WAYF

WAYF also works as single sign-on ("SSO"). This means that you can access multiple services after using your institutional login once - at least until you close your browser or the institution thinks it's been too long since you last logged in.

WAYF communicates with two types of organizations: service providers and institutions. Service providers (e.g. a research library or an online dictionary) provide a service. Institutions provide information about users. WAYF provides the technical protocol translations needed in the communication between the two types of organizations and ensures that each service does not obtain more information about users than is necessary for the legitimate purpose of the service.

WAYF is a community and service under DeiC. Until the end of 2012, WAYF was a development project jointly funded by DeiC (Forskningsnettet), the Ministry of Culture and the Ministry of Education. The operation until January 1, 2015 was also financed by funds from these parties. From January 1, 2015, WAYF switched to user payment.

For the institutions affiliated with Forskningsnettet, this had no impact. Their payment to WAYF was included in the existing budget, and the introduction of the payment model did not result in any additional costs.

Institutions that participate in WAYF, but are not affiliated with the Research Network, must pay for their participation.

• In WAYF, for each login transaction, time, SP, IdP and a pseudonymized ID for the user are logged for each, but beyond that, WAYF does not store data about the user longer than the few milliseconds it takes to process it.
• Data is encrypted with TLS during transmission. But since the transmission goes through the user's browser, it is not encrypted in the browser itself while it forwards it from WAYF to the service that needs it. They are digitally signed, so the service can be sure that they come from WAYF. And the private key is generated and stored in hardware and therefore cannot be stolen.
• WAYF has servers in multiple locations to ensure a very high degree of availability.

WAYF is certified according to the information security standard ISO 27001. This is the result of the audit that DNV conducted at WAYF on 23 September 2021.

With the certification, the federation's members now have another indication that WAYF is in control of information security and can safely be trusted to convey digital identities from user organizations to service providers.

For a number of years, it has been baseline in the public sector to comply with ISO 27001, without the requirement for certification. But because information security is extremely important for a core service in WAYF, namely the secure communication of digital identity, it has made good sense here with an actual certification according to the standard.

WAYF is the latest addition to the parts of DeiC's operations that are certified according to ISO 27001. The research network's hosting service and network operations have been certified since 2019.

The ISO certificate can be inspected here.