JA T3 Framework

Fast. Flexible. Powerful


How to enter metadata into JANUS, for Service Providers

What is metadata?

Metadata is information about your SAML2 SP that WAYF needs to know to be able to communicate with it: login URLs, contact details, the name of the web service, its purpose description, logotype etc. This information must be entered — and maintained — in an entry for your SAML2 SP in WAYF's metadata registry, “JANUS”.

Logging into JANUS

Go to https://janus.wayf.dk and create a user account — by entering your e-mail address in the field below New accoount, then clicking Send. You will then receive an e-mail with a login token. A good practice is to create a dedicated e-mail address for use with JANUS — and make it readable to any member of your organisation that needs JANUS access — so that future access to your organisation's JANUS metadata won't be limited to you personally. Click the login link in the e-mail, then click the Create button on the resulting browser page. Click Dashboard in the window then appearing and then on the Connections tab.

Once the user account has been created, you can log into it by entering the same e-mail address below Login and clicking Send. Click that of your entries that you want to inspect or edit.

Create metadata entry

On the Connections tab click Create connection to create your SAML2 SP's metadata entry. Then choose SAML 2.0 SP in the Select type box. At Enter new connection ID: you must specify the so-called entity ID — the SAML2 name for your SAML2 SP. This string typically is either a URL or a URN and must appear from your SAML2 server's configuration. The entity ID must correspond to a registered namespace (e.g., a DNS domain) controlled by you. Click Create when you have entered the entity ID.

Insert SSO endpoint

On the resulting screen now choose the Metadata tab. The AssertionConsumerService:0:Location field must be filled in with your SAML2 SP's so-called login endpoint: the URL where your SAML2 SP will receive login responses from WAYF. The correct value must appear from your SAML2 SP's configuration or documentation. If your SAML2 SP has several login URLs, the one corresponding to the HTTP-POST binding must be entered. And the URL must start with https:, not with http:. Implying that your SAML2 SP must run on a HTTPS-enabled server.

Fill in the text fields

The fields name, description must be filled with the official name of your web service and the purpose description agreed for it in the service provider contract, respectively. The purpose description will be displayed for the user in the consent diaogue, together with (the values of) those attributes trasnferred to your web service if he consents. The WAYF Secretariat assures that these string values are correctly filled in before the connection enters WAYF's production environment.

Insert logotype

Your SAML2 SP's metadata must feature the service provider's logotype in one of the formats JPEG, PNG, or GIF. The picture must be maximum 100 pixels high and 250 pixels wide. Click Select and choose icon — and then upload the graphics file through Choose file.

Finishing up

Uncheck the fields redirect.sign, redirect.validate. Place a syntactically valid, base64-encoded X509 certificate in the certData field — for syntactical reasons, not because WAYF will actually use it for anything (cf. WAYF's signing policy here). You could use a certificate from WAYF's own metadata — or perhaps your server's HTTPS certificate.

Other metadata

You don't need to fill in other metadata fields than those described above, though that can be useful in some situations. For instance, if your SAML2 SP supports logout, you can add a logout endpoint (only with the HTTP-Redirect binding). You can also add contact details, in the contacts:n:... fields. Or you can specify that your SAML2 SP wants to receive the agreed-on attribute values in the URI name format (in the AttributeNameFormat field). You enable these extra metadata fields by clicking the green plus sign located below the fields already shown. The need for enabling additional metadata fields can be clarified in cooperation with the WAYF Secretariat.

From Test to Production

Once the required metadata have been registered for your SAML2 SP and saved (by your clicking Save), WAYF's testing environment will, in a matter of few minutes, recognise your SAML2 SP and be able to communicate with it. If you install the metadata for WAYF's testing environment in your SAML2 SP, then, you will be able to test the connection in WAYF's testing environment. When the login flow works there and the service provider contract has been signed, it is time to promote your SAML2 SP's JANUS entry to WAYF's production environment. You request promotion of your connection into WAYF's production system by selecting the state QA Pending (then clicking Save) on the Connection tab. When WAYF has put the entry into production, your SAML2 SP will be able to communicate with WAYF's production server — provided that you have in advance installed metadata for WAYF's production environment in your SAML2 SP.

Editing metadata in production

If at some point you need to edit your metadata following their promotion into the production environment, you will, on the Connection tab, have to put your connection entry into the Test state (remember to click Save). Put the entry into QA Pending again when you have finished editing. Metadata are editable only when then entry is in the Test state.

WAYF – Where Are You From
Asmussens Allé, Building 305
DK-2800 Lyngby


You are here: