Episode 04 - InCommon Federation - Discovery Service
In my previous blog posts on the InCommon Federation, I covered InCommon, the InCommon Federation, and its metadata services (metadata aggregates and the PEMD service).
In this post you will learn about the Discovery Service in the InCommon Federation.
Why do we need a Discovery Service?
A discovery service solves the problem of discovering Identity Providers. In a federation, an SP must find out which IdP can authenticate the user before it can start single sign-on. A Discovery Service therefore provides a browser-based interface where the user selects his or her home organization, and it responds to the SP with the entityID of the user's IdP. The service provider uses that entityID to initiate SAML Web Browser SSO with the right IdP.
The InCommon Discovery Service implements the OASIS Identity Provider Discovery Service Protocol and Profile.
Step 1: The user tries to access a protected resource at SP B.
Step 2: SP B cannot authenticate the user itself, so it needs the entityID of the user's IdP. SP B redirects the user's browser to the InCommon Discovery Service.
Step 3: The user selects his or her home organization from the list shown by the Discovery Service.
Step 4: The Discovery Service reads the Location attribute of the <idpdisc:DiscoveryResponse> element in SP B's metadata and sends the entityID of the user's home organization to that endpoint of SP B.
When registering SP metadata, it is mandatory to include the correct endpoint of the service provider as the Location attribute value of the <idpdisc:DiscoveryResponse> element; this is where the discovery response is sent. The discovery service compares the return URL carried in the request with that registered attribute value, and only if the two match is the response sent to the endpoint. This is what keeps the discovery response from being delivered to an endpoint that was not registered for the SP.
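The following Python is an added example, not code from the original post or from InCommon, covering Steps 2 and 4 above and the return-URL check just described. It assumes a minimal SP B metadata document (constructed here), a hypothetical discovery service URL, and the OASIS IdP Discovery Protocol request parameters `entityID`, `return` and `returnIDParam` (default parameter name `entityID`). The comparison ignores the query string of the return URL and matches scheme, host and path exactly; that is an assumption about how strict the match should be, not a statement of InCommon's exact rule.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "idpdisc": "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol",
}

# Constructed sample: minimal metadata for a hypothetical "SP B" with one
# registered DiscoveryResponse endpoint (the Location the DS may redirect to).
SP_B_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
    entityID="https://sp-b.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <idpdisc:DiscoveryResponse
          Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
          Location="https://sp-b.example.edu/Shibboleth.sso/Login" index="1"/>
    </md:Extensions>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

DS_URL = "https://discovery.example.org/DS"  # hypothetical discovery service endpoint


def registered_discovery_endpoints(metadata_xml):
    """Build {SP entityID: [registered DiscoveryResponse Location, ...]} from SP metadata."""
    root = ET.fromstring(metadata_xml)
    locations = [e.get("Location") for e in root.findall(".//idpdisc:DiscoveryResponse", NS)]
    return {root.get("entityID"): locations}


def build_discovery_request(ds_url, sp_entity_id, return_url, return_id_param="entityID"):
    """Step 2: the SP redirects the browser to the DS, naming itself and its return endpoint."""
    params = {"entityID": sp_entity_id, "return": return_url}
    if return_id_param != "entityID":  # "entityID" is the protocol default, so omit it then
        params["returnIDParam"] = return_id_param
    return f"{ds_url}?{urlencode(params)}"


def _endpoint_key(url):
    """Scheme, host and path of a URL; the query string is deliberately ignored (assumption)."""
    parts = urlparse(url)
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path)


def validate_return_url(return_url, registered_locations):
    """The return URL must match one of the SP's registered DiscoveryResponse Locations."""
    return any(_endpoint_key(return_url) == _endpoint_key(loc) for loc in registered_locations)


def build_discovery_response(request_url, registry, selected_idp_entity_id):
    """Step 4: after the user picks a home organization, redirect back to the SP's
    registered endpoint with the chosen IdP entityID appended as a query parameter.
    A return URL that is not registered in metadata is refused, so a tampered
    'return' parameter cannot turn the DS into a redirector to arbitrary sites."""
    params = dict(parse_qsl(urlparse(request_url).query))
    sp_entity_id = params.get("entityID")
    return_url = params.get("return")
    return_id_param = params.get("returnIDParam", "entityID")
    if sp_entity_id not in registry:
        raise ValueError("unknown SP entityID")
    if not return_url or not validate_return_url(return_url, registry[sp_entity_id]):
        raise ValueError("return URL does not match a registered DiscoveryResponse Location")
    parts = urlparse(return_url)
    query = parse_qsl(parts.query)  # keep the SP's own parameters (e.g. target)
    query.append((return_id_param, selected_idp_entity_id))
    return urlunparse(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    registry = registered_discovery_endpoints(SP_B_METADATA)
    req = build_discovery_request(
        DS_URL, "https://sp-b.example.edu/shibboleth",
        "https://sp-b.example.edu/Shibboleth.sso/Login?target=%2Fsecure")
    print("Step 2 redirect:", req)
    print("Step 4 redirect:", build_discovery_response(
        req, registry, "https://idp.example.edu/idp/shibboleth"))
```

Running the module shows the two redirects of the flow; calling `build_discovery_response` with a `return` value whose host or path differs from the registered Location raises `ValueError` instead of producing a redirect.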