Please NOTE that WAYF from July 2018 will support more and simpler ways to do scoping than the one described below.
WAYF supports SPs specifying in login requests to which IdP/institution the request must be sent, causing WAYF's institution list (“discovery list”) to be bypassed in the login flow and the user to be forwarded to his institution's login page immediately. Only a few third-party implementations of SAML2 SPs support sending such “scoped” login requests, among them SimpleSAMLphp and CORTOLIB. The specification of the targeted login IdP takes the form of the element samlp:Scoping inserted as the last child of the samlp:AuthnRequest:

    . . .
    <samlp:Scoping>
      <samlp:IDPList>
        <samlp:IDPEntry ProviderID="https://entityID-of-preferred-IdP" />
      </samlp:IDPList>
    </samlp:Scoping>
  </samlp:AuthnRequest>
Consequently, when WAYF receives from a service a login request ending like the one shown here, the user will not see the institution list but will immediately be taken to the login page of the institution registered under the connection ID (entityID) https://entityID-of-preferred-IdP in WAYF's registry. The connection IDs for WAYF's institutions -- i.e., the permissible values for ProviderID in the above example -- are found here, in JSON format.
If you implement your SAML2 SP yourself, it is, of course, easy for you to craft login requests with scoping if you need them. If you are dependent on third-party implementations, on the other hand, you may well encounter difficulty.
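As an added illustration (not WAYF's code, nor that of SimpleSAMLphp or CORTOLIB), the following builds an AuthnRequest with samlp:Scoping as its last child, and shows the hub-side check a WAYF-like proxy would make: honour the requested ProviderID only if it is a registered connection ID, otherwise fall back to the discovery list. The entityIDs, URLs and the registry set are constructed placeholders standing in for real values.

```python
"""Build and validate a scoped SAML2 AuthnRequest (samlp:Scoping)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from uuid import uuid4

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed stand-in for the hub's registry of connection IDs (entityIDs).
REGISTRY = {
    "https://idp.example-university.test/saml",
    "https://idp.example-college.test/saml",
}


def build_authn_request(sp_entity_id, acs_url, hub_sso_url, preferred_idp=None):
    """Return an AuthnRequest as XML text; with preferred_idp set, the request
    is scoped by appending samlp:Scoping/IDPList/IDPEntry as the last child."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": hub_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    if preferred_idp is not None:
        # Schema order puts Scoping after every other AuthnRequest child.
        scoping = ET.SubElement(req, f"{{{SAMLP}}}Scoping")
        idp_list = ET.SubElement(scoping, f"{{{SAMLP}}}IDPList")
        ET.SubElement(idp_list, f"{{{SAMLP}}}IDPEntry", {"ProviderID": preferred_idp})
    return ET.tostring(req, encoding="unicode")


def select_idp(authn_request_xml, registry=REGISTRY):
    """Hub-side decision: the first scoped ProviderID that is a registered
    connection ID, or None (meaning: show the discovery list instead)."""
    root = ET.fromstring(authn_request_xml)
    path = f"{{{SAMLP}}}Scoping/{{{SAMLP}}}IDPList/{{{SAMLP}}}IDPEntry"
    for entry in root.findall(path):
        provider = entry.get("ProviderID")
        if provider in registry:  # exact, case-sensitive entityID match
            return provider
    return None
```

An unregistered or missing ProviderID must never be forwarded to; returning None and showing the discovery list is the safe default.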