An SP can influence the list of identity providers shown on the WAYFProxy IdP. Because WAYFProxy is based on the CESNET WAYF (https://www.eduid.cz/cs/tech/wayf), the filter configuration is described at https://ds.eduid.cz/filter.php. The filter value is then passed as the attribute filter. For longer filters we recommend saving the value into a file and passing a link to that file as the attribute efilter. More information about filters can be found at https://www.eduid.cz/cs/tech/wayf/sp (in the Filter Generator section).
Using the AuthnContextClassRef attribute in the SAML 2 protocol
The SP sets the AuthnContextClassRef attribute:
If both filters are supplied at the same time, the efilter is used. Example configuration of a Shibboleth SP in shibboleth2.xml:
```xml
<!-- eduID.cz, eduGAIN, Social -->
<SessionInitiator entityID="https://login.cesnet.cz/idp/"
                  type="SAML2"
                  template="bindingTemplate.html"
                  Location="/allfed"
                  id="allfed"
                  relayState="cookie"
                  authnContextClassRef="urn:cesnet:proxyidp:efilter:https://perun.cesnet.cz/wayf/wayf-filter-allfed.txt" />
```
Example configuration of a Shibboleth SP in the Apache web server:
```apache
<Location abc>
    ...
    ShibRequestSetting authnContextClassRef urn:cesnet:proxyidp:efilter:https://perun.cesnet.cz/wayf/wayf-filter-allfed.txt
    ...
</Location>
```
It is also possible to have a filter defined on the proxy side, but that change must be made by an administrator. In this case, send a request to add the filter to login@cesnet.cz, including the identifier of the service and the filter value or a link to a file containing the filter.
The proxy cannot verify whether the filter value it receives is correct.
If none of the options above is used, defaultFilter is applied (it includes the federations eduID.cz, eduGAIN, Social and StandaloneIdP).
Direct access to a particular IdP can be configured via the AuthnContextClassRef attribute in the SAML protocol (value urn:cesnet:proxyidp:idpentityid:[EntityId of the IdP]).
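The following is an added example (not code from WAYFProxy or CESNET) showing how the AuthnContextClassRef values described above can be parsed and resolved the way the text describes: efilter takes precedence over filter, and defaultFilter applies when no proxy-specific value is present. The efilter and idpentityid URN prefixes come from this page; the `urn:cesnet:proxyidp:filter:` prefix for an inline filter and the precedence of idpentityid over the filters are assumptions. Because the proxy cannot check the filter value itself, the parser at least insists that an efilter link is an HTTPS URL.

```python
"""Parse and resolve WAYFProxy AuthnContextClassRef values (added example)."""
from urllib.parse import urlparse

PREFIX = "urn:cesnet:proxyidp:"
# Resolution order. efilter over filter is stated on the page; placing
# idpentityid (direct access to one IdP) first is an assumption.
KINDS = ("idpentityid", "efilter", "filter")
# Used when no proxy-specific value is sent: eduID.cz, eduGAIN, Social, StandaloneIdP.
DEFAULT = ("defaultFilter", None)


def parse_ref(ref):
    """Return (kind, value) for one AuthnContextClassRef value.

    Returns None for values that are not WAYFProxy URNs (e.g. a standard SAML
    class like urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport)
    and raises ValueError for malformed WAYFProxy URNs.
    """
    if not ref.startswith(PREFIX):
        return None
    # partition() splits on the first colon only, so an efilter URL keeps its "https:".
    kind, sep, value = ref[len(PREFIX):].partition(":")
    if kind not in KINDS or not sep or not value:
        raise ValueError(f"malformed WAYFProxy AuthnContextClassRef: {ref!r}")
    if kind == "efilter":
        url = urlparse(value)
        # The filter file is fetched by the proxy; require an absolute HTTPS URL.
        if url.scheme != "https" or not url.netloc:
            raise ValueError(f"efilter must be an https URL, got {value!r}")
    return kind, value


def resolve_filter(refs):
    """Decide which filter applies for a request carrying the given
    AuthnContextClassRef values (a SAML request may list several)."""
    found = {}
    for ref in refs:
        parsed = parse_ref(ref)
        if parsed is not None:
            found.setdefault(parsed[0], parsed[1])
    for kind in KINDS:
        if kind in found:
            return kind, found[kind]
    return DEFAULT
```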
Organizations that are not members of eduID.cz but need to open services to their users, with verification of the user's affiliation with the organization, can use the function for manually confirming a user's affiliation with an organization. The organization designates responsible persons who check whether a person requesting confirmation actually has a formal relationship with the organization. The responsible person gets access to the Perun system, where they see the users' requests and can approve or reject them. Users can then use their social identity for the service. As a result, the level of trust in an otherwise anonymous identity is higher.
The manual for using the service is available at (to be added).