beware of wayfless urls

Wed, Aug 12, 2009

WAYFless URLs are great. They let you bypass the WAYF monster and go straight to your IdP and then to your chosen electronic resource but you have to be aware that they can break without warning. There are two types of WAYFless URL. Managed and Unmanaged. A Managed WAYFless URL is provided by the Service Provider and works entirely on their domain:

https://supplier.com/shibboleth?idp=uni.ac.uk
this type of URL will direct you straight to your IdP. An Unmanaged URL looks like this:
https://uni.ac.uk/shibboleth/sso?SHIRE=https://supplier.com/blah/&
It’s a URL that points directly to your own IdP and is basically the IdP bookmarked as any other web page, with the inclusion of the shibboleth params, the most important being “shire” as we’ll see in a minute. Managed URLs generate Unmanaged URLs but they are temporary and are not meant to be bookmarked. The problems start when you use Unmanaged URLs “provided” by a supplier. I’m tempted to call them Lazy URLs as the supplier is not bothered about providing a Managed URL for you to use. They just tell you to bookmark the IdP page you get after choosing your institution from the WAYF.

This is all fine and dandy until the supplier decides they want to update their metadata in the federation. This happened the other day and broke a supplier’s Unmanaged URL. We had this Lazy URL:

https://guanxi.uhi.ac.uk/idp/SSO? … SHIRE=https://supplier.com/shibboleth/
it worked fine for a while until they updated their metadata and their AssertionConsumerService changed. This is the SHIRE URL expressed in metadata and the Shibboleth spec states:

“3.1.1.3 Processing Rules …the identity provider MUST have some means to establish that the assertion consumer service endpoint in the shire parameter is in fact associated with the requesting service provider…”

Our IdP does this by matching the SHIRE param against the list of AssertionConsumerService elements in the supplier’s metadata. In this case the lookup failed as they’d updated their metadata by removing that SHIRE and replacing it with the new one:

https://guanxi.uhi.ac.uk/idp/SSO?
  … SHIRE=https://supplier.com/shibboleth/SAML/POST/
so our IdP failed to trust them. That new SHIRE looks to me like a backend upgrade to a later version of the software. That’s tight coupling if ever I saw it.

So if your supplier just tells you to bookmark your IdP login page, point out the pitfalls then ask them to give you a Managed WAYFless URL.

comments powered by Disqus