JA T3 Framework

Fast. Flexible. Powerful


Metadata update

Visse SP'er mangler attributter efter installation af WAYFs nye metadata

There are no translations available.

Det er en kendt fejl ved WAYFs hidtidige setup (svarende til WAYFs gamle metadata) at hver attributværdi optræder hele to gange i login-svaret til rigtigt mange af SP'erne: én gang med attributtens navn i det såkaldte basic name-format (fx schacPersonalUniqueID) og én gang med attributtens tilsvarende navn i URI-formatet (fx urn:oid: De SP'er som får sådanne login-svar fra WAYFs gamle setup, er: dem for hvilke der inde i JANUS ikke er angivet noget specifikt navneformat (AttributeNameFormat).

WAYFs nye setup (svarende til WAYFs nye metadata) leverer altid kun hver attributværdi i ét navneformat: i URI-formatet hvis dét er angivet for den modtagende SP inde i JANUS – ellers i basic name. SP'er som ikke har specificeret noget navneformat inde i JANUS, men som til trods forudsætter at attributterne leveres i URI-formatet, vil derfor ikke længere modtage de forventede attributter når de indlæser WAYFs nye metadata (som peger på WAYFs nye setup). Berørte tjenesteudbydere kan let løse problemet – ved at sætte AttributeNameFormat til uri inde i JANUS. Repetér evt. (nederste afsnit af) JANUS-quick quide'en.

WAYFs kontrakter med tjenesteudbyderne angiver kun de aftalte attributter i basic name-formatet; og som tjenesteudbyder kan man ikke forudsætte at ens tjeneste får leveret attributværdierne i URI-formatet medmindre man har angivet inde i JANUS at dét skal ske. Applikationer som forudsætter attributleverance i URI-formatet uden specifikation inde i JANUS, forlader sig på udokumenteret funktionalitet i WAYFs gamle setup.

Tip til skift af metadata i en ADFS sat op som claims provider mod WAYF

There are no translations available.

Inden man indlæser WAYFs nye metadata i sin ADFS, skal man have styr på følgende:

  • ADFS'ens setting SignedSamlRequestsRequired skal være sat til false.
  • Inde i JANUS skal flagene redirect.sign og redirect.validate være sat til false.
  • Hvis man importerer WAYFs metadata­signerings­certifikat (se nederst her) i sin keystore, skal man muligvis sørge for at ADFS'en ikke kontrollerer det certifikats chain eller root.

Third notification e-mail on the metadata update

Dear WAYF contact,

Over the past weeks WAYF has sent a number of notification e-mails that services and institutions connected to WAYF will have to update metadata in their WAYF servers in May of 2016.

The new WAYF metadata have now been published at https://metadata.wayf.dk/wayf-metadata.xml and are already operational with WAYF. The old metadata will remain operational up until and including May 30, 2016. Your organisation thus has 19 days, starting today, to update WAYF metadata in your SAML2 server. If you do not take any action, your WAYF connection will cease to function on May 31, 2016.

You must consult the manual for your SAML2 software to learn how to update metadata with your particular SAML2 product. WAYF cannot offer any assistance for particular SAML2 products, but merely give you the following, rather abstract guidance:

If your SAML2 software supports updating its metadata from a URL, all you have to do is entering https://metadata.wayf.dk/wayf-metadata.xml in the right place in the configuration of your SAML2 platform – and perhaps activate an import function.

If your WAYF server's SAML2 software does not support URL-based metadata updating, then you can, alternatively, download the file at https://metadata.wayf.dk/wayf-metadata.xml, and manually copy the metadata XML from there into the right place in the configuration of your SAML2 software. Please note that browsers often alter XML contents when displaying XML documents.

Certain SAML2 implementations do not at all support reading XML-based metadata but instead use a special format of their own. If your WAYF server uses such a SAML2 implementation, you will have to extract manually certain values from WAYF's new metadata and insert them in the right places in your SAML2 software's configuration. Services (i.e., SPs) will need to be fed at least the signing certificate (the value of the ds:X509Certificate element within the md:IDPSSODescriptor) and the SSO URL (the value of Location in the md:SingleSignOnService element).

Be sure to be able to roll back in case you fail to get the new WAYF metadata working initially. The old metadata will remain operational until May 30, 2016, including that day.

For institutions in particular – IMPORTANT: If your WAYF server is currently configured to validate signatures on login requests received from WAYF, it is crucially important that you switch off this signature validation in your local configuration prior to installing WAYF's new metadata. If your server expects requests from WAYF to be signed, it won't work with WAYF's new metadata.

Signed metadata: Please note that WAYF signs its metadata feeds using the private key corresponding to the certificate published here. Applying that certificate's public key you will thus be able to verify that WAYF is indeed the issuer of the metadata at https://metadata.wayf.dk/wayf-metadata.xml.

Best regards,
WAYF Secretariat

E-mail notifying of metadata update postponement

Dear WAYF contact,

WAYF postpones the publishing and putting into operation of new metadata, originally scheduled to happen today. We expect to be ready on Wednesday, May 11 instead. All service and identity providers will receive a notification e-mail as soon as the new WAYF metadata are available.

Follow updates on WAYF's May, 2016 metadata update here, with RSS version here.

Best regards,
WAYF Secretariat

Notification e-mail: BIRK feed to be signed with a different key

Dear WAYF Service Provider,

You receive this e-mail because WAYF has you registered as a technical contact for a SAML2 SP service connected to WAYF - Where Are You From, the Danish e-identity federation for research and higher education.

WAYF wants to notify you of a change in its technical setup that might require minor modification in the setup of your own SAML2 SP server:

If your SAML2 SP server regularly reads the IdP feed located at https://metadata.wayf.dk/birk-idp.xml, and upon reading that feed checks the signature of this XML document against WAYF's metadata signing certificate, you will need to begin using a different metadata signing certificate from WAYF against which to validate the signature. The new signing certificate will be released here. WAYF will begin signing the feed at https://metadata.wayf.dk/birk-idp.xml with the new certificate at 8:00 UTC on Wednesday, May 4, 2016.

If your SAML2 SP connecting to WAYF does not read the feed at https://metadata.wayf.dk/birk-idp.xml, you can safely ignore this notification e-mail.

Best regards,
WAYF Secretariat

Second notification e-mail on the metadata change

Regarding update of WAYF metadata, as announced on April 20th, 2016.

 Recently WAYF introduced a new system for handling and protecting crypto keys. New keys have been generated for signing WAYF’s SAML traffic which is the reason why everyone connected to WAYF must now update their local WAYF systems.

The task is to update your local WAYF systems with new SAML metadata for WAYF, which describes at a technical level the connection to WAYF, including crypto keys.

During a 21 day sunset period in May you can change your local configuration at a time you find convenient. Both the old and the new metadata will work during this time.

It should be noted that the change in question is a configuration change, not a system update or change in code of running systems. You must change the url pointing to WAYF’s metadata, to point to the new address.

To be able to verify the cryptographic signature on the new metadata, you will also have to update the certificate WAYF uses to sign its metadata. That certificate will be e-mailed to you when the new metadata url is announced on May 9, 2016.

From this time on, WAYF will recommend that local WAYF systems automatically update SAML metadata for WAYF every six hours. This may be seen as part of a disaster recovery plan in which rebuild and distribution of new metadata is a solution. If done automatically, the task will be less burdensome. It can be argued to be an overly precaucious approach, but we reckon it is easier to suggest this change at this time, as all have to make changes anyway.

Alternatively you may copy-paste the metadata manually from WAYF’s metadata url to your local WAYF configuration. We don’t recommend that, however, as that would require manual intervention in emergency scenarios.

Important dates:

  • May 9th, 2016, 9:00 CET: New WAYF SAML metadata is made public and put into operation, will run in parallel with the old metadata until May 30th 10:00 CET.
  • May 30th, 2016, 9:00 CET: Old WAYF metadata no longer operational. WAYF-based login will no longer work if the systems have not been updated.

We include the following collection of links relating to updating metadata with common SAML2 implementations, for your inspiration:

Best regards,
WAYF Secretariat

First notification e-mail on the metadata change

To whom it may concern, regarding your technical connection to WAYF - Where Are you From.

(If you find someone else in your organisation is a more suitable receiver of this correspondence, please send name, email and phone number to This e-mail address is being protected from spambots. You need JavaScript enabled to view it )

This is a notification about coming technical changes to the technical connection to WAYF, which will affect all connected web-based services as well as connected institutions.

A detailed description of what needs to changed will follow in the coming week. The purpose of this email is to notify you, so you can allocate ressources for change management in the near future.

The changes must be applied during the time from May 9th to May 30th 2016.

The background for the changes is WAYF’s introduction of a hardware security module (HSM) for handling cryptographic keys. The HSM system is already running, using the old keys, which must now be changed.

This implies that all connected services and institutions must update the SAML metadata about WAYF, in order to ‘move’ to the new setup with the new keys.

We take the opportunity to inform you that WAYF will stop checking the signature of SAML authentication requests, to align better with international practices - without lowering the security of the connected services.

WAYF will also remove the double-signing of both SAML assertions and responses: only the responses will be signed.

Of due diligence we inform you that WAYF has no formal responsibility of your local SAML implementations e.g. simpleSAMLphp or ADFS. This being said, we will do our best to make the process as smooth as possible. Please send inquiries related to metadata update to: This e-mail address is being protected from spambots. You need JavaScript enabled to view it

Kind regards

David Simonsen
Head of WAYF - Where Are You From

WAYF to replace signing certificate in 2016

In May of 2016 WAYF will replace the private key it uses for signing SAML data transmitted to services and institutions connected to the federation.

This will require action on the part of services and institutions: They will have to integrate the new signing certificate into their WAYF setups.

On this page and pages linked to from it, WAYF will runningly inform technicians responsible for WAYF at services and institutions of how to relate to the certificate replacement. We will publish tips, tricks and guides based on our experience from WAYF's latest signing certificate replacement back in 2012.

In addition to publishing all relevant information here, WAYF will also notify its service providers and institutions through e-mail, in time.

The reason why the certificate will not, as previously planned, be replaced in 2017, but already in 2016, is that WAYF has this spring integrated into its setup a hardware security module (HSM) as a signing component — and on that occasion produced a new RSA key pair and issued a corresponding new certificate — which WAYF will put into operation in May. In the future, all signing of SAML2 data at WAYF will be done within the HSM. This is where the new private key is generated and located, and it is physically impossible for it to be exposed — in contradistinction to a private key located in a server.

WAYF – Where Are You From
Asmussens Allé, Building 305
DK-2800 Lyngby


You are here: