New WAYF User Interface (technical details)

Posted on Wednesday, 29 June 2011

This announcement describes improvements to the UK federation's central discovery service (WAYF) which will take effect from 15-August-2011, and suggests additional information you may wish to add to the metadata for your entities in order to maximise the benefits that users will receive from these changes.

New Central Discovery Service Interface

The UK federation's central discovery service was given an improved user interface in December 2010, based on the initial results of the JISC Service Provider Interface Study and other user experience testing. This second-generation interface was produced as the first step in a program of improvement work involving a cross-sector group of experts led by JANET(UK). Further work by that group has produced a more refined user experience for the UK federation's central discovery service, which will be put into service on Monday, 15-August-2011.

As well as incorporating incremental search and other elements from the second-generation service deployed last December, the third-generation interface includes a number of additional changes:

  • Fewer decorative graphical elements are used: eye-tracking studies show that the presence of these in the original design distracted many users.
  • Help information is available directly from the discovery service; this includes specific assistance for users in the schools sector, based on geographic area.
  • The service now takes advantage of user interface metadata to provide a more seamless flow through the discovery service. Graphical and textual information about the service provider is shown in the discovery service, and the same information may also be shown for each previously selected identity provider. These act as contextual hints to users, confirming that they are "on the right track" in visiting the discovery service.

You can preview the new user interface through the test service provider at the following location:

 https://sh2testsp1.iay.org.uk/

User Interface Metadata

The third-generation discovery service makes use of the metadata extensions defined in the OASIS specification "SAML V2.0 Metadata Extensions for Login and Discovery User Interface Version 1.2". You can find the current draft of the specification here:

 http://wiki.oasis-open.org/security/SAML2MetadataUI

This extension to the SAML metadata standard allows entity metadata to include, among other things, descriptive text and graphical elements to assist in the discovery and login process. It is being adopted by several federations world-wide, as well as in multiple software implementations including the latest versions of the Shibboleth identity provider, service provider and discovery service software and the simpleSAMLphp discovery service.

This metadata extension has been on trial within the UK federation for some months, and we now recommend that entity owners register appropriate extensions for each of their entities.

The full UK federation recommendations on MDUI extensions can be found here:

 http://www.ukfederation.org.uk/content/Documents/MDUIRecommendations
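As an added illustration (not taken from this announcement or from the UK federation's recommendations document), the following shows what the MDUI extension described above looks like inside SAML metadata. It covers both an identity provider and a service provider, since the new discovery service displays the service provider's information and may also display it for previously selected identity providers. All entity IDs, names, URLs and logo dimensions are constructed placeholders; the element and namespace names are those defined by the OASIS MDUI specification.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the federation's own metadata. All values below are
     constructed placeholders; only the element and namespace names are real. -->
<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    Name="urn:mace:example:mdui-illustration">

  <!-- Identity provider: what the discovery service and the IdP login page can show -->
  <md:EntityDescriptor entityID="https://idp.example.ac.uk/idp/shibboleth">
    <md:IDPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:mace:shibboleth:1.0">
      <md:Extensions>
        <mdui:UIInfo>
          <!-- Human-readable name shown in the IdP list; one per language -->
          <mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName>
          <mdui:Description xml:lang="en">Login for staff and students of Example University</mdui:Description>
          <mdui:InformationURL xml:lang="en">https://www.example.ac.uk/it/federated-login</mdui:InformationURL>
          <mdui:PrivacyStatementURL xml:lang="en">https://www.example.ac.uk/privacy</mdui:PrivacyStatementURL>
          <!-- Logo served over https so the discovery page does not mix content;
               height/width are the image's real pixel dimensions -->
          <mdui:Logo height="60" width="80">https://www.example.ac.uk/img/logo-80x60.png</mdui:Logo>
        </mdui:UIInfo>
        <!-- Optional hints that let a discovery service pre-select or rank this IdP -->
        <mdui:DiscoHints>
          <mdui:DomainHint>example.ac.uk</mdui:DomainHint>
        </mdui:DiscoHints>
      </md:Extensions>
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.ac.uk/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>

  <!-- Service provider: what the discovery service shows to confirm "you are on the right track" -->
  <md:EntityDescriptor entityID="https://sp.example.ac.uk/shibboleth">
    <md:SPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <mdui:UIInfo>
          <mdui:DisplayName xml:lang="en">Example Journal Archive</mdui:DisplayName>
          <mdui:Description xml:lang="en">Online access to the Example Journal Archive for subscribing institutions</mdui:Description>
          <mdui:InformationURL xml:lang="en">https://sp.example.ac.uk/about</mdui:InformationURL>
          <mdui:PrivacyStatementURL xml:lang="en">https://sp.example.ac.uk/privacy</mdui:PrivacyStatementURL>
          <mdui:Logo height="60" width="80">https://sp.example.ac.uk/img/logo-80x60.png</mdui:Logo>
        </mdui:UIInfo>
      </md:Extensions>
      <md:AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.ac.uk/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>

</md:EntitiesDescriptor>
```

The UIInfo block always sits inside the md:Extensions element of the role descriptor (IDPSSODescriptor or SPSSODescriptor), not at the entity level. Because these strings and images are rendered to end users by the discovery service and by other parties' login pages, they should be treated as published content: keep DisplayName short and unambiguous, and host logos at a stable https location you control, since a broken or redirected logo URL is exactly the kind of cue that undermines the "on the right track" confirmation the new interface is designed to give.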

Special Notes for Identity Providers

No changes to identity provider configurations are required by the deployment of the new central discovery service. If you are running the Shibboleth identity provider, however, you should upgrade to the latest version so that you can use MDUI metadata extensions as part of the user interface on your login page.

Once you have submitted MDUI extensions for your entity to the UK federation, you can preview the results through the test service provider as described above.

Special Notes for Service Providers

Correctly configured service providers should not require configuration changes in order to be compatible with the new central discovery service. We are aware, however, that some service providers may not currently be configured to use the supported central discovery service locations; this may cause the wrong user interface to be presented.

If your service provider is configured to use the central discovery service as a WAYF (using the Shibboleth authentication request protocol) then your "WAYF URL" should be set as specified in the Technical Recommendations for Participants as follows:

 https://wayf.ukfederation.org.uk/WAYF

The following additional location is permitted as described in the Technical Recommendations for Participants, but it no longer provides access to a less restricted list of identity providers, because that functionality is now part of the new user interface:

 https://wayf.ukfederation.org.uk/all.wayf

If your service provider is configured to use the central discovery service as a SAML 2.0 discovery service, the following URL should be used:

 https://wayf.ukfederation.org.uk/DS

If your service provider has been configured to use some other WAYF URL, it may fail to operate correctly after the third-generation discovery service comes into use.
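As an added example (not part of this announcement, and not the federation's own configuration), this is how the supported locations above map onto the SSO element of a Shibboleth service provider's shibboleth2.xml. It assumes Shibboleth SP 2.4 or later, where discoveryProtocol and discoveryURL are attributes of the SSO element; the entityID is a constructed placeholder, and the elements of Sessions that are unrelated to discovery are omitted.

```xml
<!-- Added example, not taken from the announcement. Assumes Shibboleth SP 2.4+.
     Only the discovery-related part of shibboleth2.xml is shown. -->
<ApplicationDefaults entityID="https://sp.example.ac.uk/shibboleth"
                     REMOTE_USER="eppn persistent-id targeted-id">
  <Sessions lifetime="28800" timeout="3600" checkAddress="false"
            handlerSSL="true" cookieProps="https">

    <!-- Preferred for a SAML 2.0 capable SP: the SAML 2.0 discovery protocol,
         pointed at the supported DS location. -->
    <SSO discoveryProtocol="SAMLDS"
         discoveryURL="https://wayf.ukfederation.org.uk/DS">
      SAML2 SAML1
    </SSO>

    <!-- Alternative for SPs still using the Shibboleth authentication request
         protocol: the WAYF location. Use one SSO element, not both; this one
         is commented out. -->
    <!--
    <SSO discoveryProtocol="WAYF"
         discoveryURL="https://wayf.ukfederation.org.uk/WAYF">
      SAML2 SAML1
    </SSO>
    -->

    <!-- NOT for production: the preview endpoints (DS-test, WAYF-test) or a
         DS002 URL read from the browser location bar. Substitute them here
         only temporarily, on a non-production SP, to preview MDUI results. -->

  </Sessions>
</ApplicationDefaults>
```

A quick check before 15 August is to grep the SP configuration for discoveryURL (or, on older SPs, the wayfURL attribute of a SessionInitiator) and confirm that the value is exactly one of the two supported locations; any other host or path, including a previously copied DS001 or DS002 URL, is the case the announcement warns will stop working.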

Once you have submitted MDUI extensions for your entity to the UK federation, you can preview the results by proceeding to the central discovery service in the normal way, then modifying the URL in your browser's location bar. If your service provider is configured correctly, you should see:

 https://wayf.ukfederation.org.uk/DS001/uk.ds?shire=...

Replace DS001 with DS002 to preview the results in the new discovery service. DO NOT configure URLs determined in this way in your service provider; they are not supported for long-term use.

Alternatively, you may temporarily configure your service provider to use the following WAYF URL in place of the standard one:

 https://wayf.ukfederation.org.uk/WAYF-test

Or, for the SAML 2.0 discovery protocol:

 https://wayf.ukfederation.org.uk/DS-test

We strongly recommend against the use of the test endpoints on production services.

More Information

Please contact the UK federation helpdesk (service at ukfederation.org.uk) if you have any additional questions about these items.

Edited by SteveGlover on 29 June 2011, at 03:57 PM