The SAML v2 IDP Discovery Service is an implementation of the Identity Provider Discovery Profile as described in the Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 specification. In deployments having more than one identity provider, service providers need to determine which identity provider(s) a principal uses with the Web Browser SSO profile. To allow for this, the SAML v2 IDP Discovery Service relies on a cookie written in a domain that is common to all identity providers and service providers in a circle of trust. This predetermined domain is known as the common domain, and the cookie containing the list of identity providers to chose from is known as the common domain cookie.
When a user requests access from a service provider and an entity identifier for an identity provider is not received in the request, the service provider redirects the request to the common domain's SAML v2 IDP Discovery Service Reader URL to retrieve the identity provider's entity identifier. If more then one identity provider entity identifier is returned, the last entity identifier in the list is the one to which the request is redirected. Once received, the identity provider redirects to the Discovery Service Writer URL to set the common domain cookie using the value defined in the installation configuration properties file. See Creating an Installation Configuration Properties File for more information.
The Reader and Writer URLs for the SAML v2 IDP Discovery Service are defined when configuring the circle of trust. If the circle already exists and does not contain values for the Reader and Writer URLs, it must be deleted and recreated.
Instructions on how to install the SAML v2 IDP Discovery Service can be found in Installing the SAML v2 IDP Discovery Service. You should also be familiar with The saml2meta Command-line Reference as well as Table 3–2.
Delete the current circle of trust configuration using saml2meta, if applicable.
Create a new circle of trust configuration using saml2meta and the cotcreate subcommand.
saml2meta [-i staging-directory] cotcreate -u admin-user -w password -t COT-name -p idp-discovery-URL-path
Make sure to specify the full path to where the SAML v2 Plug-in for Federation Services is deployed using the -p option.
Add member providers to the new circle of trust using saml2meta and the cotadd subcommand.
saml2meta [-i staging-directory] cotadd -u admin-user -w password -t COT-name -e entity-ID
cotadd can only add a single provider at a time using the -e option. To add a group of providers, you can use the -l option with cotcreate in the previous step.
Verify that all member providers have been added to the circle using saml2meta and the cotlist subcommand.
saml2meta [-i staging-directory] cotlist -u admin-user -w password
Service providers will be redirected to the SAML v2 IDP Discovery Service Reader URL during single sign-on.