JA T3 Framework

Fast. Flexible. Powerful


How to create a login to a service not seeing WAYF

SAML 2 has a built in feature called "unsolicited responses".
Unsolicited responses means "where to send request that origins from an unknown source".
In a bridged model, aka hub-and-spoke-federations, this can come in handy for transparent establishment of browser sessions with the federation.

This means that a user will transparently get a session with the federation e.g. when logging in locally at the IdP.

Having a session with the federation will make it easier to integrate WAYF-services in local link collections, e-learning systems etc. as no user interaction will be needed for choosing IdP at the federation hub.

If you tinker with your URL you can make your own IdP (identity provider) request a SAML-respons from WAYF and put in where the answer should go if the requester source is unknown.

In the example down below the institutions is "videndjurs and their SSO engine" " the source requested is "WAYF" and the place to put a response from an unsolicited source would be the online dictionary from "Gyldendal"


  1. Institution Idp is a unsolicited source for WAYFs point of view (https://wayf.videndjurs.dk/saml2/idp/SSOService.php)
  2. The source requested is WAYF (?spentityid=https://wayf.wayf.dk)
  3. The place to send unsolicited responses is (&RelayState=https://ordbog.gyldendal.dk/login.ashx)

Please change the URL parts so they fit your needs.

WAYF – Where Are You From
Asmussens Allé, bygning 305
2800 Kgs. Lyngby


You are here