Enabling OpenAthens Wayfinder
Wayfinder uses the SAML DS protocol and as long as your SP software does too it's just a case of configuring it to use Wayfinder as the discovery service. Some common SPs are covered below:
OpenAthens Keystone
- Sign in to the publisher dashboard (https://sp.openathens.net)
- Select the application in question and go to its discovery tab
- Scroll to the discovery method section and select the radio button for Wayfinder
- Save changes
Keystone will start to use the hosted version of Wayfinder immediately. Keystone also has the option for you to embed Wayfinder into your site. See: Embedding OpenAthens Wayfinder
The OpenAthens federation will be updated automatically but if you are in any other federations they will have to update your metadata to include valid discovery return URLs before discovery will work:
<idpdisc:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="http://connect.openathens.net/saml/2/auth" index="1"/>
See also:
OpenAthens SP
- Sign in to the publisher dashboard (https://sp.openathens.net)
- Select the application in question and go to its configuration tab
- Scroll to the discovery method section and select the radio button for the central discovery service
- If it doesn't already say so in the box, enter
https://wayfinder.openathens.net
- Save changes
As with any configuration change, OpenAthens SP will need a webserver restart to pick up and start using the new settings.
The OpenAthens federation will be updated automatically but if you are in any other federations they will have to update your metadata to include valid discovery return URLs before discovery will work:
<idpdisc:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://yourdomain.com/oa/disco-ret" index="1"/>"
See also: Discovery
Shibboleth
You will need to do three things:
Add a discovery response binding to your metadata in the <Extensions> section- e.g:
<Extensions>
...
<idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://shibsp.yourdomain.com/Shibboleth.sso/DS" index="1"/>
...
</Extensions>
... then add the discovery service to your shibboleth.xml
configuration file in the SSO section in place of any singular IdP definition:
<SSO
discoveryProtocol="SAMLDS" discoveryURL="https://wayfinder.openathens.net">
SAML2 SAML1
</SSO>
For the OpenAthens federation you will need to add the discovery return URL to your SAML endpoints via the publisher dashboard:
- Once you are logged in at sp.openathens.net, select your application

- Go to the SAML endpoints tab and click the add endpoint button

- Select discovery return URL, enter the value and click done


- Click Save changes
- It will take up to 15 minutes for the change to take effect
If you are in other federations, first check that your metadata now includes an <idpdisc:DiscoveryResponse>
section and then get the federations you have joined to update their metadata. How this is done can vary by federation, but you will usually have to tell them.
SimpleSAML.php
Set the options in authentication.php
and then restart the service
'discoURL'
=> 'https://wayfinder.openathens.net'
'idp' => null
For the OpenAthens federation you will need to add the discovery return URL to your SAML endpoints via the publisher dashboard:
- Once you are logged in at sp.openathens.net, select your application

- Go to the SAML endpoints tab and click the add endpoint button

- Select discovery return URL, enter the value and click done


- Click Save changes
- It will take up to 15 minutes for the change to take effect
If you are in other federations, first check that your metadata now includes an <idpdisc:DiscoveryResponse>
section and then get the federations you have joined to update their metadata. How this is done can vary by federation, but you will usually have to tell them.
Other SP software
Add according to their instructions and then update the federation metadata as with Shib or SimpleSAML above.
Troubleshooting
No entities appear in Wayfinder
You may not be live in any federations yet. To check that, you would download that federation's metadata and check that your entity appears. If it's there check that it includes a <idpdisc:DiscoveryResponse>
section that specifies Wayfinder. The REFEDs metadata explorer tool is also an option but may be a day behind (https://met.refeds.org/)
Unexpected entities appear in Wayfinder
Your entity appears in one of the federations that Wayfinder is aware of, or you have debug mode turned on.
- Federations -
- The federation toggles on your connection in the dashboard do not affect your appearance in other federations. They only affect which metadata is available to your application, not Wayfinder
- EduGAIN means that as well as only needing to join one Academic federation to appear in many, there can be a delay between updates to the metadata in the federation you registered in and the other federations that include it picking up the change. Timezones and weekends play a part in how long it could take
- Debug mode - this will, when enabled on your browser, tell Wayfinder to include entities that have a hide from wayf entity category on them.