Difference between revisions of "Identity Provider Discovery Service"

From GFIPM Implementation Wiki
Line 5: Line 5:
 
All Service Providers must provide a method for users to discover their Identity Providers. You may elect to use the centralized DS provided by the federation, deploy your own DS, or implement/configure a custom discovery solution for your deployment. The NIEF federation also currently uses a single DS, but again there is no limitation on the number of discovery services in a federation. For convenience, your Service Providers may point to the central DS when a user tries to access a resource without a SAML assertion. But you are free to implement your own discovery service or an equivalent service to determine a user's IDP for SSO. In the event that a participant's Service Provider solution cannot interface with the DS, the SP must provide an equivalent functionality.
 
All Service Providers must provide a method for users to discover their Identity Providers. You may elect to use the centralized DS provided by the federation, deploy your own DS, or implement/configure a custom discovery solution for your deployment. The NIEF federation also currently uses a single DS, but again there is no limitation on the number of discovery services in a federation. For convenience, your Service Providers may point to the central DS when a user tries to access a resource without a SAML assertion. But you are free to implement your own discovery service or an equivalent service to determine a user's IDP for SSO. In the event that a participant's Service Provider solution cannot interface with the DS, the SP must provide an equivalent functionality.
  
Both the GFIPM Reference Federation and [[https://nief.gfipm.net/|NIEF]] use the SWITCH PHP Discovery Service implementation. The SWITCH DS is described in detail at http://www.switch.ch/aai/support/tools/wayf.html. Note: The Discovery Service was previously named the "Where-Are-You-From" (WAYF) service. Most SWITCH documentation uses the two names interchangeably.
+
Both the GFIPM Reference Federation and [https://nief.gfipm.net/ NIEF] use the SWITCH PHP Discovery Service implementation. The SWITCH DS is described in detail at http://www.switch.ch/aai/support/tools/wayf.html. Note: The Discovery Service was previously named the "Where-Are-You-From" (WAYF) service. Most SWITCH documentation uses the two names interchangeably.
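Review bot: the link markup change in this hunk is correct: `[[https://nief.gfipm.net/|NIEF]]` uses MediaWiki internal-link syntax, which does not render an external URL, while `[https://nief.gfipm.net/ NIEF]` is the external-link form (URL, space, label), so the NIEF link now renders as intended; the surrounding paragraph is otherwise unchanged.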

Revision as of 02:58, 14 January 2011

An Identity Provider (IDP) Discovery Service (DS) performs the task of discovering a user's IDP and providing that information to a Service Provider (SP) so that the SP knows which IDP to use in the subsequent single sign-on (SSO) process.

The DS provides a convenient means by which a user may specify which IDP he or she would like to use for SSO within the federation. The GFIPM Reference Federation currently uses a single DS, which is managed by GTRI; however, there is no inherent limitation on the number of discovery services that a federation can use.

All Service Providers must provide a method for users to discover their Identity Providers. You may elect to use the centralized DS provided by the federation, deploy your own DS, or implement/configure a custom discovery solution for your deployment. The NIEF federation also currently uses a single DS, but again there is no limitation on the number of discovery services in a federation. For convenience, your Service Providers may point to the central DS when a user tries to access a resource without a SAML assertion. But you are free to implement your own discovery service or an equivalent service to determine a user's IDP for SSO. In the event that a participant's Service Provider solution cannot interface with the DS, the SP must provide equivalent functionality.
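The SP-to-DS exchange described above, as an added Python example that is not part of this wiki or of the SWITCH DS code: it assumes the SP and DS speak the SAML Identity Provider Discovery Protocol (the entityID, return and returnIDParam query parameters), which goes beyond what the page names, and every URL, entity ID and the SP_DISCOVERY_RESPONSE table are constructed. It also shows the check a DS must make before redirecting the user back: the return URL has to match one of the SP's registered DiscoveryResponse endpoints, otherwise the DS becomes an open redirect.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample of what a DS loads from SP metadata: each SP's entityID and the
# <idpdisc:DiscoveryResponse> Location(s) the DS is allowed to send the user back to.
SP_DISCOVERY_RESPONSE = {
    "https://sp.example.org/shibboleth": [
        "https://sp.example.org/Shibboleth.sso/Login",
        "https://sp.example.org/Shibboleth.sso/DS",
    ],
}

def sp_discovery_request(ds_url, sp_entity_id, return_url, return_id_param="entityID"):
    """SP side: build the redirect for a user who arrived without a SAML assertion."""
    params = {"entityID": sp_entity_id, "return": return_url}
    if return_id_param != "entityID":
        params["returnIDParam"] = return_id_param  # protocol default is entityID
    return ds_url + "?" + urlencode(params)

def return_url_allowed(sp_entity_id, return_url):
    """DS side: the return URL, minus its query string and fragment, must be one of the
    SP's registered DiscoveryResponse locations; anything else is rejected."""
    base = urlsplit(return_url)._replace(query="", fragment="").geturl()
    return base in SP_DISCOVERY_RESPONSE.get(sp_entity_id, [])

def ds_discovery_response(request_url, chosen_idp_entity_id):
    """DS side: validate the request, then send the user back carrying the chosen IdP."""
    query = parse_qs(urlsplit(request_url).query)
    sp_entity_id = query.get("entityID", [None])[0]
    return_url = query.get("return", [None])[0]
    return_id_param = query.get("returnIDParam", ["entityID"])[0]
    if sp_entity_id not in SP_DISCOVERY_RESPONSE:
        raise ValueError("unknown SP entityID")
    if return_url is None or not return_url_allowed(sp_entity_id, return_url):
        raise ValueError("return URL is not a registered DiscoveryResponse for this SP")
    # The SP may have appended its own parameters (e.g. a target), so keep them.
    sep = "&" if "?" in return_url else "?"
    return return_url + sep + urlencode({return_id_param: chosen_idp_entity_id})

def sp_read_discovery_response(response_url, return_id_param="entityID"):
    """SP side: read the IdP entityID the DS returned (None if absent), then start SSO with it."""
    return parse_qs(urlsplit(response_url).query).get(return_id_param, [None])[0]
```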

Both the GFIPM Reference Federation and NIEF use the SWITCH PHP Discovery Service implementation. The SWITCH DS is described in detail at http://www.switch.ch/aai/support/tools/wayf.html. Note: The Discovery Service was previously named the "Where-Are-You-From" (WAYF) service. Most SWITCH documentation uses the two names interchangeably.