Every time a user visits a service provider page for the first time, the user's browser makes a request to the WAYF Cloud URL, asynchronously and in the background, to notify the WAYF Cloud that the user has visited this service provider.
As the WAYF Cloud collects requests from the same web browser visiting different service providers, it builds relationships for this device similar to the ones illustrated in the following picture.
This graph consists of a node that represents the device as well as nodes for the different service providers this device has visited.
What is stored in the WAYF Cloud is a hash of the device IDs that are randomly generated at each service provider, together with a relationship between them, established via another random id that is generated by the WAYF Cloud.
Hashing is performed so that the data stored in the WAYF Cloud cannot be used to trace real users on the service providers' platforms by their ID.
When a user signs in for the first time to one of the service providers using the identity provider of their organization, the service provider platform shares the identity provider ID with the other service providers by storing it in the WAYF Cloud. This data is associated with the device node, as illustrated below.
A service provider can use the WAYF Cloud API to determine the organizational membership of a user, using the unique random identifier by which the user's browser is known locally at this service provider.
This process takes place in the background, requires no input from the user, and starts even before the user attempts to sign in at the service provider.
This mechanism can drive the design of a User Interface that simplifies the sign-in process, even for users who visit a service provider for the first time!
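A minimal model of the flow described above, added here as an example and not code from WAYF Cloud itself. It assumes SHA-256 as the hash, that the cloud returns its random device id to the browser and the browser presents it on later background requests, and constructed service provider and identity provider names.

```python
import hashlib
import secrets

def hash_device_id(local_id: str) -> str:
    # One-way hash of an SP-local device id; only this digest reaches the WAYF Cloud.
    return hashlib.sha256(local_id.encode()).hexdigest()

class WayfCloud:
    # Constructed model of the WAYF Cloud graph: one device node per browser,
    # linked to the hashed random ids each visited service provider assigned it.
    def __init__(self):
        self.hash_to_device = {}  # hashed SP-local id -> WAYF device id
        self.devices = {}         # WAYF device id -> {"sps": set(), "idp": str|None}
    def record_visit(self, sp_name, hashed_id, wayf_id=None):
        if wayf_id not in self.devices:  # first request from this browser
            wayf_id = secrets.token_urlsafe(16)  # random id minted by the cloud
            self.devices[wayf_id] = {"sps": set(), "idp": None}
        self.hash_to_device[hashed_id] = wayf_id
        self.devices[wayf_id]["sps"].add(sp_name)
        return wayf_id
    def store_idp(self, hashed_id, idp_id):
        self.devices[self.hash_to_device[hashed_id]]["idp"] = idp_id
    def lookup_idp(self, hashed_id):
        node = self.devices.get(self.hash_to_device.get(hashed_id))
        return node["idp"] if node else None

class Browser:
    # One user agent: a random local id per SP plus the WAYF device id (assumption:
    # the cloud returns that id and the browser presents it again on later requests).
    def __init__(self, cloud):
        self.cloud, self.local_ids, self.wayf_id = cloud, {}, None
    def visit(self, sp_name):
        # SP assigns a fresh random id on first visit; only its hash goes to the cloud.
        local_id = self.local_ids.setdefault(sp_name, secrets.token_hex(16))
        self.wayf_id = self.cloud.record_visit(sp_name, hash_device_id(local_id), self.wayf_id)
    def sign_in(self, sp_name, idp_id):
        # The SP shares the IdP id with the cloud, keyed by the hashed local id.
        self.cloud.store_idp(hash_device_id(self.local_ids[sp_name]), idp_id)
    def sp_discovers_idp(self, sp_name):
        # The lookup an SP performs in the background before the user signs in.
        return self.cloud.lookup_idp(hash_device_id(self.local_ids[sp_name]))

def demo():
    # Two SP visits, one sign-in: the second SP learns the IdP; the cloud holds no raw local id.
    cloud = WayfCloud()
    b = Browser(cloud)
    b.visit("sp-a.example")
    b.visit("sp-b.example")
    b.sign_in("sp-a.example", "idp.university.example")
    raw_id_stored = any(i in cloud.hash_to_device for i in b.local_ids.values())
    return b.sp_discovers_idp("sp-b.example"), raw_id_stored, len(cloud.devices)
```

The check in `demo` makes the privacy property explicit: the store maps only digests to the device node, so a dump of the cloud's data never contains the identifier a service provider uses for the browser locally.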