Identity provider discovery is a service that selects an identity provider (possibly through interaction with the user) to use during SSO.
While Identity Federation does not provide an identity provider discovery service, it provides support for using such a service to select an IdP, if one is not passed in the authentication request to the SP during SP-initiated SSO.
See the following specifications about IdP discovery at:
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery-cs-01.pdf
When acting as a service provider, Identity Federation can be configured so that if an SSO operation is initiated without the provider ID of the partner IdP, the user is redirected to an IdP discovery service to select the identity provider with which to perform SSO.
After the user selects an identity provider, the custom page resubmits the SSO request with the chosen IdP to Identity Federation.
See the following topics for details:
Identity Federation provides a simple Identity Provider Discovery Service that can be used to determine the Federation IdP Partner to be used at runtime during a Federation SSO operation.
To configure the bundled IdP discovery service:
You can configure Identity Federation to interact with a custom IdP Discovery Service that is deployed remotely.
To configure Identity Federation with a custom IdP Discovery Service:
At runtime, Identity Federation redirects to the IdP Discovery Service page with the following parameters:
return
: This is the URL to which the page should send the new request containing the chosen IdP provider ID to Identity Federation.
returnIDParam
: This is the name of the parameter to use to specify the chosen IdP provider ID in the request sent to Identity Federation.
The discovery service receives the values of these parameters, displays a list of IdPs, and then sends a new request to Identity Federation specifying the chosen IdP Provider ID.
Note:
Make sure that the URL query parameter values are correctly URL-encoded.
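The following is an added example (not part of the original documentation, and not Identity Federation's own code) that walks through the exchange just described from both sides: the SP builds the redirect to the discovery service with URL-encoded `return` and `returnIDParam` values, and the discovery service parses them, checks the return URL against an allowlist of Identity Federation hosts before using it as a submit target, and then builds the request that carries the chosen provider ID back. The endpoint URLs, host allowlist and parameter name `providerid` are constructed for illustration.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qs

# Constructed sample values (hypothetical; not taken from the documentation).
IDF_RETURN_URL = "https://sp.example.com/fed/discovery/return"   # Identity Federation return endpoint
IDP_DISCOVERY_URL = "https://discovery.example.com/select.jsp"   # remote discovery service page
ALLOWED_RETURN_HOSTS = {"sp.example.com"}                         # hosts the discovery page may post back to
KNOWN_IDPS = ["http://idp1.com", "http://idp2.com", "http://idp3.com"]


def build_discovery_redirect(discovery_url, return_url, return_id_param="providerid"):
    """SP side: redirect target for the discovery service.

    urlencode() percent-encodes ':' and '/' in the return URL, which is the
    URL-encoding requirement the note above refers to.
    """
    query = urlencode({"return": return_url, "returnIDParam": return_id_param})
    return f"{discovery_url}?{query}"


def validate_return_url(return_url, allowed_hosts):
    """Discovery side: only accept an https return URL on a known Identity Federation host.

    Without this check the discovery page would submit the user's choice to
    whatever URL arrived in the 'return' parameter (an open-redirect risk).
    """
    parts = urlsplit(return_url)
    return parts.scheme == "https" and parts.netloc in allowed_hosts


def parse_discovery_request(redirect_url, allowed_hosts):
    """Discovery side: extract and validate 'return' and 'returnIDParam'."""
    params = parse_qs(urlsplit(redirect_url).query)
    return_url = params.get("return", [None])[0]
    return_id_param = params.get("returnIDParam", [None])[0]
    if not return_url or not return_id_param:
        raise ValueError("missing return or returnIDParam")
    if not validate_return_url(return_url, allowed_hosts):
        raise ValueError("return URL is not an allowed Identity Federation endpoint")
    return return_url, return_id_param


def build_return_request(return_url, return_id_param, chosen_idp, known_idps):
    """Discovery side: the request that carries the chosen provider ID back.

    Shown as a GET URL so the encoding is visible; the JSP page in the
    documentation sends the same parameter in a POST form instead.
    """
    if chosen_idp not in known_idps:
        raise ValueError("chosen provider ID is not in the list offered to the user")
    parts = urlsplit(return_url)
    query = parse_qs(parts.query)
    query[return_id_param] = [chosen_idp]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query, doseq=True), parts.fragment))


def chosen_idp_from_return_request(return_request_url, return_id_param):
    """SP side: read the provider ID Identity Federation would receive."""
    return parse_qs(urlsplit(return_request_url).query)[return_id_param][0]


if __name__ == "__main__":
    redirect = build_discovery_redirect(IDP_DISCOVERY_URL, IDF_RETURN_URL)
    ret_url, ret_param = parse_discovery_request(redirect, ALLOWED_RETURN_HOSTS)
    back = build_return_request(ret_url, ret_param, "http://idp2.com", KNOWN_IDPS)
    print(redirect)
    print(back)
    print(chosen_idp_from_return_request(back, ret_param))
```

The round trip relies on `parse_qs` decoding what `urlencode` produced; if the SP skipped the encoding step, the `/` and `?` characters of the return URL would be misparsed by the discovery page, which is the failure the note warns about.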
Example of an IdP Discovery Service Page
The following example represents an IdP discovery service page that enables a user to select an identity provider (from the list of provider IDs: http://idp1.com, http://idp2.com, http://idp3.com) and submits the chosen provider ID to Identity Federation to continue the SSO flow. Because the return URL and parameter name arrive as request parameters, the page HTML-escapes them before writing them into the form, and should be deployed behind a check that the return URL points at the Identity Federation host.

<%@ page buffer="5kb" autoFlush="true" session="false"%>
<%@ page language="java" import="java.util.*, java.net.*"%>
<%!
// Minimal HTML escaping for values reflected from the request into the page.
private static String esc(String s) {
    if (s == null) return "";
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
            .replace("\"", "&quot;").replace("'", "&#39;");
}
%>
<%
// Set the Expires and Cache Control headers so the selection page is never cached
response.setHeader("Cache-Control", "no-cache");
response.setHeader("Pragma", "no-cache");
response.setHeader("Expires", "Thu, 29 Oct 1969 17:04:19 GMT");
// Set request and response encoding
request.setCharacterEncoding("UTF-8");
response.setContentType("text/html; charset=UTF-8");
// Parameters supplied by Identity Federation on the redirect (see "return" and "returnIDParam" above).
// Validate submitURL against the Identity Federation host before trusting it as the form action.
String submitURL = request.getParameter("return");
String returnIDParam = request.getParameter("returnIDParam");
// The identity providers offered to the user
List<String> idps = new ArrayList<String>();
idps.add("http://idp1.com");
idps.add("http://idp2.com");
idps.add("http://idp3.com");
%>
<html>
<head><title>Select an Identity Provider</title></head>
<body bgcolor="#FFFFFF">
<form method="POST" action="<%=esc(submitURL)%>" id="PageForm" name="PageForm" autocomplete="off">
<center>
<table cellspacing="2" cellpadding="5" border="0" width="500">
<tr><td colspan="2" align="center">Select an Identity Provider</td></tr>
<tr>
<td align="right">Provider ID</td>
<td>
<select size="1" name="<%=esc(returnIDParam)%>">
<%
Iterator<String> idpIT = idps.iterator();
while (idpIT.hasNext()) {
    String idp = idpIT.next();
%>
<option value="<%=esc(idp)%>"><%=esc(idp)%></option>
<%
}
%>
</select>
</td>
</tr>
<tr>
<td colspan="2" align="center">
<input type="submit" value="Continue"/>
</td>
</tr>
</table>
</center>
</form>
</body>
</html>