Why connect the institution to WAYF?
- The institution's students and employees will have access to a number of much requested external information services.
- The institution won't have to adapt the hook-up technology to the various information services – once the connection to WAYF is in place access to all the services that WAYF communicates with is granted automatically.
- Subscriptions for e.g. journal databases may become cheaper because the subscription can be limited to the users in the institution who actually need it.
How much does it cost?
Each member institution must pay a fee corresponding to 0.102 per mille of its annual operating costs as defined in the institution's newest annual report.
How to get connected to WAYF
Through a connection to WAYF, your users get access to a number of external services using the existing login-instrastructure already in place.
Are your users in WAYF's target group?
In order to get connected to WAYF the institution you represent has to be part of the higher education and research communities in Denmark. The WAYF secretariat can assist you in deciding whether your institution is part of the target group. Which user data should be exchanged with WAYF? You need to find out whether your institution's user registry is able to provide the user information (attributes), that WAYF may transfer to the services. The institution should be able to provide the following information as a minimum:
- First name
- Last name
- User ID at the home organisation
- Email address
- The user's primary affiliation with the home organisation
- Institution ID
- Level of Assurance
Entering a formal agreement regarding connection
A formal agreement should be entered concerning the connection of the institution to WAYF. The contract here must be signed and sent to email@example.com, either in two hard copies, or as a machine readable scan. If questions arise, give the Secretariat a call, or write us. Once the data processor agreement has been approved and signed by both parties, and the technical tests have proven successful, the production system will be updated with a connection to the new institution.
It is important that the person(s) signing the data processor agreement on the institution's behalf actually carries (carry) the authority to do this, in accordance with set regulations and applicable legislation. WAYF makes an effort to ensure this, prior to document signature, currently by researching on the institution's website the person(s) proposed as signer(s), or through dialogue with the institution. It is a possibility that in the future WAYF will demand proof of signing authority from any signatory.
Local login service
When the login service is run locally, the users make use of the institution's own login page in order to log in to services via WAYF. At the institution this involves installing connection software that uses the standard SAML 2 (Security Assertion Markup Language version 2) for the integration with WAYF. Furthermore the institution's local user data needs to be converted to the attribute format used by WAYF. The advantage of the local model is that the user makes use of the institution's local well-known login page when logging in. At the same time, user name and password stay within the institution's IT domain.
Demands for user management
The institution needs to be in control of its users before it can get connected to WAYF. This means that it sets up, maintains and deletes users on the basis of a well defined practice. The purpose is to secure the data quality so the service providers can trust the user information they receive via WAYF. Demands regarding user administration is described in the agreement between WAYF and the institution.
Which services will we gain access to?
As a starting point the institution's users gain access to all the services that are connected to WAYF. However it is up to the individual service to approve users on the basis of the received user information. Some services demand that a business agreement is entered regarding use and payment. This is an issue between the service and the individual institution and leaves out WAYF.
At a later stage WAYF will grant access to a self-service page where the institution will be able to see the services with which it has entered agreements regarding the exchange of user information.
Requirements for certificates
Institutions must sign their login response messages, and make the corresponding signing certificates available to WAYF, cf. WAYF's certificate policy.