The Incommon Federation wiki has moved.

Please visit the new InCommon Federation Library wiki for updated content. Remember to update your bookmarks.

Click in the link above if you are not automatically redirected in 15 seconds.



You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 40 Next »

The InCommon Discovery Service is now operational!

Here is a projected timeline for the deployment of the InCommon Discovery Service:

  1. [Wed, Nov 17, 2010] Pre-production Discovery Service released

  2. [Wed, Dec 15, 2010] New hot spare deployed in Indiana

  3. [Wed, Jan 5, 2011] Production Discovery Service to be released

  4. [Wed, Feb 2, 2011] InCommon WAYF to be taken out of service

Once a redirect from the WAYF to the Discovery Service is installed (on Feb 2), support for the InCommon WAYF will be discontinued. See the FAQ below for details how to configure a Shibboleth SP to use the InCommon Discovery Service instead of the InCommon WAYF.

Try out the new InCommon Discovery Service: https://service1.internet2.edu/test
Send comments, feedback and questions to: discovery@incommon.org

Frequently Asked Questions

What is a "discovery service?"

Generally speaking, a discovery service is a solution to the identity provider discovery problem, a longstanding problem in the federated identity management space. As the term is used here, a discovery service provides a browser-based interface where a user selects his or her home organization (i.e., identity provider). A service provider uses this information to initiate SAML Web Browser SSO.

The phrase "Where Are You From?" (WAYF) is often used to characterize identity provider discovery. Historically, the term "WAYF" has referred to both software and protocol. The WAYF software has all but been eliminated by newer discovery service implementations (such as the InCommon Discovery Service), but the WAYF protocol lives on, mainly for backwards compatibility with SAML V1.1.

In addition to the legacy WAYF protocol, a true discovery service implements the SAML V2.0 Identity Provider Discovery Protocol. This protocol differs from the WAYF protocol in one very important respect. Whereas the WAYF protocol forwards an authentication request directly to the identity provider, the Identity Provider Discovery Protocol returns control to the service provider, which provides increased flexibility, privacy and security.

To learn how a discovery service works, the SWITCH federation has an excellent series of demos that describe and illustrate how a discovery service integrates into a typical SAML flow.

What is the InCommon Discovery Service?

The InCommon Discovery Service is a deployment of the SWITCHwayf software implementation, a software project of the SWITCH federation.

IMPORTANT! The current InCommon Discovery Service is a pre-production test deployment of the SWITCHwayf software implementation.

The InCommon Discovery Service will eventually replace the InCommon WAYF (Where Are You From?) with a Federation-wide discovery service that supports the SAML V2.0 Identity Provider Discovery Protocol and Profile. To ease the transition from the WAYF, the InCommon Discovery Service is backwards compatible with the InCommon WAYF.

Why is InCommon replacing the WAYF with the Discovery Service?

The current InCommon WAYF is not compatible with SAML V2.0. As Shibboleth 1.x is no longer supported by the Shibboleth Project, more organizations will be moving to Shibboleth 2.x and expecting to make use of SAML V2.0 features. In addition, the InCommon Discovery Service will leverage metadata, providing additional flexibility, privacy and security that the InCommon WAYF does not provide.

Why is the InCommon Discovery Service a pre-production service?

The user interface of the pre-production InCommon Discovery Service is experimental. The production service will incorporate the feedback received from the community during the pre-production phase.

What does the InCommon Discovery Service look like?

Here's a recent screen shot of the InCommon Discovery Service:

Where can I try out the new InCommon Discovery Service?

Please visit this test page: https://service1.internet2.edu/test/

Which SAML Service Provider implementations support the InCommon Discovery Service?

The InCommon Discovery Service works with all supported versions of the Shibboleth Service Provider software. To use the native SAML V2.0 Identity Provider Discovery Protocol, Shibboleth SP version 2.0 (or later) is required.

The InCommon Discovery Service is also believed to work with simpleSAMLphp version 1.1 or later, but this has not been tested by InCommon.

There may be other SP implementations that support the InCommon Discovery Service. If you find one that does, please share your experiences with other InCommon participants (incommon-participants@incommon.org).

If my SAML Service Provider implementation supports an "embedded discovery service," do I still need to be concerned about the InCommon Discovery Service?

The InCommon Discovery Service is a centralized discovery service for general use within the InCommon Federation as a "service of last resort" for service providers that are for whatever reason unable to implement their own discovery solution.

For those service providers that implement their own discovery service, through an embedded service, a companion application/service, or some other centralized service, the InCommon Discovery Service is unlikely to be applicable or appropriate.

How you handle discovery in conjunction with particular federated services at is completely up to you. That said, it is well known that an embedded discovery service, or any kind of selection process integrated with your federated application, provides the best overall experience for users, and gives you the most flexibility in determining which choices of identity providers are offered to users. You should by all means consider that as an alternative to centralized services such as the InCommon Discovery Service.

What do I need to do?

If you implement discovery in the recommended way, without relying on the InCommon centralized version, you need do nothing.

Otherwise, first and foremost, try it out (https://service1.internet2.edu/test/) and give us your feedback (discovery@incommon.org).

ALL InCommon Service Provider deployments currently relying on the InCommon WAYF should reconfigure their software to point at the InCommon Discovery Service instead. The latter will be phased out and retired early in 2011.

Update your InCommon Federation metadata to include the <DiscoveryResponse> extension endpoints that are required to use the service with SAML V2.0 Web Browser SSO. Do this even if you don't plan on using SAML V2.0 any time soon.

Consult the Shibboleth documentation for instructions how to configure a Shibboleth 2.x SP SessionInitiator with one or more discovery handlers. Instructions how to configure your Shibboleth 2.x SP to use the InCommon Discovery Service will be found elsewhere in this FAQ.

How do I configure a Shibboleth 1.x SP to use the InCommon Discovery Service instead of the InCommon WAYF?

Note: As of June 30, 2010, Shibboleth 1.x is no longer supported by the Shibboleth Project, so you should upgrade your software as soon as possible.

A Shibboleth 1.x SP cannot take advantage of all the features of the new InCommon Discovery Service, so we recommend you upgrade your Shibboleth SP deployment as soon as you can. In the meantime, you can (and should) reconfigure your Shibboleth 1.x SP to use the InCommon Discovery Service instead of the InCommon WAYF. The latter will be phased out and retired early in 2011.

If you're already using the InCommon WAYF, you will find something like the following in your SP 1.x configuration file (shibboleth.xml):

shibboleth.xml (old)
<SessionInitiator id="wayf" Location="/WAYF/InCommon"
     Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
     wayfURL="https://wayf.incommonfederation.org/InCommon/WAYF"
     wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" />

To point your SP at the new Discovery Service endpoint, make the following configuration change:

shibboleth.xml (new)
<SessionInitiator id="wayf" Location="/WAYF/InCommon"
     Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
     wayfURL="https://wayf.incommonfederation.org/DS/WAYF"
     wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" />

Since the InCommon Discovery Service is backwards compatible with the InCommon WAYF, the above configuration should work exactly the same as before.

How do I configure a Shibboleth 2.x SP to use the InCommon Discovery Service instead of the InCommon WAYF?

In the very least, you should reconfigure your Shibboleth 2.x SP to use the InCommon Discovery Service instead of the InCommon WAYF. The latter will be phased out and retired early in 2011.

If you're already using the InCommon WAYF, you will find something like the following in your SP 2.x configuration file (shibboleth2.xml):

shibboleth2.xml (old)
<SessionInitiator type="WAYF" URL="https://wayf.incommonfederation.org/InCommon/WAYF" />

To point your SP at the new Discovery Service endpoint, make the following configuration change:

shibboleth2.xml (new)
<SessionInitiator type="WAYF" URL="https://wayf.incommonfederation.org/DS/WAYF" />

Since the InCommon Discovery Service is backwards compatible with the InCommon WAYF, the above configuration should work exactly the same as before.

How do I configure a Shibboleth 2.x SP to use the InCommon Discovery Service with the SAML V2.0 Identity Provider Discovery Protocol?

Important! The InCommon Discovery Service, and the use of SAML V2.0, depend on SP metadata, so update your metadata now, before you configure your Shibboleth 2.x SP to use the InCommon Discovery Service with the SAML V2.0 Identity Provider Discovery Protocol.

Assuming the specific <SessionInitiator> given below, the location of the return endpoint (i.e., the endpoint location at the SP that the DS returns to once the user's preferred IdP has been chosen) is:

https://host/Shibboleth.sso/Login

where host is the hostname of your SP. Simply login to the site admin web application, edit your SP's metadata, and add a <DiscoveryResponse> element with the above endpoint location.

You MUST also ensure that you have added SAML V2.0 endpoints and support to your metadata if your SP is configured to utilize SAML V2.0 (which it will be by default). Failure to do so will result in errors when SAML V2.0 requests are issued by the SP to Identity Providers in the federation that support SAML V2.0, because your metadata will indicate a lack of support for that protocol. Simply add an <AsssertionConsumerService> endpoint for the SAML V2.0 HTTP-POST Binding using the site admin web application.

Note: The InCommon Discovery Service is a pre-production test deployment, so we recommend you return your SP configuration to its original state after trying the sample configuration below. You can (and should) leave the <DiscoveryResponse> element and the SAML V2.0 changes in your metadata, however.

To use the InCommon Discovery Service with the SAML V2.0 Identity Provider Discovery Protocol, modify your SP 2.x configuration file (shibboleth2.xml) with something like this (the critical line is the second to last one containing "SAMLDS":

shibboleth2.xml (add)
<SessionInitiator type="Chaining" Location="/Login" id="Login" isDefault="true" relayState="cookie">
     <SessionInitiator type="SAML2"
        defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html" />
     <SessionInitiator type="Shib1" defaultACSIndex="5" />
     <SessionInitiator type="SAMLDS" URL="https://wayf.incommonfederation.org/DS/WAYF" />
</SessionInitiator>

If this is the first time your SP has been configured for SAML V2.0, you should test the configuration thoroughly of course. In particular, you should test with your IdP partners to insure that both IdP and SP have been configured for SAML V2.0 correctly.

For More Information

If you have any problems, drop us a line at discovery@incommon.org.

#trackbackRdf ($trackbackUtils.getContentIdentifier($page) $page.title $trackbackUtils.getPingUrl($page))
  • No labels