Invoking UCTrust and InCommon Applications without WAYF Processing
(12/14/2007 - DHW)
This document describes how to invoke a UCTrust / InCommon Service
Provider (SP) without "Where Are You From" (WAYF) processing when the
user's campus Identity Provider (IdP) is already known.
The general approach is to send the user's browser directly to the campus
IdP with query string parameters attached to its URL that identify the
desired SP, exactly as if the IdP had been invoked by the InCommon WAYF.
For example, the following URL (with spaces and line breaks removed) could
be used by a member of the UCLA community to access the QA instance of At
Your Service Online (AYSO).
The URL is assembled from four values. Three are taken from the InCommon metadata entries for the SP being invoked and for the campus's IdP; the fourth, the entry point, is chosen by the campus:
IdP_SingleSignOnService_Location is the Location attribute of the <SingleSignOnService> element within the IdP's <EntityDescriptor>.
SP_AssertionConsumerService_Location is the Location attribute of the <AssertionConsumerService> element within the SP's <EntityDescriptor>.
SP_Entry_Point is the URL to which the user's browser should be redirected to invoke the application after the user has been authenticated by the IdP. It does not appear in the InCommon metadata. Because the SP sends the browser to this URL after it has consumed the assertion, it should be a URL on the SP's own host.
SP_EntityDescriptor_entityID is the entityID attribute of the SP's <EntityDescriptor>.
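The following script is an added example, not part of the original document or of any InCommon or campus tooling. It extracts the three metadata values above from a constructed sample in the InCommon (SAML 2.0 metadata) layout, combines them with a campus-chosen entry point, and emits the WAYF-bypass link. The entityIDs, hostnames and paths in the sample are placeholders, and the query parameter names shire, target and providerId are an assumption (the Shibboleth 1.x SSO names); the page itself does not say which parameter names its four values map to. The builder also refuses an entry point that is not on the SP's own origin, since the SP will redirect the browser there.

```python
"""Build a WAYF-bypass (IdP-initiated) link from SAML metadata.

Added example, not from the original document. SAMPLE_METADATA is a
constructed sample; its entityIDs, hosts and paths are placeholders.
The parameter names shire / target / providerId are assumed to be the
Shibboleth 1.x SSO names; the page does not state its mapping.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# Constructed sample: one IdP and one SP inside a single EntitiesDescriptor,
# as an InCommon aggregate would carry them.
SAMPLE_METADATA = """\
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="urn:mace:incommon:campus.example.edu">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <md:SingleSignOnService
          Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
          Location="https://idp.campus.example.edu/shibboleth-idp/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://ayso-qa.example.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <md:AssertionConsumerService
          Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
          Location="https://ayso-qa.example.edu/Shibboleth.sso/SAML/POST"
          index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def _entity(root, entity_id):
    """Return the <EntityDescriptor> whose entityID matches, or raise."""
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        if ed.get("entityID") == entity_id:
            return ed
    raise KeyError(f"no EntityDescriptor with entityID {entity_id!r}")


def idp_sso_location(metadata_xml, idp_entity_id):
    """Location attribute of the IdP's <SingleSignOnService>."""
    root = ET.fromstring(metadata_xml)
    sso = _entity(root, idp_entity_id).find(
        "md:IDPSSODescriptor/md:SingleSignOnService", NS)
    if sso is None:
        raise KeyError(f"{idp_entity_id!r} has no SingleSignOnService")
    return sso.get("Location")


def sp_acs_location(metadata_xml, sp_entity_id):
    """Location attribute of the SP's <AssertionConsumerService>."""
    root = ET.fromstring(metadata_xml)
    acs = _entity(root, sp_entity_id).find(
        "md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if acs is None:
        raise KeyError(f"{sp_entity_id!r} has no AssertionConsumerService")
    return acs.get("Location")


def same_origin(url_a, url_b):
    """True when both URLs share scheme and host[:port]."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def build_wayf_bypass_url(metadata_xml, idp_entity_id, sp_entity_id, sp_entry_point):
    """Assemble the link a campus page would carry for its own users.

    Refuses an entry point that is not on the SP's origin: the SP redirects
    the browser there after consuming the assertion, so a foreign host would
    turn the campus link into a redirector.
    """
    sso = idp_sso_location(metadata_xml, idp_entity_id)
    acs = sp_acs_location(metadata_xml, sp_entity_id)
    if not same_origin(acs, sp_entry_point):
        raise ValueError(
            f"entry point {sp_entry_point!r} is not on the SP origin of {acs!r}")
    # Assumed Shibboleth 1.x parameter names; urlencode percent-encodes the values.
    params = {"shire": acs, "target": sp_entry_point, "providerId": sp_entity_id}
    return sso + "?" + urlencode(params)


def split_wayf_bypass_url(url):
    """Inverse of build_wayf_bypass_url: (IdP SSO location, {param: value})."""
    parts = urlsplit(url)
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return base, {k: v[0] for k, v in parse_qs(parts.query).items()}


if __name__ == "__main__":
    print(build_wayf_bypass_url(
        SAMPLE_METADATA,
        "urn:mace:incommon:campus.example.edu",
        "https://ayso-qa.example.edu/shibboleth",
        "https://ayso-qa.example.edu/"))
```

The origin check is the practical safeguard: the IdP and SP both validate the assertion, but neither validates where the campus page chose to send the browser afterwards, so the link builder is the place to pin the entry point to the SP.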
Some considerations:
In the long run, it will not be possible for campuses to prepare
special links for all Shibboleth-based applications. Campuses
should consider if/when their community should become accustomed to
interacting with the WAYF.
Campus web pages containing these links will likely be
discoverable from other campuses via search services like Google,
which may confuse people from other campuses who find them.
Care should be taken to make the link's text explicit about its
purpose. For example, "Log in to AYSO with your UCInetID" or "AYSO (UCSC only)" would be better than just "AYSO".