!!! Overview

In [SAML] the [Service providers|SP] need a way to determine which [Identity Provider (IDP)] in a [Circle of Trust] is used by a principal requesting [authentication]. Because [Circles of Trust|Circle of Trust] are configured without regard to their location, this function must work across DNS-defined domains. A [Common Domain] is configured, and a common domain cookie written, for this purpose. The common domain cookie provides this [Discovery Mechanism].

Let's suppose a [Circle of Trust] contains more than one [Identity Provider (IDP)]. In this case, a [service provider|SP] trusts more than one [Identity Provider (IDP)], so when a principal needs authentication, the [service provider|SP] with which the principal is communicating must have a means of determining the correct [Identity Provider (IDP)].

To ascertain a principal's [Identity Provider (IDP)], the [service provider|SP] invokes a protocol exchange to retrieve the [Common Domain] cookie, a cookie written for the purpose of introducing the [Identity Provider (IDP)] to the [service provider|SP]. If no common domain cookie is found, the [service provider|SP] presents a list of trusted [Identity Providers|Identity Provider (IDP)] from which the principal can choose.

After successful authentication, the [Identity Provider (IDP)] writes a common domain cookie (using the configured Writer Service URL). The next time the principal attempts to access a service, the [service provider|SP] finds and reads the common domain cookie (using the configured Reader Service URL) to determine the [Identity Provider (IDP)].

!! More Information

There might be more information for this subject on one of the following:

[{ReferringPagesPlugin before='*' after='\n' }]
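The Writer Service (IdP side) and Reader Service (SP side) handling of the common domain cookie described in the Overview, as an added Python example that is not part of this wiki page or of any particular product; it assumes the cookie layout of the SAML 2.0 Identity Provider Discovery Profile (a cookie named `_saml_idp` whose value is a space-separated list of base64-encoded IdP entity IDs, most recently used last), and the entity IDs in the test are constructed. The SP treats the cookie purely as a hint: an entry is used only when it names an IdP already in the SP's own trust list, and anything else falls through to presenting the list of trusted IdPs.

```python
import base64
import binascii
from typing import List, Optional, Set, Tuple

# Cookie name and layout come from the SAML 2.0 IdP Discovery Profile, not from this page.
COOKIE_NAME = "_saml_idp"


def _encode_entity_id(entity_id: str) -> str:
    return base64.b64encode(entity_id.encode("utf-8")).decode("ascii")


def write_common_domain_cookie(existing_value: Optional[str], idp_entity_id: str) -> str:
    """Writer Service logic (IdP side, after successful authentication).
    Appends this IdP's entity ID as the most recent entry; an existing entry
    for the same IdP is moved to the end rather than duplicated."""
    encoded = _encode_entity_id(idp_entity_id)
    entries = [e for e in (existing_value or "").split(" ") if e and e != encoded]
    entries.append(encoded)
    return " ".join(entries)


def read_common_domain_cookie(cookie_value: Optional[str], trusted_idps: Set[str]) -> Optional[str]:
    """Reader Service logic (SP side). Walks the list from most recent to oldest
    and returns the first entity ID that is in this SP's Circle of Trust. The
    cookie is only a browser-supplied hint, so entries naming unknown IdPs or
    entries that fail to decode are ignored instead of trusted."""
    if not cookie_value:
        return None
    for token in reversed(cookie_value.split(" ")):
        if not token:
            continue
        try:
            entity_id = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if entity_id in trusted_idps:
            return entity_id
    return None


def select_idp(cookie_value: Optional[str], trusted_idps: Set[str]) -> Tuple[str, List[str]]:
    """SP decision: ("cookie", [idp]) when discovery via the cookie succeeded,
    otherwise ("choose", [all trusted IdPs]) so the SP can show its list."""
    idp = read_common_domain_cookie(cookie_value, trusted_idps)
    if idp is not None:
        return "cookie", [idp]
    return "choose", sorted(trusted_idps)
```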