The InCommon Discovery Service is now operational!
Here is a projected timeline:
[Wed, Nov 17, 2010] Pre-production Discovery Service released
[Wed, Dec 15, 2010] Production Discovery Service released
[Wed, Jan 12, 2011] Redirect from the WAYF to the Discovery Service
Once the redirect from the WAYF to the Discovery Service is installed (Jan 12), support for the InCommon WAYF will be discontinued. See the FAQ below for details on how to configure a Shibboleth SP to use the InCommon Discovery Service instead of the InCommon WAYF.
Try out the new InCommon Discovery Service: https://service1.internet2.edu/test
Send comments, feedback and questions to: discovery@incommon.org
Frequently Asked Questions
What is a "discovery service?"
Generally speaking, a discovery service is a solution to the identity provider discovery problem, a longstanding issue in the federated identity management space. As the term is used here, a discovery service provides a browser-based interface where a user selects his or her home organization (i.e., identity provider). A service provider uses this information to initiate SAML Web Browser SSO.
The phrase "Where Are You From?" (WAYF) is often used to characterize IdP discovery. Historically, the term "WAYF" has referred to both software and protocol. The WAYF software has all but been eliminated by newer discovery service implementations (such as the InCommon Discovery Service), but the WAYF protocol lives on, mainly for backwards compatibility with SAML V1.1.
In addition to the legacy WAYF protocol, a discovery service implements the SAML V2.0 Identity Provider Discovery Protocol. This protocol differs from the WAYF protocol in one very important respect. Whereas the WAYF protocol forwards an authentication request directly to the identity provider, the Identity Provider Discovery Protocol returns control to the service provider, which provides increased flexibility, privacy and security: the service provider learns only the user's choice of identity provider and issues the authentication request itself, and the discovery service redirects the browser only to a return endpoint that the service provider has registered in its metadata (an idpdisc:DiscoveryResponse element), not to an arbitrary URL supplied in the request.
To learn how a discovery service works, the SWITCH federation has an excellent series of demos that describe and illustrate how a discovery service integrates into a typical SAML flow.
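The two flows described above, side by side, as an added example; this is not InCommon or SWITCHwayf code. It builds the browser redirects that an SP and a discovery service exchange, and on the discovery-service side it performs the check that matters operationally: the `return` URL is accepted only if it matches a DiscoveryResponse endpoint in the SP's metadata. All URLs, entityIDs and the SP metadata document are constructed for the example (the discovery service URL is the pre-production one given on this page).

```python
# Added example (not InCommon or SWITCH code): the legacy WAYF redirect flow next to
# the SAML V2.0 IdP Discovery Protocol flow, as an SP and a discovery service (DS)
# would exchange them over browser redirects. All URLs, entityIDs and the SP metadata
# document below are constructed for this example.
from urllib.parse import urlencode, urlparse, parse_qs, urlunparse
import xml.etree.ElementTree as ET

NS_IDPDISC = "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"

# Constructed SP metadata: one DiscoveryResponse endpoint registered with the federation.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:idpdisc="{NS_IDPDISC}" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <idpdisc:DiscoveryResponse Binding="{NS_IDPDISC}"
          Location="https://sp.example.org/Shibboleth.sso/Login" index="1"/>
    </md:Extensions>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _params(url):
    """Flatten a URL's query string into a single-valued dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


# --- Legacy WAYF protocol (Shibboleth 1.x): the WAYF forwards straight to the IdP ---

def wayf_request(wayf_url, shire, target, provider_id, time):
    """SP -> WAYF: everything the IdP will need (shire = the SP's assertion consumer URL) rides along."""
    return wayf_url + "?" + urlencode(
        {"shire": shire, "target": target, "providerId": provider_id, "time": time})


def wayf_forward(request_url, idp_sso_url):
    """WAYF -> IdP: the same parameters are copied onto the IdP's SSO endpoint.
    Control never returns to the SP, so the SP cannot vet or log the choice."""
    return idp_sso_url + "?" + urlencode(_params(request_url))


# --- SAML V2.0 IdP Discovery Protocol: the DS hands the choice back to the SP ---

def ds_request(ds_url, sp_entity_id, return_url, return_id_param="entityID"):
    """SP -> DS: identify the SP and say where (and under which parameter name) to return the choice."""
    return ds_url + "?" + urlencode(
        {"entityID": sp_entity_id, "return": return_url, "returnIDParam": return_id_param})


def discovery_response_endpoints(metadata_xml):
    """Locations of the SP's registered <idpdisc:DiscoveryResponse> endpoints."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Location") for e in root.iter(f"{{{NS_IDPDISC}}}DiscoveryResponse")
            if e.get("Binding") == NS_IDPDISC]


def is_valid_return(request_url, sp_metadata_xml):
    """The check that makes a federation-wide DS safe to run: only redirect the browser to a
    return URL the SP registered in its metadata, never to an arbitrary caller-supplied one
    (otherwise the DS is an open redirector)."""
    q = _params(request_url)
    if ET.fromstring(sp_metadata_xml).get("entityID") != q.get("entityID"):
        return False  # a real DS looks metadata up by entityID; a mismatch means no metadata
    allowed = discovery_response_endpoints(sp_metadata_xml)
    if "return" not in q:
        return bool(allowed)  # no return parameter: the DS uses the registered endpoint
    ret = urlparse(q["return"])
    # Compare scheme, host and path; any query string on the return URL belongs to the SP.
    return urlunparse((ret.scheme, ret.netloc, ret.path, "", "", "")) in allowed


def ds_response(request_url, chosen_idp, sp_metadata_xml):
    """DS -> SP: redirect back to the validated return URL carrying the chosen IdP's entityID.
    The SP then builds and sends its own AuthnRequest to that IdP."""
    if not is_valid_return(request_url, sp_metadata_xml):
        raise ValueError("return URL not registered in SP metadata; refusing to redirect")
    q = _params(request_url)
    return_url = q.get("return") or discovery_response_endpoints(sp_metadata_xml)[0]
    ret = urlparse(return_url)
    params = _params(return_url)  # keep e.g. target=... that the SP put on its return URL
    params[q.get("returnIDParam", "entityID")] = chosen_idp
    return urlunparse((ret.scheme, ret.netloc, ret.path, "", urlencode(params), ""))


def sp_chosen_idp(response_url, return_id_param="entityID"):
    """SP side after the redirect: read the IdP choice out of the return URL."""
    return _params(response_url).get(return_id_param)


if __name__ == "__main__":
    req = ds_request("https://service1.internet2.edu/test", "https://sp.example.org/shibboleth",
                     "https://sp.example.org/Shibboleth.sso/Login?target=https://sp.example.org/secure")
    resp = ds_response(req, "https://idp.example.edu/idp/shibboleth", SP_METADATA)
    print(resp, "->", sp_chosen_idp(resp))
```

The contrast to notice: `wayf_forward` hands the IdP everything the SP put on the wire, while `ds_response` gives the SP back nothing but the entityID, and only at an endpoint the federation metadata vouches for. A DS that skipped `is_valid_return` would bounce any browser to any URL a crafted link named.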
What is the InCommon Discovery Service?
The InCommon Discovery Service is a deployment of the SWITCHwayf software implementation, a software project of the SWITCH federation.
IMPORTANT! The InCommon Discovery Service is a pre-production test deployment of the SWITCHwayf software implementation.
The InCommon Discovery Service will eventually replace the InCommon WAYF (Where Are You From?) with a Federation-wide discovery service that supports the SAML V2.0 Identity Provider Discovery Protocol and Profile. To ease the transition from the WAYF, the InCommon Discovery Service is backwards compatible with the InCommon WAYF.
Why is InCommon replacing the WAYF with the Discovery Service?
The current InCommon WAYF is not compatible with SAML V2.0 or Shibboleth 2.x. As Shibboleth 1.x is no longer supported by the Shibboleth Project, more organizations will be moving to Shibboleth 2.x. In addition, the production version of the InCommon Discovery Service will leverage metadata, providing additional flexibility, privacy and security that the InCommon WAYF does not provide.
Why is the InCommon Discovery Service a pre-production service at this time?
The user interface of the pre-production InCommon Discovery Service is experimental. The production service will incorporate the feedback received from the community during the pre-production phase.
The pre-production InCommon Discovery Service does not currently take advantage of Federation metadata. The production service will leverage Federation metadata to increase the flexibility, privacy and security of the deployment.
In this pre-production phase, there is no standby InCommon Discovery Service to fail over in case of an outage.
What does the InCommon Discovery Service look like?
Here's a recent screen shot of the InCommon Discovery Service:
Which SAML Service Provider implementations support the InCommon Discovery Service?
The InCommon Discovery Service works with all supported versions of the Shibboleth Service Provider software. To use the native SAML V2.0 Identity Provider Discovery Protocol, Shibboleth SP version 2.0 (or later) is required.
The InCommon Discovery Service is reported to work with simpleSAMLphp version 1.1 or later, but InCommon has not tested this combination.
There may be other SP implementations that support the InCommon Discovery Service. If you find one that does, please share your experiences with us (discovery@incommon.org).
If my SAML Service Provider implementation supports an "embedded discovery service," do I still need to be concerned about the InCommon Discovery Service?
The InCommon Discovery Service is a centralized discovery service for general use within the InCommon Federation. For those service providers that provide their own discovery service, through an embedded service or some other centralized service, the InCommon Discovery Service may not be applicable. How you handle discovery in conjunction with particular federated services at your institution is completely up to you.
That said, embedded discovery (where the IdP selector is served from the service provider's own pages, so the user is never sent to a separate site) generally gives the best overall experience for users, so you should by all means consider it as an alternative to centralized services such as the InCommon Discovery Service.
What do I need to do?
First and foremost, try it out and give us your feedback (discovery@incommon.org).
All Service Provider deployments should reconfigure their software to point at the InCommon Discovery Service instead of the InCommon WAYF. The latter will be phased out and retired early in 2011.
Consult the Shibboleth documentation for instructions on how to configure a Shibboleth 2.x SP SessionInitiator with one or more discovery handlers. Once you've configured (and tested) your Shibboleth 2.x SP to use the InCommon Discovery Service, update your InCommon Federation metadata to include the
If you have any problems, drop us a line at discovery@incommon.org.
For More Information
- SWITCH demos http://www.switch.ch/aai/demo/
- SAML V2.0 Identity Provider Discovery Protocol and Profile http://wiki.oasis-open.org/security/IdpDiscoSvcProtonProfile
- Shibboleth 2.x SP SessionInitiator https://spaces.at.internet2.edu/display/SHIB2/NativeSPSessionInitiator