| | 9th May |
| Publish deprecation date (for idp_hint parameter and sha1-hash hints) | Q2-2022 |
| Deprecate idp_hint parameter and support for sha1-hash hints | Q3-2022 |

Merchants not using the IdP Hinting feature will not be impacted, but it is strongly recommended that all merchants carry out regression testing prior to the production release. 
The forthcoming release comprises the following enhancements:

| As-built | Upgraded feature |
| --- | --- |
| IdP Hinting requires a SHA1 hash-based hint (as supplied by InAcademia in JSON format) to be included in the OIDC request using the ‘idp_hint’ parameter or claim. e.g. idp_hint=c50752ce1d12c2b37da13a1a396b8e3895d35dd9 | IdP Hinting feature will require a URL-encoded entityID hash (to be supplied by InAcademia in JSON format) to be included in the OIDC request using the new ‘aarc_idp_hint’ parameter. e.g. aarc_idp_hint=https%3A%2F%2Fidp.nordu.net%2Fidp%2Fshibboleth Support for SHA1 hash-based hinting to be deprecated in Q3-2022. |
| InAcademia specifies and supplies hashed hint values in the form of per-country JSON files. These JSON files are intended to be consumed by the merchant to create a UI drop-down (using the ‘display name’ of the institution inside the JSON file) from which users* can select their home institution. This design supports the merchant workflow of initiating a request to InAcademia using the hint associated with that home institution, where the user is directed to the related institutional identity provider using the InAcademia service based on the related sha1 hash. *(where the user is registered at an institution in the country where the merchant is licensed to use InAcademia) | The same service will be offered, but the per-country JSON files shall comprise entityID-format hints. e.g. “https://idp.nordu.net/idp/shibboleth” “en”: “NORDUnet” “no”: “NORDUnet” Provision of SHA1 hash-based JSON files to be deprecated in Q3-2022. |
| InAcademia falls back to the Discovery Service if the hint value cannot be reconciled to an entityID. This allows the user to select the most appropriate IdP from the DS and move on. This has the following downsides: (1) Observation from live operations demonstrates that users are 30% more likely to abandon their session if they reach discovery unexpectedly. (2) The Discovery Service currently relates to all global IdPs, and is not restricted to in-scope countries. (3) If the user hits ‘back’ the experience can be unpredictable. | If the received hint does not resolve to valid metadata InAcademia will return access_denied+error description=entityID error, returning the user to the merchant, thereby allowing the merchant to decide how to proceed in this scenario. Please refer to the link below for the updated flow diagram: https://wiki.geant.org/display/InAcademia/InAcademia+Functional+flow+with+errors |
| The currently optional IdP Hint Assertion feature allows merchants to include the ‘idp_hint’ claim, which lets them identify users who are directed to an IdP contrary to that selected in the merchant UI. | The IdP Hint Assertion feature will be enabled as default for all merchants, and will be initiated by the parameter (rather than requiring an additional claim). |

What does this mean for merchants?

Using an entityID-based IdP Hint means that merchants would need to:

- include a correctly URL-encoded entityID parameter in the GET request using the ‘aarc_idp_hint’ parameter (instead of the ‘idp_hint’ parameter), and
- remove the IdP hint hash from any claims, and
- handle users returning to the redirect_uri as a result of an invalid/stale hint being used in the request.
 
Requests should currently be formulated towards InAcademia in the following style:

https://op.srv.inacademia.org/InAcademia/authorization?response_type=id_token&response_mode=form_post&redirect_uri=https%3A%2F%2Fvalidate.inacademia.org%2Freturn.php&client_id=InAcademia_Test_Your_Affiliation&nonce=ee826f25a6a17bcab4e7dc21a0bffdd6&state=17edc5989051dd5ce2858ac09f30b3cd&scope=openid+transient+member&idp_hint=c50752ce1d12c2b37da13a1a396b8e3895d35dd9
 
And later (when the entityID is used) it would look like this:

https://op.srv.inacademia.org/InAcademia/authorization?response_type=id_token&response_mode=form_post&redirect_uri=https%3A%2F%2Fvalidate.inacademia.org%2Freturn.php&client_id=InAcademia_Test_Your_Affiliation&nonce=ee826f25a6a17bcab4e7dc21a0bffdd6&state=5989051dd5ce2858ac09f30b3cd&scope=openid+transient+member&aarc_idp_hint=https%3A%2F%2Fidp.nordu.net%2Fidp%2Fshibboleth

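The merchant-side changes described above (encode the entityID into ‘aarc_idp_hint’, and handle a user returned to the redirect_uri after a stale hint) can be sketched as follows. This is an added example, not InAcademia's code: the `KNOWN_IDPS` layout, the function names and the returned action labels are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

AUTHZ_ENDPOINT = "https://op.srv.inacademia.org/InAcademia/authorization"  # from the page
# Constructed allow-list; the layout of the real per-country JSON is an assumption.
KNOWN_IDPS = {"https://idp.nordu.net/idp/shibboleth": {"en": "NORDUnet", "no": "NORDUnet"}}


def build_authz_request(entity_id, client_id, redirect_uri):
    """Return (url, state, nonce) for a request carrying aarc_idp_hint."""
    if entity_id not in KNOWN_IDPS:
        # Forward only hints taken from the supplied JSON, never raw user input.
        raise ValueError("entityID is not in the supplied hint list")
    state, nonce = secrets.token_hex(16), secrets.token_hex(16)
    params = {
        "response_type": "id_token",
        "response_mode": "form_post",
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "nonce": nonce,
        "state": state,
        "scope": "openid transient member",
        "aarc_idp_hint": entity_id,  # urlencode() percent-encodes ':' and '/'
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params), state, nonce


def handle_return(form_body, expected_state):
    """Classify the form_post body received at redirect_uri."""
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    got = form.get("state", "").encode()
    if not hmac.compare_digest(got, expected_state.encode()):
        return "reject"  # not a response to the request we issued
    if form.get("error") == "access_denied":
        # Covers the stale/invalid hint case: send the user back to the
        # institution drop-down instead of showing a dead end.
        return "reselect_idp"
    if "id_token" in form:
        return "validate_id_token"  # signature, nonce and claims still to check
    return "reject"
```

The error description is treated as informational only; if it is shown or logged, it should be escaped like any other untrusted input.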
The test IdPs in the aarc_idp_hint format are as follows:

The InAcademia product team would be happy to participate in one-to-one meetings to discuss these changes further with your product teams. In order to schedule a discussion, please contact info@inacademia.org.

Best wishes from
The InAcademia Team

Networks • Services • People
Learn more at www.geant.org

GÉANT Vereniging (Association) is registered with the Chamber of Commerce in Amsterdam with registration number 40535155 and operates in the UK as a branch of GÉANT Vereniging. Registered office: Hoekenrode 3, 1102BR Amsterdam, The Netherlands. UK branch address: City House, 126-130 Hills Road, Cambridge CB2 1PQ, UK.