Identity Provider Discovery Service

From GFIPM Implementation Wiki
Revision as of 02:53, 14 January 2011 by Matt.Moyer (Talk | contribs)


An Identity Provider (IDP) Discovery Service (DS) performs the task of discovering a user's IDP and providing that information to a Service Provider (SP) so that the SP knows which IDP to use in the subsequent single sign-on (SSO) process.

The DS provides a convenient means by which a user may specify which IDP he or she would like to use for SSO within the federation. The GFIPM Reference Federation currently uses a single DS, which is managed by GTRI; however, there is no inherent limitation on the number of discovery services that a federation can use.

All Service Providers must provide a method for users to discover their Identity Providers. You may elect to use the centralized DS provided by the federation, deploy your own DS, or implement/configure a custom discovery solution for your deployment. The NIEF federation also currently uses a single DS, but again there is no limitation on the number of discovery services in a federation. For convenience, your Service Providers may point to the central DS when a user tries to access a resource without a SAML assertion. But you are free to implement your own discovery service or an equivalent service to determine a user's IDP for SSO. In the event that a participant's Service Provider solution cannot interface with the DS, the SP must provide an equivalent functionality.
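The SP-to-DS-to-SP exchange described above, as an added example in Python (it is not code from the SWITCH implementation or from any GFIPM or NIEF deployment). It assumes the DS follows the SAML 2.0 Identity Provider Discovery Protocol query parameters (`entityID`, `return`, `returnIDParam`), which the page does not name; the hostnames, entityIDs and the metadata table are constructed sample values. The DS-side check that the `return` URL matches an endpoint the SP registered in federation metadata is the part worth noting: a DS that skips it redirects users to any URL an attacker places in the request.

```python
from urllib.parse import urlencode, urlparse, parse_qs, urlunparse

# Constructed sample data: the DiscoveryResponse endpoints each SP registered
# in its SAML metadata. A real DS derives this from the federation metadata.
SP_DISCOVERY_RESPONSE_ENDPOINTS = {
    "https://sp.example.org/shibboleth": {
        "https://sp.example.org/Shibboleth.sso/Login",
    },
}

# Constructed sample list of IdP entityIDs that are members of the federation.
FEDERATION_IDPS = {
    "https://idp.example.org/idp/shibboleth",
    "https://idp2.example.net/idp/shibboleth",
}


def build_discovery_request(ds_url, sp_entity_id, return_url, return_id_param="entityID"):
    """SP side: when a request arrives without a SAML assertion, send the user to the DS."""
    query = urlencode({
        "entityID": sp_entity_id,         # who is asking
        "return": return_url,             # where the DS must send the user back
        "returnIDParam": return_id_param, # query parameter carrying the chosen IdP
    })
    return f"{ds_url}?{query}"


def _same_endpoint(candidate, registered):
    """Compare scheme, host[:port] and path; the return URL may carry extra query
    parameters (such as the SP's own 'target'), so the query string is ignored."""
    c, r = urlparse(candidate), urlparse(registered)
    return (c.scheme, c.netloc, c.path) == (r.scheme, r.netloc, r.path)


def validate_return_url(sp_entity_id, return_url):
    """DS side: only redirect to endpoints the SP registered in federation metadata."""
    endpoints = SP_DISCOVERY_RESPONSE_ENDPOINTS.get(sp_entity_id)
    if not endpoints:
        raise ValueError("unknown SP entityID")
    if urlparse(return_url).scheme != "https":
        raise ValueError("return URL must use https")
    if not any(_same_endpoint(return_url, ep) for ep in endpoints):
        raise ValueError("return URL is not registered for this SP")
    return True


def build_discovery_response(sp_entity_id, return_url, chosen_idp, return_id_param="entityID"):
    """DS side: after the user picks an IdP, send them back to the SP with that IdP's entityID."""
    validate_return_url(sp_entity_id, return_url)
    if chosen_idp not in FEDERATION_IDPS:
        raise ValueError("chosen IdP is not a federation member")
    parts = urlparse(return_url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query[return_id_param] = [chosen_idp]
    return urlunparse(parts._replace(query=urlencode(query, doseq=True)))


def handle_discovery_request(request_url, chosen_idp):
    """DS side: parse the SP's request and produce the redirect back to the SP."""
    query = parse_qs(urlparse(request_url).query)
    sp_entity_id = query["entityID"][0]
    return_url = query["return"][0]
    return_id_param = query.get("returnIDParam", ["entityID"])[0]
    return build_discovery_response(sp_entity_id, return_url, chosen_idp, return_id_param)


def parse_discovery_response(url, return_id_param="entityID"):
    """SP side: read the IdP the DS reported and confirm it is a federation member
    before starting SSO with it."""
    values = parse_qs(urlparse(url).query).get(return_id_param, [])
    if len(values) != 1:
        raise ValueError("expected exactly one IdP entityID")
    idp = values[0]
    if idp not in FEDERATION_IDPS:
        raise ValueError("DS returned an IdP that is not in the federation")
    return idp


if __name__ == "__main__":
    req = build_discovery_request("https://ds.example.org/WAYF",
                                  "https://sp.example.org/shibboleth",
                                  "https://sp.example.org/Shibboleth.sso/Login?target=/secure")
    resp = handle_discovery_request(req, "https://idp.example.org/idp/shibboleth")
    print("SP -> DS:", req)
    print("DS -> SP:", resp)
    print("SP will use IdP:", parse_discovery_response(resp))
```

The SP keeps its own `target` parameter across the round trip because the DS only appends the `returnIDParam` value to the registered endpoint; the SP still re-checks the returned entityID against federation metadata rather than trusting the DS alone.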

Both the GFIPM Reference Federation and [[NIEF]] use the SWITCH PHP Discovery Service implementation. The SWITCH DS is described in detail at http://www.switch.ch/aai/support/tools/wayf.html. Note: The Discovery Service was previously named the "Where-Are-You-From" (WAYF) service. Most SWITCH documentation uses the two names interchangeably.