Identity Provider Discovery Service

From GFIPM Implementation Wiki
Revision as of 02:50, 14 January 2011 by Matt.Moyer


An Identity Provider (IDP) Discovery Service (DS) performs the task of discovering a user's IDP and providing that information to a Service Provider (SP) so that the SP knows which IDP to use in the subsequent single sign-on (SSO) process.

The DS provides a convenient means by which a user may specify which IDP he or she would like to use for SSO within the federation. The GFIPM Reference Federation currently uses a single DS, which is managed by GTRI; however, there is no inherent limitation on the number of discovery services that a federation can use.

All Service Providers must provide a method for users to discover their Identity Providers. You may elect to use the centralized DS provided by the federation, deploy your own DS, or implement or configure a custom discovery solution for your deployment. The NIEF federation also currently uses a single DS, but again there is no limitation on the number of discovery services in a federation. For convenience, your Service Providers may redirect a user who tries to access a resource without a SAML assertion to the central DS. You are free, however, to implement your own discovery service or an equivalent mechanism for determining a user's IDP for SSO. If a participant's Service Provider solution cannot interface with the DS, the SP must provide equivalent functionality.
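The SP-to-DS round trip described above, as an added example that is not GFIPM, NIEF or SWITCH code. It uses the redirect parameters of the OASIS SAML Identity Provider Discovery profile (entityID, return, returnIDParam), which the SWITCH DS also speaks; all URLs, entityIDs and agency names are constructed. The two checks a practitioner wants are shown on both sides: the DS only redirects back to return URLs registered for that SP (so it cannot serve as an open redirector), and the SP only accepts an IDP that appears in the federation's metadata.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample values (not taken from any real federation metadata).
DS_URL = "https://ds.example.org/WAYF"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SP_RETURN_URL = "https://sp.example.org/Shibboleth.sso/Login"
FEDERATION_IDPS = {                      # IDP entityIDs from federation metadata
    "https://idp.agency-a.example.org/idp": "Agency A",
    "https://idp.agency-b.example.org/idp": "Agency B",
}
SP_DISCOVERY_RESPONSE = {                # return endpoints registered per SP
    SP_ENTITY_ID: [SP_RETURN_URL],
}

def build_ds_redirect(target):
    """SP side: no SAML assertion yet, so send the user to the DS.
    The originally requested resource rides along inside the return URL."""
    ret = SP_RETURN_URL + "?" + urlencode({"target": target})
    return DS_URL + "?" + urlencode({
        "entityID": SP_ENTITY_ID,    # the SP asking for discovery
        "return": ret,               # where the DS must send the user back
        "returnIDParam": "entityID"  # query parameter that will carry the IDP
    })

def ds_return_is_allowed(sp_entity_id, return_url):
    """DS side: accept only return URLs registered for this SP
    (same scheme and host, path under a registered endpoint)."""
    req = urlparse(return_url)
    for allowed in SP_DISCOVERY_RESPONSE.get(sp_entity_id, []):
        a = urlparse(allowed)
        if (req.scheme, req.netloc) == (a.scheme, a.netloc) and req.path.startswith(a.path):
            return True
    return False

def ds_respond(ds_request_url, chosen_idp):
    """DS side: append the user's chosen IDP to the SP's return URL, or refuse."""
    q = parse_qs(urlparse(ds_request_url).query)
    if "entityID" not in q or "return" not in q:
        return None
    sp, ret = q["entityID"][0], q["return"][0]
    param = q.get("returnIDParam", ["entityID"])[0]
    if not ds_return_is_allowed(sp, ret):
        return None
    return ret + ("&" if "?" in ret else "?") + urlencode({param: chosen_idp})

def sp_resolve_idp(return_request_url):
    """SP side: use the returned IDP only if federation metadata knows it."""
    q = parse_qs(urlparse(return_request_url).query)
    chosen = q.get("entityID", [None])[0]
    return chosen if chosen in FEDERATION_IDPS else None
```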

The GFIPM Reference Federation and the NIEF federation use the SWITCH PHP Discovery Service implementation. The SWITCH Discovery Service is described in detail at the following URL:

http://www.switch.ch/aai/support/tools/wayf.html

Note: The Discovery Service was previously named the "Where Are You From" (WAYF) service. Most SWITCH documentation uses the two names interchangeably.