Identity Discovery

Could someone please describe in easy to understand terms what Identity Discovery is (I am asking in the context of SAML)?

Anthony Lucia asked:

Brad Groux, Senior Manager (Wintel Engineering), commented:
SAML is an open and widely accepted single sign on (SSO) protocol. It works cross-platform, cross-system and cross-browser so it is therefore easily the most popularly used SSO protocol. Microsoft utilizes it in Active Directory Federated Services as an example.

The Identity Provider Discovery Profile allows for modern browsers to query the Identity Provider initially, so it knows who the Identity Provider is. The process is cookie-based. Microsoft describes it HERE -

Both TFIM and AD FS 2.0 support the SAML IdP Discovery Profile, which provides a standards-based cookie mechanism to determine a user’s IdP during SP-initiated SSO, when no IdP is otherwise explicitly stated. This contrasts with the default approach used in both products, where users self-select their IdP from a home realm discovery (AD FS 2.0) or “Where Are You From” (TFIM) web page.

Use of the IdP Discovery Profile requires the use of a common domain. IdP partners use this domain to write common domain cookies (CDC) using a CDC-writing service, while SP partners read those cookies using a CDC reading service.

AD FS 2.0 provides CDC writer and reader applications in a folder called CDC.Web in the AD FS 2.0 application installation folder. To configure SAML IdP discovery in TFIM, select Identity Provider Discovery from the SAML 2.0 Profile Details page in the Federation Wizard.

Wikipedia explains IdP Discovery here -

Basically discovery makes it much easier for users and browsers to access the SAML connection that they'd like to federate with. It is a secure process because regardless of who accesses the Identity Provider, if they don't have rights to pass through the Identity Provider - then they don't gain access.

With Windows, Active Directory is the Identity Provider so if a user hits the Identity Provider and can't pass authentic AD credentials to it, they won't gain access.
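To make the common domain cookie (CDC) mechanism described in the answer concrete, here is a small added example, written for this page and not taken from the original post, AD FS or TFIM. It models the two halves of the SAML 2.0 IdP Discovery Profile: the writer the IdP runs on the common domain (appending its entityID to the `_saml_idp` cookie, most recently used last) and the reader the SP runs (decoding the list and picking the most recent IdP it actually trusts, otherwise falling back to a "Where Are You From" page). The cookie name, the space-separated base64 value format and the Secure attribute come from the profile; the entityIDs, the common domain `cdc.example` and the `max_entries` cap are constructed assumptions for the demo.

```python
import base64
from typing import List, Optional, Set

# Cookie name fixed by the SAML 2.0 IdP Discovery Profile.
COOKIE_NAME = "_saml_idp"


def encode_entity_id(entity_id: str) -> str:
    """The profile stores each IdP entityID base64-encoded."""
    return base64.b64encode(entity_id.encode("utf-8")).decode("ascii")


def write_cdc(existing_cookie: Optional[str], idp_entity_id: str,
              max_entries: int = 10) -> str:
    """IdP side (CDC writer): record this IdP as the most recently used one.

    The value is a space-separated list, oldest first, newest last. A repeat
    login at the same IdP moves it to the end instead of duplicating it.
    max_entries is an assumed cap so the cookie cannot grow without bound.
    """
    tokens = [t for t in (existing_cookie or "").split(" ") if t]
    encoded = encode_entity_id(idp_entity_id)
    tokens = [t for t in tokens if t != encoded]
    tokens.append(encoded)
    return " ".join(tokens[-max_entries:])


def read_cdc(cookie_value: Optional[str]) -> List[str]:
    """SP side (CDC reader): decode the list, skipping anything malformed.

    A browser can present any bytes it likes, so invalid base64 or non-UTF-8
    entries are dropped rather than allowed to raise into the login flow.
    """
    idps: List[str] = []
    for token in (cookie_value or "").split(" "):
        if not token:
            continue
        try:
            idps.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
            continue
    return idps


def discover_idp(cookie_value: Optional[str], trusted_idps: Set[str]) -> Optional[str]:
    """Pick the most recently used IdP that this SP has a federation with.

    The cookie is only a hint: an IdP the SP does not trust is ignored, and
    None means the SP should fall back to letting the user choose (WAYF).
    """
    for entity_id in reversed(read_cdc(cookie_value)):
        if entity_id in trusted_idps:
            return entity_id
    return None


def set_cookie_header(cookie_value: str, common_domain: str) -> str:
    """Set-Cookie header the CDC writer would emit on the common domain.

    The profile requires the cookie to be marked Secure so it only travels
    over HTTPS; Domain is the shared common domain, assumed here.
    """
    return f"{COOKIE_NAME}={cookie_value}; Domain={common_domain}; Path=/; Secure"


if __name__ == "__main__":
    # Constructed scenario: user logs in at two IdPs, then an SP that trusts
    # only the first one reads the cookie.
    cookie = write_cdc(None, "https://idp.example.edu/saml")
    cookie = write_cdc(cookie, "https://idp.partner.example/idp")
    print(set_cookie_header(cookie, "cdc.example"))
    print(read_cdc(cookie))
    print(discover_idp(cookie, {"https://idp.example.edu/saml"}))
```

The reader deliberately treats the cookie as untrusted input: it is a convenience for choosing where to send the user, not an authentication decision, which is still made by the IdP when the user presents credentials there.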
