What is BIRK?
BIRK (Bridged Interface for Remotely Keyed IdPs) is a proxy for all institutions connected to WAYF. BIRK operates by means of SAML2, like the central WAYF setup. BIRK exposes one unique end point for each institution connected, making it possible to connect directly to each institution without the users' having to go through WAYF's discovery service ("the WAYF"). BIRK internally works by a request's being made to WAYF by use of scoping, causing the choice of institution to be made on the service side. This has the same functionality as using scoping directly through WAYF. Read more about scoping here.
Utility for Service Providers
One reason for a service to choose a BIRK setup might be the wish for the service's user to avoid WAYF's discovery service and be referred directly to his identity provider. A service might also take advantage of BIRK in constructing a discovery service of its own. If for instance the service has only four customers among all of WAYF's identity providers, it might be desirable to establish a local discovery service exposing only these four IdPs. The user now will see, and have to choose from among, only those four institutions, and will upon selection be referred directly to the log-in page of the one chosen.
Utility for Identity Providers
When a service chooses to use either BIRK or scoping, this benefits identity providers by allowing them to discover from what service a user was referred. The identity provider can choose to utilise this information, e.g. to maintain statistics over the use of the service in question. Identity providers' attention, however, is drawn to the fact that this information is not available with services employing a regular WAYF setup.
Where are the metadata?
See the technical documentation for BIRK.How often must metadata be updated?
See the technical documentation for BIRK.
Link to SSP description of meta-refresh function
It is among the prerequisites for using BIRK that the SAML2 software used by the service to connect to WAYF supports automated updating of metadata. With new identity providers admitted to WAYF all the time, services utilising BIRK have to update their metadata runningly. In the case of SimpleSAMLphp, a module for automated metadata updating is included — see documentation here. WAYF strongly recommends updating to the newest version of this software if automated metadata updating with SimpleSAMLphp is desired.
Can be used with an ADFSv2 setup
Some services have experienced problems with ADFSv2 when using SAML2 authentication request scoping elements (IdP choice at the SP side). ADFSv2 does not support SAML2 scoping.
WAYF has changed the handling of SAML2 scoping elements so that they are no longer conveyed to the IdP side, even though an authentication request is issued. This behaviour is not in accordance with the SAML2 specifiation but is seen as a necessary 'tweak' to allow ADFSv2 IdPs to function properly.
As soon as ADFSv2 supports SAML2 scoping elements, WAYF will return to the behaviour described in the specification.