Service Providers need to provide IDP Discovery, i.e., allowing subjects to choose the Identity Provider they want to log in with. Ideally that's done by integrating it within their application, see the REFEDS Discovery Guide for details.

ACOnet currently recommends using one of these Free/Libre software projects, which can be integrated with most any software or website:

  • Shibboleth EDS (HTML/JS- only, fully stand-alone, requires a set of IDPs in JSON format as produced by the Shibboleth SP software)
  • SWITCHwayf (PHP server software; its "embedded" integration method is HTML/JS-only but still requires a full SWITCHwayf instance elsewhere, though ACOnet provides one such instance)
  • Seamless Access (an external service not operated by ACOnet) provides several integration methods ("flavors") and may already be known to some/many of your service's users from other services' reliance on Seamless Access.
    • Note that the button from the so-called "Standard" integration method will never remember selected IDPs (and therefore has a worse UX than any of the alternatives) if the web browser blocks third-party cookies (as all browsers should, to protect their users' privacy from pervasive web surveillance). That's a bit unfortunate since SeamlessAccess only stores your recently used IDPs in your web browser's local storage. But it's the attempted access to those locally remembered IDP selections from/across multiple web sites (i.e., the web sites embedding the SeamlessAccess button/code) that requires cross-site access to your local storage and therefore triggers the browser's privacy protection (if enabled). This integration method will therefore likely be collateral damage once more web browsers will block more kinds of cross-site access to cookies and local storage.
    • The issue mentioned above is actively being worked on. And until then it only takes a single click on the "Access through your institution" button to take the subject to the Seamless Access site where previously used IDPs are presented (and can be added/removed) and logging in to an IDP can be initiated with another single click. So at least in this case the "fallout" seems rather limited.


Embedded IDP Discovery Demo

See SAML Demo SP, section "IDP Discovery Services" for demonstrations of the suggested IDP Discovery Services on the eduID.at Demo SP web site.

Contact ACOnet for questions with regard to integrating IDP discovery into your eduID.at Service Provider. 

Fallback discovery services

If all else fails you can make use of one of the central "fallback" discovery interfaces provided by ACOnet.

The SWITCHwayf software may be familiar to subjects from ACOnet participant institutions since versions of that have been in use at since 2007. This software still works (without its more dynamic features) when JavaScript is disabled in the web browser (though not much else on the web will work in such a setup):

SWITCHwayf with ACOnet-registered IDPs

https://eduid.at/ds/wayf/

SWITCHwayf with ACOnet-registered IDPs plus Interfederation IDPs

https://eduid.at/ds/wayf/interfed/

An alternative external fallback IDP discovery service is the SeamlessAccess one, when used with their "Limited" integration method. (Though you can use their other integration methods, too, of course.)

  • Keine Stichwörter