After an identity provider authenticates a principal, the identity provider sets a URL-encoded cookie that is defined in a predetermined domain common to all identity providers and service providers within the authentication domain. The common domain cookie is named _liberty_idp. After successful authentication, a principal’s identity provider appends their encoded identifier to a list in the cookie. If their identifier is already present in the list, the identity provider may remove the initial appearance and append it again. The intent is that the service provider reads the last identifier on the cookie’s list to find the principal’s most recently established identity provider.
The identifiers in the common domain cookie are a list of SuccinctID elements encoded in the Base64 format. One element maps to each identity provider in the authentication domain. Service providers then use this SuccinctID element to find the user's preferred identity provider.
When the request contains no common domain cookie, the service provider presents a list of trusted identity providers from which the principal may choose.