IDP Discovery Configuration at the Service Provider

In the IdP Discovery profile, the Service Provider (SP) has to determine the Identity Provider (IdP) to which it sends authentication requests. The user that the SP wants to authenticate must have previously visited that Identity Provider and authenticated there.

The SP has to redirect the user to its own IdP Discovery Service to retrieve the common domain cookie. The cookie contains the list of Identity Providers that the user has already visited. From this list, the SP chooses the correct IdP and then sends an AuthnRequest to that IdP.

The IdP Discovery process is as follows:

  1. The browser requests the site selection page at the SP.

    This site selection page is aware of the IDP Discovery Service URL.

  2. The site selection page redirects the user to the IdP Discovery Service URL with a query parameter that indicates it wants to get the Common Domain Cookie.
  3. The IDP Discovery Service gets the Common Domain Cookie, reads the cookie in its domain and redirects the user back to the site selection page at the SP with the Common Domain Cookie as a query parameter.
  4. The SP populates the site selection page with IdP URLs at which the user has previously authenticated.
  5. The user selects an IdP to perform the user authentication.

To configure IdP Discovery at the SP:

  1. Create a site selection page that requests the Common Domain Cookie from the IdP Discovery Service at the SP.

    Federation Manager comes with a sample site selection page, named IdPDiscovery.jsp, that the SP can use to implement IdP Discovery. You can find the page in the following directory:

    federation_mgr_home/secure-proxy/Tomcat/webapps/affwebservices/public


    The first link on this page redirects the browser from the SP's regular domain to the IdP Discovery Service in the common domain and retrieves the common domain cookie, named _saml_idp. When the IdP Discovery Service at the SP receives the request, it gets the common domain cookie, adds it as a query parameter to the link, then redirects the user back to the IdPDiscovery.jsp site selection page in the regular domain. By default, the IdPDiscovery.jsp page displays only a list of IDs for the IdPs that it extracts from the common cookie. This is a static list; there are no HTML links associated with the list that initiate communication with the associated IdP.

  2. Edit the following link on the sample page for your SP site. The first part of the link should specify the common domain where the saml2idp cookie resides. The second part of the link specifies the regular domain where the IdPDiscovery.jsp resides.

    For example:

    <a href="http://myspsystem.commondomain.com/affwebservices/public/saml2ipd/?IPDTarget=/http://myspsystem.spdomain.com/affwebservices/public/IdpDiscovery.jsp&SAMLRequest=getIPDCookie">
    Retrieve idp discovery cookie from IPD Service</a>


    When the user is redirected back to the regular domain with the target site selection page, it now has the common cookie.

  3. (Optional) Edit the IdPDiscovery.jsp site selection page so that it displays an HTML link for each IdP. Each link triggers an AuthnRequest to the IdP to initiate single sign-on. By default, the IdPDiscovery.jsp page only displays a list of IDs for the IdPs that it extracts from the common cookie.
  4. Use the edited site selection page to test IdP Discovery.

With IdP Discovery working, you should see the site selection page with a list of IdPs from which to select.
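The following is an added example, not code shipped with Federation Manager or taken from IdPDiscovery.jsp: it shows the logic behind step 3, decoding the common domain cookie that comes back in the query string (a space-separated list of base64-encoded IdP entity IDs, most recently used last, per the SAML 2.0 IdP Discovery profile) and turning it into one sign-on link per IdP. Because the cookie value arrives as a query parameter, it is treated as untrusted input: only IdPs the SP is configured to trust are listed, and all output is HTML-escaped. The query parameter name `_saml_idp`, the `saml2authnrequest` endpoint with its `ProviderID` parameter, and all entity IDs are assumptions constructed for the example.

```python
import base64
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# IdPs this SP trusts, keyed by entity ID (constructed sample values).
TRUSTED_IDPS = {
    "https://idp-a.example.test/saml2/metadata": "Example IdP A",
    "https://idp-b.example.test/saml2/metadata": "Example IdP B",
}
# Query parameter carrying the cookie back to IdPDiscovery.jsp, and the SP endpoint
# that starts single sign-on for a chosen IdP: both assumptions, not from the page.
COOKIE_PARAM = "_saml_idp"
SSO_INIT = "/affwebservices/public/saml2authnrequest"

def make_cookie(entity_ids):
    """Build a common domain cookie value: base64-encoded entity IDs, space-separated,
    most recently used last (SAML 2.0 IdP Discovery profile)."""
    return " ".join(base64.b64encode(e.encode("utf-8")).decode("ascii") for e in entity_ids)

def parse_common_domain_cookie(value):
    """Decode the cookie into entity IDs, dropping tokens that are not valid base64/UTF-8."""
    entity_ids = []
    for token in value.split():
        try:
            entity_ids.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            pass  # malformed entry: skip it rather than fail the whole page
    return entity_ids

def build_idp_links(site_selection_url):
    """Return (entity_id, anchor) pairs, most recently used IdP first, trusted IdPs only.
    The cookie reaches the page in the query string, so treat it as untrusted input:
    unknown entity IDs are dropped and every rendered value is HTML-escaped."""
    cookie = parse_qs(urlsplit(site_selection_url).query).get(COOKIE_PARAM, [""])[0]
    links = []
    for entity_id in reversed(parse_common_domain_cookie(cookie)):
        if entity_id not in TRUSTED_IDPS:
            continue
        href = SSO_INIT + "?" + urlencode({"ProviderID": entity_id})
        anchor = f'<a href="{html.escape(href)}">{html.escape(TRUSTED_IDPS[entity_id])}</a>'
        links.append((entity_id, anchor))
    return links

# Constructed redirect from the IdP Discovery Service: two trusted IdPs, one unknown
# entity ID and one malformed token.
SAMPLE_COOKIE = make_cookie(["https://idp-a.example.test/saml2/metadata",
                             "https://unknown.example.test/<script>",
                             "https://idp-b.example.test/saml2/metadata"]) + " not-base64!"
SAMPLE_URL = ("http://myspsystem.spdomain.com/affwebservices/public/IdpDiscovery.jsp?"
              + urlencode({COOKIE_PARAM: SAMPLE_COOKIE}))
```

Calling `build_idp_links(SAMPLE_URL)` yields links for IdP B then IdP A; the unknown entity ID and the malformed token are dropped.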


Copyright © 2010 CA. All rights reserved.