Versions compared

Comment: update link

Service Providers need to provide IDP Discovery, i.e., allow subjects to choose the Identity Provider they want to log in with. Ideally that's done by integrating it within their application; see the REFEDS Discovery Guide for details.

ACOnet currently recommends using one of these Free/Libre software projects, which can be integrated with almost any software or website:

  • Shibboleth EDS (HTML/JS-only, fully stand-alone; requires the set of IDPs in JSON format as produced by the Shibboleth SP software, e.g. its DiscoFeed handler)
  • SWITCHwayf (PHP server software; its "embedded" integration method is HTML/JS-only but still requires a full SWITCHwayf instance elsewhere, though ACOnet provides one such instance)
  • SeamlessAccess (an external service not operated by ACOnet) provides several integration methods ("flavors") and may already be known to some/many of your service's users from other services' reliance on SeamlessAccess.
    • Note that the button from the so-called "Standard" integration method – arguably SeamlessAccess' main achievement – will never remember selected IDPs (and therefore has a worse UX than any of the existing alternatives) if the web browser blocks third-party cookies (as all browsers should, to protect their users' privacy from pervasive web surveillance). That's a bit unfortunate since SeamlessAccess doesn't do anything nefarious with its cross-site access: it only stores your recently used IDPs in your web browser's local storage. But it's the attempted access to those locally remembered IDP selections from/across multiple web sites (i.e., the web sites embedding the SeamlessAccess button/code) that requires cross-site access to that local storage and therefore triggers the browser's privacy protection (if enabled). This integration method will therefore likely be collateral damage once more web browsers block more kinds of cross-site access to cookies and local storage.
    • The issue mentioned above is actively being worked on. Until then it only takes a single click on the "Access through your institution" button to take the subject to the SeamlessAccess site, where previously used IDPs are presented (and can be added/removed) and logging in to an IDP can be initiated with another single click. So at least in this case the "fallout" seems rather limited.


Embedded IDP Discovery Demo

See the SAML Demo SP, section "IDP Discovery Services", for demonstrations of the suggested IDP Discovery Services on the eduID.at Demo SP web site.

Contact ACOnet with questions about integrating IDP discovery into your eduID.at Service Provider.

...

If all else fails you can make use of one of the central "fallback" discovery interfaces provided by ACOnet.

The SWITCHwayf software may be more familiar to subjects from ACOnet participant institutions, since versions of it have been in use there since 2007. This software still works (without its more dynamic features) when JavaScript is disabled in the web browser (though not much else on the web will work in such a setup):

SWITCHwayf with ACOnet-registered IDPs:

https://eduid.at/ds/wayf/


SWITCHwayf with ACOnet-registered IDPs plus Interfederation IDPs:

https://eduid.at/ds/wayf/interfed/

An alternative external fallback IDP discovery service is SeamlessAccess, when used with its "Limited" integration method. (Though you can use its other integration methods, too, of course.)
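As an added example (not ACOnet's or eduID.at's code, and not taken from Shibboleth EDS, SWITCHwayf or SeamlessAccess), the following JavaScript walks through one IDP discovery round trip that covers both halves of this page: the Service Provider handing the subject off to a central fallback discovery service (this section) and an embedded chooser that remembers selections in the site's own first-party storage (the point made about the SeamlessAccess "Standard" button in the list above). It assumes the discovery service accepts SAML IdP Discovery Protocol parameters (entityID, return, returnIDParam), an IDP list in the DiscoFeed-style JSON shape Shibboleth EDS consumes, and a localStorage-like object; all hostnames and the feed are constructed for the example.

```javascript
// Added example (not ACOnet/eduID.at code): one IDP discovery round trip in
// plain JavaScript, runnable under Node without a browser or network.
// Assumptions not taken from the page: the central discovery service accepts
// SAML IdP Discovery Protocol parameters (entityID, return, returnIDParam),
// the IDP list is a DiscoFeed-style JSON array as consumed by Shibboleth EDS,
// and `storage` is any object with getItem/setItem (window.localStorage in a
// browser). All hostnames are made up.
'use strict';

// Constructed sample feed (DiscoFeed shape: entityID plus localized names).
const SAMPLE_FEED = [
  { entityID: 'https://idp.example-uni.at/idp/shibboleth',
    DisplayNames: [{ value: 'Example University', lang: 'en' },
                   { value: 'Beispiel-Universität', lang: 'de' }] },
  { entityID: 'https://idp.example-fh.at/idp/shibboleth',
    DisplayNames: [{ value: 'Example FH', lang: 'en' }] },
];

// SP side: redirect the subject to a central (fallback) discovery service.
function buildDiscoveryRequest(dsUrl, spEntityId, returnUrl, returnIdParam = 'entityID') {
  const u = new URL(dsUrl);
  u.searchParams.set('entityID', spEntityId);
  u.searchParams.set('return', returnUrl);
  u.searchParams.set('returnIDParam', returnIdParam);
  return u.toString();
}

// DS side: parse the request and refuse a `return` URL that is not registered
// for that SP (allowedReturns maps SP entityID -> list of URL prefixes).
// Without this check the discovery service is an open redirector.
function parseDiscoveryRequest(requestUrl, allowedReturns) {
  const u = new URL(requestUrl);
  const spEntityId = u.searchParams.get('entityID');
  const returnUrl = u.searchParams.get('return');
  const returnIdParam = u.searchParams.get('returnIDParam') || 'entityID';
  if (!spEntityId || !returnUrl) throw new Error('entityID and return are required');
  const prefixes = allowedReturns[spEntityId] || [];
  if (!prefixes.some((p) => returnUrl.startsWith(p))) {
    throw new Error('return URL not registered for ' + spEntityId);
  }
  return { spEntityId, returnUrl, returnIdParam };
}

// Chooser: case-insensitive substring match over every localized display name.
function filterIdps(feed, query) {
  const q = query.trim().toLowerCase();
  if (!q) return feed;
  return feed.filter((e) => e.DisplayNames.some((d) => d.value.toLowerCase().includes(q)));
}

// Remember the last selections in the embedding site's own (first-party)
// storage. Unlike the cross-site storage a SeamlessAccess "Standard" button
// reads, this is not affected by third-party cookie/storage blocking; the
// trade-off is that the memory is per site, not shared across services.
const STORAGE_KEY = 'eduid.idpSelection';

function readSelections(storage) {
  try {
    const v = JSON.parse(storage.getItem(STORAGE_KEY) || '[]');
    return Array.isArray(v) ? v.filter((x) => typeof x === 'string') : [];
  } catch (e) {
    return []; // corrupt or foreign value in storage: treat as empty
  }
}

function rememberSelection(storage, entityId, max = 3) {
  const next = [entityId, ...readSelections(storage).filter((e) => e !== entityId)].slice(0, max);
  storage.setItem(STORAGE_KEY, JSON.stringify(next));
  return next;
}

// Hand the choice back to the SP. Only an entityID present in the feed may be
// returned; anything else is attacker-controlled input, not a selection.
function buildReturnUrl(req, feed, chosenEntityId) {
  if (!feed.some((e) => e.entityID === chosenEntityId)) throw new Error('unknown IdP');
  const u = new URL(req.returnUrl);
  u.searchParams.set(req.returnIdParam, chosenEntityId);
  return u.toString();
}

// In-memory stand-in for window.localStorage so the demo runs under Node.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => { m.set(k, String(v)); } };
}

// Full round trip: SP -> DS -> chooser -> SP.
function demo() {
  const sp = 'https://sp.example.at/shibboleth';
  const req = buildDiscoveryRequest('https://ds.example.at/wayf/', sp,
    'https://sp.example.at/Shibboleth.sso/Login?target=%2Fsecure');
  const parsed = parseDiscoveryRequest(req, { [sp]: ['https://sp.example.at/Shibboleth.sso/'] });
  const chosen = filterIdps(SAMPLE_FEED, 'beispiel')[0].entityID;
  const remembered = rememberSelection(memoryStorage(), chosen);
  return { back: buildReturnUrl(parsed, SAMPLE_FEED, chosen), remembered };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Run it with node; in a browser, pass window.localStorage instead of memoryStorage() and render the filterIdps() results into your chooser. The two checks worth keeping in any real integration are the return-URL allow-list in parseDiscoveryRequest (otherwise the discovery service is an open redirector for every SP that uses it) and the feed-membership check in buildReturnUrl (so a crafted link cannot send the subject to an IDP that is not in the federation).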