Versions compared

Comment: update link

Service Providers need to provide IDP Discovery, i.e., allowing subjects to choose, from all available/desirable Identity Providers, the one they want to log in with. Ideally that's done by integrating it within their application. See the REFEDS Discovery Guide for details on why and how.

ACOnet currently recommends using one of these available Free/Libre software projects, which can be integrated with almost any software or website:

  • Shibboleth EDS (HTML/JS-only, fully stand-alone, requires a set of IDPs in JSON format as produced by the Shibboleth SP software)
  • DiscoJuice
  • SWITCHwayf (PHP server software; its "embedded" integration method is HTML/JS-only but still requires a full SWITCHwayf instance elsewhere, though ACOnet provides one such instance)
  • Seamless Access (an external service not operated by ACOnet) provides several integration methods ("flavors") and may already be known to some/many of your service's users from other services' reliance on Seamless Access.
    • Note that the button from the so-called "Standard" integration method will never remember selected IDPs (and therefore has a worse UX than any of the alternatives) if the web browser blocks third-party cookies (as all browsers should, to protect their users' privacy from pervasive web surveillance). That's a bit unfortunate since SeamlessAccess only stores your recently used IDPs in your web browser's local storage. But it's the attempted access to those locally remembered IDP selections from/across multiple web sites (i.e., the web sites embedding the SeamlessAccess button/code) that requires cross-site access to your local storage and therefore triggers the browser's privacy protection (if enabled). This integration method will therefore likely be collateral damage once more web browsers block more kinds of cross-site access to cookies and local storage.
    • The issue mentioned above is actively being worked on. And until then it only takes a single click on the "Access through your institution" button to take the subject to the Seamless Access site where previously used IDPs are presented (and can be added/removed) and logging in to an IDP can be initiated with another single click. So at least in this case the "fallout" seems rather limited.
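As an added example (not the page's own code, nor that of any of the projects listed above) of what an embedded discovery integration does in the browser: the JavaScript below reduces a Shibboleth SP DiscoFeed to a selectable list, accepts a chosen entityID only if it is in that list before handing it to the SP's Login handler, and remembers recent choices in the SP's own first-party storage, which is the approach that keeps working when browsers block cross-site storage. Assumed here: the DiscoFeed JSON shape (entityID plus DisplayNames), the /Shibboleth.sso/Login handler with its entityID and target parameters, and a getItem/setItem storage object such as window.localStorage; the IdPs in the sample feed are constructed.

```javascript
// Added example, not the page's or Shibboleth's own code: the core of an
// embedded IdP discovery step for a Shibboleth SP, without DOM code. Assumes
// the SP's DiscoFeed JSON handler and its /Shibboleth.sso/Login handler;
// "storage" is any getItem/setItem object (window.localStorage in a browser).

// Constructed sample in DiscoFeed format (hypothetical IdPs, not real metadata).
const SAMPLE_DISCOFEED = JSON.stringify([
  { entityID: "https://idp.example-uni.at/idp/shibboleth",
    DisplayNames: [{ value: "Example University", lang: "en" },
                   { value: "Beispiel-Universität", lang: "de" }] },
  { entityID: "https://idp.example-fh.at/idp/shibboleth",
    DisplayNames: [{ value: "Beispiel-FH", lang: "de" }] },
]);
// Reduce the feed to { entityID, name } pairs, preferring the given language.
function parseDiscoFeed(jsonText, lang = "en") {
  return JSON.parse(jsonText).map((e) => {
    const names = e.DisplayNames || [];
    const pick = names.find((n) => n.lang === lang) || names[0];
    return { entityID: e.entityID, name: pick ? pick.value : e.entityID };
  });
}

// The selection comes from the browser: only an entityID present in the feed
// is forwarded to the SP's session initiator, never an arbitrary value.
function buildLoginUrl(spBase, feed, chosenEntityID, target) {
  if (!feed.some((e) => e.entityID === chosenEntityID)) {
    throw new Error("unknown IdP selected");
  }
  const params = new URLSearchParams({ entityID: chosenEntityID, target });
  return `${spBase}/Shibboleth.sso/Login?${params}`;
}

const REMEMBER_KEY = "eduid-discovery-recent-idps";
// Remember recent choices in the SP's own first-party storage; unlike
// cross-site storage this still works when third-party access is blocked.
function rememberIdp(storage, entityID, max = 3) {
  const recent = JSON.parse(storage.getItem(REMEMBER_KEY) || "[]")
    .filter((id) => id !== entityID);
  recent.unshift(entityID);
  const kept = recent.slice(0, max);
  storage.setItem(REMEMBER_KEY, JSON.stringify(kept));
  return kept;
}

// Recall remembered IdPs, dropping any that are no longer in the feed.
function recentIdps(storage, feed) {
  const known = new Set(feed.map((e) => e.entityID));
  return JSON.parse(storage.getItem(REMEMBER_KEY) || "[]").filter((id) => known.has(id));
}
```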


Embedded IDP Discovery Demo

See SAML Demo SP, section "IDP Discovery Services" for demonstrations of the suggested IDP Discovery Services on the eduID.at Demo SP web site.

Contact ACOnet for questions about integrating IDP discovery (using one of these implementations) into your eduID.at Service Provider or website.

Fallback discovery services

If all else fails you can make use of one of the central "fallback" discovery interfaces provided by ACOnet.

The SWITCHwayf software may be more familiar to subjects from ACOnet participant institutions since versions of it have been in use at https://wayf.aco.net/ since 2007. This software still works (without its more dynamic features) when JavaScript is disabled in the web browser (though not much else on the web will work in such a setup):

SWITCHwayf with ACOnet-registered IDPs: https://eduid.at/ds/wayf/

SWITCHwayf with ACOnet-registered IDPs plus Interfederation IDPs: https://eduid.at/ds/wayf/interfed/


The DiscoJuice software has a more unusual look and feel but also provides additional features such as grouping (and limiting) IdPs by country or sorting suggested IdPs based on their distance via geolocation of the web browser. This DiscoJuice instance does not currently work when JavaScript is disabled:

DiscoJuice with ACOnet-registered IdPs: https://eduid.at/ds/juice/

DiscoJuice with ACOnet-registered IdPs plus Interfederation IdPs: ...

An alternative external fallback IDP discovery service is the SeamlessAccess one, when used with their "Limited" integration method. (Though you can use their other integration methods, too, of course.)