Jump to: 

Configure Service Provider in SAML V2.0

To configure your SAML V2 service provider(SP) to use the InCommon Federation Discovery Service, first make sure your SP software supports the SAML V2.0 Identity Provider Discovery Protocol, then: 


Configure your SP's metadata to include one or more <idpdisc:DiscoveryResponse> elements. It is a required element to successfully integrate with the InCommon Discovery Service.

Related: Configure SP metadata using Federation Manager

Two.Make sure your SP's metadata has one or more SAML V2.0 <md:AsssertionConsumerService> endpoints in your metadata. This is also required to successfully integrate with the InCommon Discovery Service.

Fill out the MDUI section of the metadata completely and with care. The Discovery Service will at least display the DisplayName in your SP metadata to the user. The name should be clear and distinct enough so that the user can intuitively understand which service they are signing into. 

Good example: University of America Zoom Video Conference Service

Bad example: Zoom


Configure your SP to point to the InCommon Federation Discovery Service. The InCommon Federation Discovery Service is located at: 


RelatedConfiguring Shibboleth SP for discovery

Configure SP metadata using Federation Manager

If your SP is registered in InCommon, use Federation Manager to edit your metadata to include at least one Discovery Response Endpoint:

  1. Sign in to Federation Manager
  2. Navigate to your SP; find the Discovery Response Endpoint section; click edit/add 
  3. Enter the Discovery Response Endpoint URL in the Location input box; click save.
  4. If you have not done so, navigate to the Attribute Consumer Service section to configure at least one valid SAML V2.0 endpoint.

About the the Discovery Response Endpoint

The Discovery Response Endpoint, or the "Location" attribute in the <idpdisc:DiscoveryResponse> metadata element, is a return address at the SP. Once a user has selected their preferred identity provider, the Discovery Service returns to the SP's Discovery Response Endpoint to convey the user's preferred IDP.

To ensure the integrity of the sign-in interaction, the InCommon Federation Discovery Service will only redirect the user's browser agent to a SP's trusted Discovery Response endpoint published in the SP's InCommon metadata entry.

If your SP only supports SAML V1.1

The InCommon Federation no longer recommends using SAML v1.1. Please update your service provider to Use SAML v2.0.

Additional Information

The namespace and binding attributes attached to the <idpdisc:DiscoveryResponse> element are defined in the SAML V2.0 Identity Provider Discovery Protocol and Profile specification. 

The InCommon Discovery Service is a deployment of the SWITCHwayf software implementation, a software project of the SWITCH federation.

Visit the Discovery Service FAQ for more information about the InCommon Federation Discovery Service.

  • No labels