The Identity Provider Discovery (IPD) profile provides a common discovery service that enables a Service Provider to select a unique IdP for authentication. A prior business agreement between partners is established so that all sites in the network interact with the Identity Provider Discovery service.
This profile is useful in federated networks that have more than one partner providing assertions. A Service Provider can determine which Identity Provider it sends authentication requests for a particular user.
The IdP Discovery profile is implemented using a cookie domain that is common to the two federated partners. A cookie in the agreed upon domain contains the list of IdPs that the user has visited.
You configure the IDP Discovery profile in the IDP Discovery section in the SSO and SLO dialog.
Note: Click Help for a description of fields, controls, and their respective requirements.
Follow these steps:
http://host:port/affwebservices/public/saml2ipd
Represents the common domain that you specify in the Common Domain field.
Specifies the Apache HTTP or HTTPS port you specified when installing the product.
The URL can also begin with https.
IdP Discovery is enabled at the IdP.
For the IDP Discovery profile, the Service Provider (SP) has to determine the Identity Provider (IdP) to which it sends authentication requests. The user that the SP wants to authenticate must have previously visited the Identity Provider and authenticated.
The SP has to redirect the user to its own IdP Discovery Service to retrieve the common domain cookie. The cookie contains the list of Identity Providers that the user has already visited. From this list, the cookie chooses the correct IdP and then sends an AuthnRequest to that IdP.
The IDP Discovery process is as follows:
This site selection page is aware of the IDP Discovery Service URL.
To configure IdP Discovery at the SP
CA SiteMinder® comes with a sample site selection page, named IdpDiscovery.jsp that the SP can use to implement IdP Discovery. You can find the page in the following directory:
web_agent_home/affwebservices/public
The first link redirects the browser from one domain to the IdPDiscovery service in the common domain and retrieves the common domain cookie, named _saml_idp. When the IdP Discovery Service at the SP receives the request, the service obtains the common domain cookie and adds it as a query parameter. The IDP Discovery Service then redirects the user back to the IdPDiscovery.jsp site selection page in the regular domain. By default, the IdPDiscovery.jsp page displays only a list of IDs for the IdPs that it extracts from the common cookie. This list is static; there are no HTML links associated with the list that initiate communication with the associated IdP.
For example:
<a href="http://myspsystem.commondomain.com/affwebservices/public /saml2ipd/?IPDTarget=/http://myspsystem.spdomain.com/affwebservices /public/IdpDiscovery.jsp&SAMLRequest=getIPDCookie"> Retrieve idp discovery cookie from IPD Service</a>
When the user is redirected back to the regular domain with the target site selection page, it now has the common cookie.
With IdP Discovery working, you can see the site selection page with a list of IdPs from which to select.
Copyright © 2014 CA.
All rights reserved.
|
|