Thijs Kinkhorst edited this page Mar 31, 2021 · 3 revisions

Running your own WAYF

As OpenConext is a SAML2 Proxy, by default IdPs connected to the platform are not exposed to Service Providers (SPs). Instead, SPs connect to the (single) Proxy IdP, which automatically serves a WAYF where appropriate. The WAYF contains only those IdPs that have been given access to the SP.

However, several scenarios exist where a Service Provider would like more control over the WAYF:

  • Custom WAYF: The SP wants to present its own specifically tailored or branded WAYF
  • WAYF-less URLs: The SP wants to redirect users directly to a specific IdP

Transparent Proxy allows the SP to have 'direct' access to an IdP, without the need for the IdP to link directly to an SP.

Transparent Proxying

The Transparent Proxy feature of OpenConext exposes each IdP at a unique endpoint on the OpenConext SAML endpoint. An EntitiesDescriptor is available for all IdPs. In addition, it is possible to query OpenConext EngineBlock for the list of SP-specific IdPs (i.e., the IdPs that have been given access to the SP, as configured in ServiceRegistry).
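As an added illustration (example code, not OpenConext's own) of how an SP could build a custom WAYF from such metadata: it parses an EntitiesDescriptor, keeps only entities that carry an IDPSSODescriptor, and then restricts the menu to the SP-specific IdP list so the WAYF never offers an IdP the proxy would reject. The metadata document, entity IDs and allowed list below are constructed; the proxy's real endpoint URLs are not shown.

```python
# Added example, not OpenConext code: derive a custom WAYF menu from an
# EntitiesDescriptor and an SP-specific allow-list. All values are constructed.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: two IdPs (one without mdui DisplayName) and one SP.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
  <md:EntityDescriptor entityID="https://idp.example-a.test/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdui:UIInfo><mdui:DisplayName xml:lang="en">Example A</mdui:DisplayName></mdui:UIInfo></md:Extensions>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://proxy.example.test/sso/idp-a"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example-b.test/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://proxy.example.test/sso/idp-b"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.test/saml">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def list_idps(metadata_xml):
    """Return [(entityID, display name, HTTP-Redirect SSO URL)] for every IdP."""
    # Production metadata comes from the network; parse it with a hardened XML
    # parser and verify its signature before trusting it.
    root = ET.fromstring(metadata_xml)
    idps = []
    for ed in root.findall("md:EntityDescriptor", NS):
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # SPs and other roles are not WAYF choices
        entity_id = ed.get("entityID")
        name = idp.find("md:Extensions/mdui:UIInfo/mdui:DisplayName", NS)
        sso = None
        for svc in idp.findall("md:SingleSignOnService", NS):
            if svc.get("Binding") == REDIRECT:
                sso = svc.get("Location")
        idps.append((entity_id, name.text if name is not None else entity_id, sso))
    return idps


def wayf_choices(metadata_xml, allowed_entity_ids):
    """Keep only IdPs on the SP-specific list, so the menu matches what the proxy permits."""
    allowed = set(allowed_entity_ids)
    return [idp for idp in list_idps(metadata_xml) if idp[0] in allowed]
```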