This is a list of frequently asked questions (FAQ) for the Discovery Service, one of numerous discovery services available to participants of the InCommon Federation.

General Questions

What is a "discovery service?"

...

The InCommon Discovery Service works with all supported versions of the Shibboleth Service Provider software. To use the native SAML V2.0 Identity Provider Discovery Protocol, Shibboleth SP version 2.0 (or later) is required.

We've been told the InCommon Discovery Service will also work with simpleSAMLphp version 1.1 or later, but this has not been tested.

There may be other SP implementations that support the InCommon Discovery Service. If you find one that does, please share your experiences with other InCommon participants (incommon-participants@incommon.org).

...

  1. The legacy WAYF protocol, which is based on the proprietary Shibboleth 1.x AuthnRequest Protocol defined in the Shibboleth Protocol Specification
  2. The SAML V2.0 Identity Provider Discovery Protocol

SAML V2.0 is preferred over the legacy WAYF protocol. If your SP implementation supports SAML V1.1 only, however, then there is no choice: configure your SP to use the legacy WAYF protocol. Likewise, if your SP implementation supports SAML V2.0 only, use the SAML V2.0 Identity Provider Discovery Protocol. If your SP implementation supports both SAML V1.1 and SAML V2.0, you have a choice, but clearly SAML V2.0 is preferred since it offers a much richer set of deployment options.

...

How you handle discovery in conjunction with particular federated services is completely up to you. That said, it is well known that an embedded discovery service, or any kind of selection process more closely integrated with your federated application, provides the best overall experience for users, and gives you the most flexibility to offer a choice of identity providers to your users. You should by all means consider an embedded service as an alternative to centralized services such as the InCommon Discovery Service.

What do I need to do?

  1. ALL InCommon Service Provider deployments that rely on the InCommon WAYF should reconfigure their software to point at the InCommon Discovery Service instead. The WAYF was retired early in 2011.
  2. Update your InCommon Federation metadata to include the <idpdisc:DiscoveryResponse> extension elements that are required to use the InCommon Discovery Service with SAML V2.0 Web Browser SSO. Do this even if you don't plan on using SAML V2.0 any time soon.
  3. Consult the Shibboleth documentation for instructions on configuring a Shibboleth SP for discovery.
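
A pre-submission check for step 2, as an added example (not InCommon or Shibboleth code): it lists the `<idpdisc:DiscoveryResponse>` endpoints in an SP's metadata and shows the kind of return-URL check that registered endpoints make possible for a discovery service. The entityID and Locations are constructed placeholders; the https-only rule and the path-based matching are assumed local policy, not requirements stated on this page.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DISCO = "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "idpdisc": DISCO}

# Constructed sample metadata; entityID and Locations are placeholders.
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:idpdisc="{DISCO}"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <idpdisc:DiscoveryResponse index="1" Binding="{DISCO}"
          Location="https://sp.example.org/Shibboleth.sso/Login"/>
      <idpdisc:DiscoveryResponse index="2" Binding="{DISCO}"
          Location="http://sp.example.org/Shibboleth.sso/Login"/>
    </md:Extensions>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_discovery_endpoints(metadata_xml):
    """Return (valid_locations, problems) for one SP EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    path = "md:SPSSODescriptor/md:Extensions/idpdisc:DiscoveryResponse"
    endpoints = root.findall(path, NS)
    valid, problems, seen = [], [], set()
    if not endpoints:
        problems.append("no idpdisc:DiscoveryResponse in SPSSODescriptor extensions")
    for ep in endpoints:
        loc, idx = ep.get("Location", ""), ep.get("index", "")
        url = urlsplit(loc)
        if ep.get("Binding") != DISCO:
            problems.append(f"{loc}: Binding is not the discovery protocol URN")
        elif not idx.isdigit() or idx in seen:
            problems.append(f"{loc}: missing, non-numeric or duplicate index")
        elif url.scheme != "https" or not url.netloc:  # assumed local policy
            problems.append(f"{loc}: Location is not an absolute https URL")
        else:
            valid.append(loc)
        seen.add(idx)
    return valid, problems


def return_url_allowed(return_url, valid_locations):
    """Compare a return URL, minus its query string, to the registered Locations."""
    u = urlsplit(return_url)
    return f"{u.scheme}://{u.netloc}{u.path}" in valid_locations
```
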

For More Information