Common Domain for Identity Provider Discovery


In SAML the Service providers need a way to determine which Identity Provider (IDP) in a Circle of Trust is used by a principal requesting authentication.

Because Circles of Trust are configured without regard to their location, this function must work across DNS-defined domains. A Common Domain is configured, and a common domain cookie written, for this purpose.

The common domain cookie provides this Discovery Mechanism.

Let's suppose a Circle of Trust contains more than one Identity Provider (IDP). In this case, a service provider trusts more than one Identity Provider (IDP) so, when a principal needs authentication, the service provider with which the principal is communicating must have the means to determine the correct Identity Provider (IDP).

To ascertain a principal’s Identity Provider (IDP), the service provider invokes a protocol exchange to retrieve the Common Domain cookie, a cookie written for the purpose of introducing the Identity Provider (IDP) to the service provider. If no common domain cookie is found, the service provider will present a list of trusted Identity Provider (IDP) from which the principal can choose. After successful authentication, the Identity Provider (IDP) writes (using the configured Writer Service URL) a common domain cookie and, the next time the principal attempts to access a service, the service provider finds and reads the common domain cookie (using the configured Reader Service URL), to determine the Identity Provider (IDP).

More Information#

There might be more information for this subject on one of the following: