Thursday Aug 07, 2008
Discovering and Setting (On Fire?) Preferred Identity Providers
Here is additional information on the Identity Provider Discovery Service. The earlier posts Discovering the SAMLv2 IDP Discovery Service and the Discovery LP have general information and the procedure for setting up and testing the Identity Provider Discovery Service. Here is the process to set a preferred identity provider.

NOTE: spSSOInit.jsp is used to initiate single sign-on from the service provider side. On receiving a request for access, spSSOInit.jsp verifies that the required parameters are defined. See the Sun Java System SAML v2 Plug-in for Federation Services User's Guide for more information.

- A user accesses spSSOInit.jsp to initiate single sign-on on the service provider side, and passes to it the value of the idpEntityID parameter. The value is the entity identifier of the identity provider to which the request should be sent.
- The service provider retrieves the identity provider's single sign-on service URL using the value of idpEntityID and redirects the user to it.
- Assuming the user is not authenticated, the identity provider prompts the user for credentials. If the Identity Provider Discovery Service is configured, the user is then redirected to the Identity Provider Discovery Service Writer Service URL with the identity provider information. The Writer Service URL sets the common domain cookie.
- The Identity Provider Discovery Service Writer Service URL sets the cookie with the identity provider information and redirects the user back to the identity provider's single sign-on service URL. The preferred identity provider is now set.
- The identity provider's single sign-on service URL completes the single sign-on process.

Here is the process once a preferred identity provider has been set.

- A user accesses spSSOInit.jsp to initiate single sign-on on the service provider side, and one of the following occurs:
  - If the value of idpEntityID is passed, the identity provider is contacted directly. See the previous procedure.
  - If there is no value for idpEntityID but the Identity Provider Discovery Service is configured, the user is directed to the Reader Service URL to retrieve the preferred identity provider's entity identifier. In this case, the RelayState parameter points back to spSSOInit.jsp.
- The Identity Provider Discovery Service Reader Service URL checks for an identity provider discovery cookie and, if it is set, extracts the preferred identity provider and returns the information as a query parameter in the relay state URL.
- spSSOInit.jsp checks for the preferred identity provider in the returned URL.
  - If the preferred identity provider is set, the request is sent to it for single sign-on.
  - If the preferred identity provider is not set, an error is displayed stating this.
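The two procedures above, modelled in Python as an added example (not code from the Sun plug-in or from this post). The cookie layout follows the SAML 2.0 IdP Discovery Profile (cookie `_saml_idp`, space-separated base64 entity IDs, most recently used last); the entity IDs, the service provider host and the use of `idpEntityID` as the query parameter the Reader Service appends to RelayState are assumptions for illustration.

```python
"""Writer Service, Reader Service and spSSOInit.jsp logic of the IdP Discovery
flow. Cookie format per the SAML 2.0 IdP Discovery Profile; all entity IDs and
URLs in the tests are constructed samples, and the idpEntityID query parameter
returned by the Reader is an assumption, not the plug-in's actual name."""
import base64
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

COOKIE_NAME = "_saml_idp"  # common domain cookie name from the SAML 2.0 profile


def writer_set_cookie(existing: Optional[str], idp_entity_id: str) -> str:
    """Writer Service URL: record the IdP in the common domain cookie.
    The most recently used IdP goes last; an earlier entry for the same IdP is
    moved to the end rather than duplicated."""
    encoded = base64.b64encode(idp_entity_id.encode("utf-8")).decode("ascii")
    entries = [e for e in (existing.split(" ") if existing else []) if e != encoded]
    entries.append(encoded)
    return " ".join(entries)


def reader_preferred_idp(cookie_value: Optional[str]) -> Optional[str]:
    """Reader Service URL: the preferred IdP is the last entry in the cookie.
    A missing or malformed cookie is reported as 'no preferred IdP'."""
    if not cookie_value:
        return None
    try:
        return base64.b64decode(cookie_value.split(" ")[-1], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def reader_redirect(relay_state: str, cookie_value: Optional[str]) -> str:
    """Reader Service URL: redirect back to RelayState (spSSOInit.jsp), adding the
    preferred IdP as a query parameter when one is set; other parameters survive."""
    idp = reader_preferred_idp(cookie_value)
    parts = urlsplit(relay_state)
    query = parse_qs(parts.query, keep_blank_values=True)
    if idp:
        query["idpEntityID"] = [idp]  # assumed parameter name
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def sp_sso_init(returned_url: str) -> str:
    """spSSOInit.jsp: forward to the preferred IdP or report that none is set."""
    idp = parse_qs(urlsplit(returned_url).query).get("idpEntityID", [None])[0]
    if idp:
        return f"redirect to SSO service of {idp}"
    return "error: no preferred identity provider is set"
```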
Posted at 09:02AM Aug 07, 2008 by Michael Teger in Sun | Comments[0]