The InCommon Discovery Service is a centralized discovery service for general use within the InCommon Federation. For those service providers that provide their own discovery service, through an embedded service or some other centralized service, the InCommon Discovery Service may not be applicable. How you handle discovery in conjunction with particular federated services is completely up to you, but it is strongly recommended that you address discovery within or in conjunction with each service provider or application, if at all possible. This provides a better, more tailored user experience.
To use the InCommon Discovery Service, configure your software to point at the following location:
https://wayf.incommonfederation.org/DS/WAYF (test)
See the wiki for technical details how to configure your software and metadata for discovery.
SAML Web Browser SSO was first introduced in SAML version 1.1. The only browser flow officially documented in the SAML V1.1 profiles was an IdP-initiated flow. This led to the Shibboleth 1.x AuthnRequest protocol, a proprietary extension to SAML V1.1. Today, standard SAML V2.0 includes a greatly enhanced AuthnRequest message such that a typical SAML V2.0 browser flow begins with a request at the service provider. Although this provides greater flexibility, SP-initiated flows naturally give rise to the so-called identity provider discovery problem, a longstanding problem in the federated identity management space. Indeed, discovery is still the focus of much research today.
Generally speaking, a discovery service is a solution to the identity provider discovery problem. As the term is used here, a discovery service provides a browser-based interface where a user selects his or her preferred identity provider. A service provider (or a proxy acting on behalf of a service provider) uses this information to initiate SAML Web Browser SSO.
Early on, the Shibboleth Project pioneered the use of a "Where Are You From?" (WAYF) service for identity provider discovery. The WAYF service was based on the proprietary AuthnRequest protocol mentioned above. Even today, the phrase "Where Are You From?" is generally used to characterize identity provider discovery.
Historically, the term "WAYF" has referred to both software and protocol. The WAYF software has all but been eliminated by newer discovery service implementations, but the WAYF protocol lives on, mainly for backwards compatibility with SAML V1.1.
The original WAYF was a centralized discovery service, usually operated by a federation. Historically, as experience with identity provider discovery grew, these centralized discovery services gave way to so-called embedded discovery services, that is, discovery services more closely associated with (and often built into) SAML service provider implementations (such as simpleSAMLphp and AD FS 2.0). It is generally believed that an embedded discovery service provides the best overall experience for users.
https://spaces.internet2.edu/display/InCCollaborate/InCommon+Discovery+Service
This page last updated December 31, 2010
Email any questions to:
info AT incommon DOT org
© Copyright 2004-2011 InCommon, LLC. All Rights Reserved.
InCommon
is operated by Internet2.
Participation in InCommon is separate and distinct from membership in Internet2.