attached to its URL specifying information about the desired SP, as if the IdP had been invoked by the InCommon WAYF. For example, the following URL (with spaces and line breaks removed) could be used by a member of the UCLA community to access the QA instance of At Your Service Online (AYSO).

   https://shb.ais.ucla.edu/shibboleth-idp/SSO?
           shire=https://sseqa.ucop.edu/Shibboleth.sso/SAML/POST&
           target=https://sseqa.ucop.edu/ayso/shibboleth.do&
           providerId=https://sseqa.ucop.edu


The general format of such a URL is:

   IdP_singleSignOnService_Location?
           shire=SP_assertionConsumerService_Location&
           target=SP_Entry_Point&
           providerId=SP_entityDescriptor_entityID


The four query string parameters here are taken from the InCommon metadata for the SP being invoked and for the campus's IdP (the element names below are the capitalized ones used in SAML metadata):

  • IdP_singleSignOnService_Location is the Location attribute of the <SingleSignOnService> element within the IdP's <EntityDescriptor>. Use the endpoint whose Binding is urn:mace:shibboleth:1.0:profiles:AuthnRequest; the shire/target/providerId query string is that Shibboleth 1.x profile, not a SAML 2.0 AuthnRequest.
  • SP_assertionConsumerService_Location is the Location attribute of the <AssertionConsumerService> element within the SP's <EntityDescriptor>. Use the endpoint whose Binding is urn:oasis:names:tc:SAML:1.0:profiles:browser-post (the .../Shibboleth.sso/SAML/POST endpoint in the example). The IdP checks this value against the SP's metadata, so it must be copied exactly.
  • SP_Entry_Point is the URL to which the user's browser should be redirected to invoke the application after the user has been authenticated by the IdP. It does not appear in the InCommon metadata; it should be a URL on the SP named by providerId.
  • SP_entityDescriptor_entityID is the entityID attribute of the SP's <EntityDescriptor>.

Each value should be URL-encoded when it is placed in the query string. In particular, an entry point that itself carries a query string must have its & and = characters encoded, or the IdP will split it into extra parameters. The example above is shown unencoded for readability.

Some considerations:

  • In the long run, it will not be possible for campuses to prepare special links for all Shibboleth-based applications. Campuses should consider if/when their community should become accustomed to interacting with the WAYF.
  • Campus web pages containing these links will likely be discoverable from other campuses via search services like Google, potentially causing confusion for the people who discover those links. Care should be taken to make the link's text explicit about its purpose. For example, "Login to AYSO with your UCInetID" or "AYSO (UCSC only)" would be better than just "AYSO".
  • A good tip is to create a short alias URL for this lengthy URL.  The short URL is easier to remember and type, and it provides a single update point if it becomes necessary to modify any of the parameters in the future.