In most situations you will need to discover which identity provider a visitor is from before referring them to their home organisation for authentication.

The following recommendations come mostly from RFEDS (

The simplest discovery service to use is probably OpenAthens Wayfinder which automatically includes all the identity providers from any federations your entityID is in:

Wayfinder will remember the user's previous selection(s), and uses geo-location when supported by the browser to help them find their home organisation when names are similar.

This is the default setting for OpenAthens Keystone and can be activated for OpenAthens SP by specifying when you select the discovery method on the application > configuration tab. If you are using other SP software, check their documentation for how to specify this as the central discovery / wayf service.

About 'WAYFless' access

WAYFless is the common term for bypassing discovery by including an Identity Provider's entityID in the access URL as a parameter. It is not possible to overstate how desirable this feature is to your customers.

There is no excuse for not supporting this with OpenAthens SP or Keystone because it works out of the box. You would actually have to do more work to not support it.

For OpenAthens SP, simply passing through an 'entityID' parameter in the URL is enough. Keystone is a shared service so has an extra step - see: WAYFless access and deep linking in OpenAthens Keystone 

About deep linking

This is almost as important to your customers as WAYFless URLs as it allows them to send users to specific pages. The basic idea is that at the end of the authorisation process the user is returned to the page they were trying to access when they started the process.

This is usually possible as long as your platform supplies static pages for content, and you should make every effort. You know your own site best, but here is a simplified PHP example that assumes all pages are covered by OpenAthens SP and that both entityID and target are passed as parameters, e.g:{entityID}&target={target}.

    $target = $_GET['target'];
    $entity = $_GET['entity'];
    header("Status: 302 Temporary move");
    header("Location: $target?entityID=$entity");

OpenAthens Keystone is a shared service so has an additional step - see: WAYFless access and deep linking in OpenAthens Keystone

Redirector compatibility

Where both deep linking and WAYFLess URLs are supported, a resource becomes compatible with our Redirector. The Redirector provides our mutual customers with a consistent link format that they can use in place of a proxy mask in applications such as link resolvers, e.g:

This removes any need for them to use proxy servers to access your site which benefits everyone.