Shibboleth Developers

[Nate Klingenstein <>]

Svetlana,

It looks like we have to implement our own WAYF service. Is it correct?

You might want to look at the multi-federation support added to the prototype WAYF enhanced by SDSS.  It might supply what you want, or at least some code to start from:

https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/DiscoveryService

There's a lot of different ways to build the interface for a WAYF service, particularly one that handles multiple federations.  It's more of an art than a science to match the approach to your deployment topology, based on how many federations and institutions you'll be interacting with.  It'd be worth thinking for awhile about what the cleanest interface you can present your users is.

I am planning to download federations metadata on a regular basis.

Does once per day sound ok?

I would suggest doing so more frequently because the metadata may be used for purposes such as revocation of providers in the future.  It's not a heavy operation, so I'd suggest once an hour would be a good starting point.

Do federations use common schema when publishing metadata? Where can I find xsd?

All Shibboleth post-1.2 uses standard SAML 2.0 metadata.  The schema's available from:

http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd

I am  planning to use cookie to keep a user state (federation, IdP location).

Are there any restrictions? good practices? what is suggested expiration time?

Current WAYF's generally allow the user to select whether to remember for a session, a week, or indefinitely.  Something similar might work for your deployment.

Thanks,

Nate.