UCTrust Workgroup
Child pages
  • Invoking UCTrust and InCommon Applications without WAYF Processing

Versions Compared

Old Version 11

changes.mady.by.user WALKER, DAVID

Saved on

compared with

New Version 12

changes.mady.by.user WALKER, DAVID

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The general approach is to invoke the IdP with query string parameters attached to its URL specifying information about the desired SP, as if the IdP had been invoked by the InCommon WAYF. For example, the following URL (with spaces and line breaks removed) could be used by a member of the UCLA community to access the QA instance of At Your Service Online (AYSO).

No Format

   https
Panel
\020https
://
shb
shib.ais.ucla.edu/shibboleth-idp/SSO?

{{ 

           shire=https://sseqa.ucop.edu/Shibboleth.sso/SAML/POST&
}}
{{ 

           target=https://sseqa.ucop.edu/ayso/shibboleth.do&
}}
{{ 

           providerId=https://sseqa.ucop.edu
}}

The general format of such a URL is:{{

No Format

   IdP_SingleSignOnService_Location?

...


           shire=SP_AssertionConsumerService_Location

...

&
           target=SP_Entry_Point

...

&
           providerID=SP_EntityDescriptor_entityID

...

The four query string parameters here are taken from the InCommon metadata for the SP being invoked, as well as the campus's IdP:

  • IdP_SingleSignOnService_Location is is the Location attribute of the <SingleSignOnService\<SingleSignOnService\> object within the IdP's <entityDescriptor>\<entityDescriptor\>.
  • SP_AssertionConsumerService_Location is the Location attribute of the <AssertionConsumerService> object within the SP's <entityDescriptor>.
  • SP_Entry_Pointis the URL to which the user's browser should be redirected to invoke the application after the user has been authenticated by the IdP. It does not appear in the InCommon metadata.
  • SP_EntityDescriptor_entityID is the entityID attribute of the SP's <entityDescriptor>.

...