Using the WAYF protocol with the UK federation Central Discovery Service is deprecated

Posted on Friday, 23 June 2017

This is formal notice that UK federation Central Discovery Service (CDS) support for the WAYF protocol is now deprecated. The WAYF protocol's limitations are sufficient that, since 2012, we have not recommended its use for new service provider deployments. Service Providers which use the WAYF protocol with our Central Discovery Service force Identity Providers to use the legacy SAML 1 protocol, and we no longer wish to facilitate the use of SAML 1. Our CDS will continue to support the Identity Provider Discovery Service (DS) Protocol [1], which supports both SAML 2 and SAML 1 operations.

There is no timescale set for removal of the WAYF protocol. However, we reserve the right to remove support with 3 months' notice. When we decide to cease supporting the WAYF protocol, we shall inform all registered technical and administrative contacts through our distribution mailing list.

If your Service Provider SAML software supports the DS protocol, and your Service Provider application does not implicitly require SAML 1 (for example, it does not require the legacy scoped form of eduPersonTargetedID), then it is likely that your SP can simply migrate to DS protocol usage. Nevertheless, you should work with your Identity Provider customers to determine whether they can support the appropriate SAML 2 versions of attributes.
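To make the migration target concrete, the following Python sketch models the Identity Provider Discovery Service (DS) protocol exchange that the notice recommends over WAYF. It is an added illustration written for this page, not code from the UK federation, its CDS, or any SP product. It shows the SP building a DS request (`entityID`, `return`, `returnIDParam`), the discovery service validating the `return` URL against the `idpdisc:DiscoveryResponse` endpoints registered for that SP before redirecting back with the chosen IdP's entityID, and a metadata check an SP operator can use to confirm an IdP offers SAML 2 single sign-on before relying on SAML 2 attributes. All entity IDs, hostnames, the DS URL and the metadata tables are constructed placeholders.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qs

# Constructed sample metadata (placeholder values, not real federation data).
# SP entityID -> registered idpdisc:DiscoveryResponse Location values.
SP_DISCOVERY_ENDPOINTS = {
    "https://sp.example.ac.uk/shibboleth": [
        "https://sp.example.ac.uk/Shibboleth.sso/Login",
    ],
}

# IdP entityID -> protocols advertised on its SingleSignOnService endpoints.
IDP_SSO_PROTOCOLS = {
    "https://idp.example.ac.uk/idp/shibboleth": {
        "urn:oasis:names:tc:SAML:2.0:protocol",
        "urn:mace:shibboleth:1.0",
    },
    "https://legacy-idp.example.ac.uk/idp/shibboleth": {
        "urn:mace:shibboleth:1.0",  # SAML 1 only: cannot serve a SAML 2 SP
    },
}

DS_URL = "https://ds.example.invalid/DS"  # placeholder for the federation's CDS endpoint
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"


def build_ds_request(sp_entity_id, return_url, return_id_param="entityID", is_passive=False):
    """SP side: compose the redirect to the discovery service."""
    params = {
        "entityID": sp_entity_id,          # the SP asking for discovery
        "return": return_url,              # where the DS should send the user back
        "returnIDParam": return_id_param,  # query parameter that will carry the IdP entityID
    }
    if is_passive:
        params["isPassive"] = "true"
    return f"{DS_URL}?{urlencode(params)}"


def _strip_query(url):
    """Reduce a URL to scheme://host/path so it can be matched against metadata."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def handle_ds_request(request_url, chosen_idp):
    """DS side: validate the request and build the redirect back to the SP.

    The 'return' URL is only honoured if it matches a DiscoveryResponse endpoint
    registered for the requesting SP; otherwise the DS would act as an open
    redirector that leaks the user's IdP choice to an arbitrary site.
    """
    query = parse_qs(urlsplit(request_url).query)
    sp_entity_id = query.get("entityID", [None])[0]
    if sp_entity_id not in SP_DISCOVERY_ENDPOINTS:
        raise ValueError("unknown SP entityID")
    endpoints = SP_DISCOVERY_ENDPOINTS[sp_entity_id]

    # Absent 'return' means "use the SP's default DiscoveryResponse endpoint".
    return_url = query.get("return", [endpoints[0]])[0]
    if _strip_query(return_url) not in endpoints:
        raise ValueError("return URL is not a registered DiscoveryResponse endpoint")

    return_id_param = query.get("returnIDParam", ["entityID"])[0]
    separator = "&" if urlsplit(return_url).query else "?"
    return return_url + separator + urlencode({return_id_param: chosen_idp})


def parse_ds_response(response_url, return_id_param="entityID"):
    """SP side: read the selected IdP entityID out of the DS redirect."""
    query = parse_qs(urlsplit(response_url).query)
    values = query.get(return_id_param)
    if not values:
        raise ValueError("DS response carries no IdP entityID")
    return values[0]


def idp_supports_saml2(idp_entity_id):
    """Metadata check: does this IdP advertise a SAML 2 SSO endpoint?"""
    return SAML2_PROTOCOL in IDP_SSO_PROTOCOLS.get(idp_entity_id, set())


if __name__ == "__main__":
    request = build_ds_request(
        "https://sp.example.ac.uk/shibboleth",
        "https://sp.example.ac.uk/Shibboleth.sso/Login?target=%2Fsecure",
    )
    response = handle_ds_request(request, "https://idp.example.ac.uk/idp/shibboleth")
    idp = parse_ds_response(response)
    print("selected IdP:", idp, "SAML 2 capable:", idp_supports_saml2(idp))
```

The `return` validation is the part worth copying: a discovery service that redirects to any caller-supplied URL becomes an open redirector, so the check against registered `DiscoveryResponse` endpoints belongs in every DS implementation. The `idp_supports_saml2` check is the kind of metadata inspection to run per IdP customer before switching an SP to SAML 2 only.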

If your Service Provider software does not support the DS protocol, you will not be able to continue to use the UK federation CDS, and you must find another discovery solution.

We will be contacting Service Provider operators which use the WAYF protocol to discuss plans for migration, and to provide assistance during that migration.

[1] Identity Provider Discovery Service Protocol http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.pdf

Edited by AlexStuart on 10 October 2017, at 10:53 AM