The WAYF system consists of a central server communicating with two kinds of systems: identity providers and service providers. Identity providers supply information about their users to service providers through the WAYF server:
From Identity Provider to Service Provider through WAYF
The data exchange proceeds as follows, from the moment a user attempts to access a service until the service grants access:
- The user enters the service provider's website and is redirected to WAYF's website.
- At WAYF's website the user selects the identity provider with which to log in.
- The user is taken to log in at either the identity provider's own website or a web page run by WAYF on behalf of the identity provider, and enters his user name and password. In the latter case it is WAYF, not the identity provider's site, that receives the credentials.
- With the user logged in, WAYF fetches all the information about the user from the identity provider's user account database, through LDAP (Lightweight Directory Access Protocol) or SAML 2 (Security Assertion Markup Language version 2).
- Back at WAYF's website the user is shown the information that WAYF intends to supply to the service. The user has to consent before the information is transferred. At the same time the user can have WAYF store the consent, and so avoid having to give it again when accessing that service through WAYF in the future.
- Once consent is given, the selected user information is sent to the service provider through SAML 2 or, alternatively, Shibboleth 1.3. An attribute filter configured for each service provider ensures that only the information relevant to that particular service is transferred.
- The user is then taken to the service's website. Access is granted if the service provider finds the information it received sufficient; that decision rests with the service provider.
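The consent and filtering steps above are the security-relevant part of the flow: the identity provider hands WAYF everything it holds about the user, and only the per-service filter plus the user's consent decide what the service actually receives. The following is an added example illustrating that logic, not code from WAYF itself. It assumes constructed IdP attributes, made-up service provider entity IDs, and a simple per-SP allow-list; the one design choice it demonstrates beyond the text is that a stored consent is tied to a hash of the exact attribute names and values released, so that a changed attribute set (or a changed filter) makes WAYF ask the user again rather than silently releasing more than was consented to.

```python
import hashlib
import json

# Constructed example: the attributes WAYF would have fetched for one user from
# the identity provider's directory via LDAP or SAML 2. Not real data.
IDP_ATTRIBUTES = {
    "eduPersonPrincipalName": ["alice@example.edu"],
    "mail": ["alice@example.edu"],
    "eduPersonScopedAffiliation": ["student@example.edu"],
    "displayName": ["Alice Andersen"],
    "schacPersonalUniqueID": ["urn:example:personalUniqueID:0000000000"],
}

# Per-service-provider release filter (entity IDs are made up for this example).
# An attribute not listed for an SP never leaves WAYF, whatever the IdP supplied.
SP_FILTERS = {
    "https://sp.example.org/saml2": {
        "eduPersonPrincipalName", "mail", "eduPersonScopedAffiliation",
    },
    "https://library.example.org/shibboleth": {"eduPersonScopedAffiliation"},
}


def filter_attributes(attributes, sp_entity_id):
    """Keep only the attributes the SP's filter allows; an unknown SP gets nothing."""
    allowed = SP_FILTERS.get(sp_entity_id, set())
    return {name: list(values) for name, values in attributes.items() if name in allowed}


def consent_fingerprint(user_id, sp_entity_id, released):
    """Hash of user, SP and the exact attribute set to be released.

    Binding stored consent to this value means that if the filter widens or an
    attribute value changes, the old consent no longer matches and the user is
    asked again (assumption of this example, not a statement about WAYF).
    """
    canonical = json.dumps(
        [user_id, sp_entity_id, sorted((k, sorted(v)) for k, v in released.items())]
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ConsentStore:
    """Remembered consents, keyed by fingerprint. In-memory stand-in for a database."""

    def __init__(self):
        self._fingerprints = set()

    def has(self, fingerprint):
        return fingerprint in self._fingerprints

    def remember(self, fingerprint):
        self._fingerprints.add(fingerprint)


def release_to_sp(user_id, sp_entity_id, attributes, store, ask_user):
    """Run filter + consent for one login.

    ask_user(released) stands in for the consent page and returns
    (accepted, remember). Returns (released_attributes_or_None, prompted).
    """
    released = filter_attributes(attributes, sp_entity_id)
    fingerprint = consent_fingerprint(user_id, sp_entity_id, released)
    if store.has(fingerprint):
        # Identical release previously consented to and remembered: no prompt.
        return released, False
    accepted, remember = ask_user(released)
    if not accepted:
        # Nothing leaves WAYF without consent.
        return None, True
    if remember:
        store.remember(fingerprint)
    return released, True


if __name__ == "__main__":
    store = ConsentStore()
    sp = "https://sp.example.org/saml2"
    accept_and_remember = lambda released: (True, True)
    first, prompted = release_to_sp("alice", sp, IDP_ATTRIBUTES, store, accept_and_remember)
    print("first login, prompted:", prompted, "released:", sorted(first))
    second, prompted = release_to_sp("alice", sp, IDP_ATTRIBUTES, store, accept_and_remember)
    print("second login, prompted:", prompted)
```

Note that `displayName` and the personal identifier never reach either service provider here even though the identity provider supplied them, and that the library service sees only the affiliation. Whether the service then grants access is, as in the text, its own decision based on what it received.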