Self-service in JANUS (Joint Administration Net-based User Self-service)

Once the SAML2 software has been installed by the service provider he should register as a user at WAYF's self-service portal, JANUS. The manual will soon be available as a PDF. One registers a mail address and then receives an e-mailed access token. In the self-service portal it is now possible to register the metadata for the service. Once the metadata have been registered in the portal, they are recognised by WAYF's test environment within five minutes. As a service provider one must register the metadata for WAYF as an IdP where the SAML2 software expects it.

WAYF would like to get feedback on what could be enhanced in the self-service portal.

The below flow diagram depicts the series of well-defined states passed through by the nascent WAYF connection during development:

Attribute Release Policy (ARP)

See a table of the Attribute Release Profiles for the services connected to WAYF.

WAYF's attribute profiles

Normal profile

• schacHomeOrganization
• eduPersonTargetedID (persistent pseudonymous userID at service)

Extended profile I

• schacHomeOrganization
• eduPersonTargetedID (persistent pseudonymous userID at service)
• eduPersonPrimaryAffiliation

Extended profile II

• schacHomeOrganization
• eduPersonTargetedID (persistent pseudonymous userID at service)
• eduPersonPrimaryAffiliation
• SurName
• GivenName
• CommonName

Extended profile III

• schacHomeOrganization
• eduPersonTargetedID (persistent pseudonymous userID at service)
• eduPersonPrimaryAffiliation
• SurName
• GivenName
• CommonName
• mail

Metadata

If you are a service provider in need of WAYF metadata, these can be downloaded below. In this context WAYF acts as your identity provider.

The WAYF metadata may only be used for connecting to WAYF, and at your own risk. Any other usage must be approved by the WAYF Secretariat.

Production system metadata

• SAML 2 metadata for WAYF as identity provider
• Shibboleth 1.3 metadata for WAYF as identity provider

Quality Assurance (QA) system metadata

• SAML 2 metadata for WAYF as identity provider

Test system metadata

• SAML 2 metadata for WAYF as identity provider

Choosing the IdP directly at the service

WAYF offers two different kinds of support for this functionality. The one is scoping, available with SAML 2 connections; the other is WAYF's specially developed proxy for institutions, BIRK (Bridged Interface for Remotely Keyed IdPs), compatible with Shibboleth versions newer than 1.3 as well as with SAML 2.

Certificates

How-tos

We've written some how-tos, and will link to other relevant documentation:

• How to become a service provider in the WAYF identity federation (pdf-format)
• How to describe 'the purpose of the service'

And besides the above how-tos we've collected some tip-offs:

• 2008_11_28_how_to_connect_service_providers_to_wayf.pdf (pdf-format)
• How to base64 encode attributes
• How to convert pfx certificate to pem format
• Use of OIOSAML.Net class in the WAYF federation
• How to connect EZproxy to SimpleSAMLphp using SAML2
• Typo3 SAML2 module