Identity Provider Discovery Service

From GFIPM Implementation Wiki

Within a GFIPM federation, an Identity Provider Discovery Service (DS) performs the task of discovering a user's Identity Provider (IDP) and providing that information to a Service Provider (SP) so that the SP knows which IDP to use in the subsequent single sign-on (SSO) process.

The DS provides a convenient means by which a user may specify which IDP he or she would like to use for SSO within the federation. The GFIPM Reference Federation currently uses a single DS, which is managed by GTRI; however, there is no inherent limitation on the number of discovery services that a federation can use.

Every Service Provider must give its users a way to discover their Identity Provider. You may use the centralized DS provided by the federation, deploy your own DS, or implement or configure a custom discovery solution for your deployment. NIEF also currently uses a single DS, but again a federation may use any number of discovery services. For convenience, your Service Providers may redirect to the central DS when a user tries to access a resource without a SAML assertion, but you are free to implement your own discovery service or an equivalent mechanism for determining a user's IDP for SSO. If a participant's Service Provider solution cannot interface with the DS, the SP must provide equivalent functionality.

Both the GFIPM Reference Federation and NIEF use the SWITCH Discovery Service implementation. Note that the SWITCH Discovery Service was previously named the "Where-Are-You-From" (WAYF) service. Most SWITCH documentation uses the two names interchangeably.
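The following added example (written for this page, not code from GFIPM, NIEF or the SWITCH project) walks through the SP-to-DS exchange described above. It assumes the DS speaks the SAML 2.0 IdP Discovery Profile, in which the SP redirects the browser to the DS with its `entityID`, a `return` URL and an optional `returnIDParam` and `isPassive`, and the DS sends the browser back to the `return` URL with the chosen IdP's entityID appended. The SP metadata, federation IdP list and all URLs are constructed placeholders. The check a DS operator most needs is visible in `handle_discovery_request`: the `return` URL is only honoured if it matches a DiscoveryResponse endpoint registered in the SP's metadata, so the DS cannot be used as an open redirector.

```python
"""SAML 2.0 IdP Discovery Profile exchange between an SP and a DS (illustrative)."""
from urllib.parse import urlencode, urlparse, urlunparse, parse_qs, parse_qsl

# Constructed SP metadata: SP entityID -> registered DiscoveryResponse endpoints.
SP_METADATA = {
    "https://sp.example.org/shibboleth": [
        "https://sp.example.org/Shibboleth.sso/Login",
    ],
}

# Constructed federation IdP list, as the DS would load it from federation metadata.
FEDERATION_IDPS = {
    "https://idp.agency-a.example/idp/shibboleth": "Agency A",
    "https://idp.agency-b.example/idp/shibboleth": "Agency B",
}

DS_URL = "https://ds.example.org/WAYF"  # hypothetical DS location


class DiscoveryError(Exception):
    """Raised by the DS when a discovery request fails validation."""


def build_discovery_request(sp_entity_id, return_url, return_id_param="entityID",
                            is_passive=False):
    """SP side: redirect URL used when a request arrives without a SAML assertion."""
    params = {"entityID": sp_entity_id, "return": return_url,
              "returnIDParam": return_id_param}
    if is_passive:
        params["isPassive"] = "true"
    return f"{DS_URL}?{urlencode(params)}"


def _return_url_allowed(sp_entity_id, return_url):
    """A return URL is acceptable only if scheme, host, port and path match a
    DiscoveryResponse endpoint registered for this SP; the query may differ."""
    if not return_url:
        return False
    candidate = urlparse(return_url)
    for endpoint in SP_METADATA[sp_entity_id]:
        registered = urlparse(endpoint)
        if ((candidate.scheme, candidate.netloc, candidate.path)
                == (registered.scheme, registered.netloc, registered.path)):
            return True
    return False


def handle_discovery_request(request_url, chosen_idp=None, remembered_idp=None):
    """DS side: validate the request and build the redirect back to the SP.

    chosen_idp is what the user picked in the DS chooser; remembered_idp is a
    previous choice the DS kept (for example in a cookie). Returns None when
    the DS should render its chooser instead of redirecting."""
    query = parse_qs(urlparse(request_url).query)
    sp_entity_id = query.get("entityID", [None])[0]
    if sp_entity_id not in SP_METADATA:
        raise DiscoveryError("unknown SP entityID")
    return_url = query.get("return", [None])[0]
    if not _return_url_allowed(sp_entity_id, return_url):
        raise DiscoveryError("return URL is not a registered DiscoveryResponse endpoint")
    return_id_param = query.get("returnIDParam", ["entityID"])[0]
    is_passive = query.get("isPassive", ["false"])[0].lower() == "true"

    idp = remembered_idp or chosen_idp
    if idp is None:
        # Passive requests go straight back without an IdP; otherwise show the chooser.
        return return_url if is_passive else None
    if idp not in FEDERATION_IDPS:
        raise DiscoveryError("selected IdP is not a member of the federation")

    # Append the IdP entityID to the return URL, preserving the SP's own query (e.g. target=).
    parts = urlparse(return_url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs.append((return_id_param, idp))
    return urlunparse(parts._replace(query=urlencode(pairs)))


def read_discovery_response(response_url, return_id_param="entityID"):
    """SP side: extract the IdP entityID from the DS redirect, or None if absent."""
    values = parse_qs(urlparse(response_url).query).get(return_id_param)
    return values[0] if values else None


if __name__ == "__main__":
    sp = "https://sp.example.org/shibboleth"
    ret = "https://sp.example.org/Shibboleth.sso/Login?target=/secure"
    redirect = handle_discovery_request(build_discovery_request(sp, ret),
                                        chosen_idp="https://idp.agency-a.example/idp/shibboleth")
    print("DS redirects browser to:", redirect)
    print("SP resolves IdP:", read_discovery_response(redirect))
```

Once the SP has the IdP entityID from `read_discovery_response`, it starts the normal SAML SSO exchange with that IdP; the DS itself never sees an assertion. A deployment that replaces the DS with its own mechanism, as the page permits, still needs the same registered-endpoint check on whatever return path it uses.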
