Previous Topic: Configure Single Logout (optional)Next Topic: Validate Signed Requests and Responses


Configure Identity Provider Discovery at the IdP

The Identity Provider Discovery (IPD) profile provides a common discovery service that enables a Service Provider to select a unique IdP for authentication. A prior business agreement between partners is established so that all sites in the network interact with the Identity Provider Discovery service.

This profile is useful in federated networks that have more than one partner providing assertions. A Service Provider can determine which Identity Provider it sends authentication requests for a particular user.

The IdP Discovery profile is implemented using a cookie domain that is common to the two federated partners. A cookie in the agreed upon domain contains the list of IdPs that the user has visited.

For the IDP Discovery profile, the SP has to determine the IdP to which it sends authentication requests. The user that the SP wants to authenticate must have previously visited the Identity Provider and authenticated.

At the IdP, you only enable the Identity Provider Discovery feature. No other configuration is required. Enabling the feature results in a cookie being set in the common domain at the IDP Discovery Service. This process is transparent to the user.

Enable Identity Provider Discovery Profile (optional)

Federated networks can have more than one Identity Provider generating assertions. The Identity Provider Discovery profile enables users to select a specific Identity Provider for authentication.

To enable the Identity Provider Discovery Profile

  1. Log on to the Administrative UI.
  2. Navigate to the SAML Profiles page for the SP you want to modify.
  3. In the IPD section, select the Enable checkbox.
  4. Fill in the necessary fields and select the necessary settings.

    Note: Set the Service URL field to the Identity Provider Discovery Profile servlet, which is:

    https://host:port/affwebservices/public/saml2ipd

  5. Click Submit to save your changes.
Securing the IdP Discovery Target Against Attacks

When the CA SiteMinder® Identity Provider Discovery Service receives a request for the common domain cookie, the request includes a query parameter named IPDTarget. This query parameter lists a URL where the Discovery Service must redirect to after it processes the request.

For an IdP, the IPDTarget is the SAML 2.0 Single Sign-on service. For an SP, the target is the requesting application that wants to use the common domain cookie.

We recommend protecting the IPDTarget query parameter against security attacks. An unauthorized user can place any URL in this query parameter. The URL can cause a redirection to a malicious site.

To protect the query parameter against an attack, configure the Agent Configuration Object setting ValidFedTargetDomain. The ValidFedTargetDomain parameter lists all valid domains for your federated environment.

Note: The ValidFedTargetDomain setting is similar to the ValidTargetDomain setting that the Web Agent uses, but this setting is defined specifically for federation.

The IPD Service examines the IPDTarget query parameter. The service obtains the domain of the URL that the query parameter specifies. The IPD Service compares this domain to the list of domains specified in the ValidFedTargetDomain parameter. If the URL domain matches one of the configured domains in the ValidFedTargetDomain, the IPD Service redirects the user to the designated URL.

If there is no domain match, the IPD Service denies the user request and they receive a 403 Forbidden in the browser. Additionally, errors are reported in the FWS trace log and the affwebservices log. These messages indicate that the domain of the IPDTarget is not defined as a valid federation target domain.

If you do not configure the ValidFedTargetDomain setting, the service redirects the user to the target URL without performing any validation.