

Identity Discovery

Posted on 2014-08-18
Medium Priority
Last Modified: 2014-08-18
Could someone please describe, in easy to understand terms, what Identity Discovery is? (I am asking in the context of SAML.)

Question by:Anthony Lucia
1 Comment
LVL 14

Accepted Solution

Brad Groux earned 2000 total points
ID: 40268619
SAML is an open and widely accepted single sign on (SSO) protocol. It works cross-platform, cross-system and cross-browser so it is therefore easily the most popularly used SSO protocol. Microsoft utilizes it in Active Directory Federated Services as an example.

The Identity Provider Discovery Profile allows for modern browsers to query the Identity Provider initially, so it knows who the Identity Provider is. The process is cookie-based. Microsoft describes it HERE -

Both TFIM and AD FS 2.0 support the SAML IdP Discovery Profile (http://go.microsoft.com/fwlink/?LinkId=210334), which provides a standards-based cookie mechanism to determine a user’s IdP during SP-initiated SSO, when no IdP is otherwise explicitly stated. This contrasts with the default approach used in both products, where users self-select their IdP from a home realm discovery (AD FS 2.0) or “Where Are You From” (TFIM) web page.

Use of the IdP Discovery Profile requires the use of a common domain. IdP partners use this domain to write common domain cookies (CDC) using a CDC-writing service, while SP partners read those cookies using a CDC reading service.

AD FS 2.0 provides CDC writer and reader applications in a folder called CDC.Web in the AD FS 2.0 application installation folder. To configure SAML IdP discovery in TFIM, select Identity Provider Discovery from the SAML 2.0 Profile Details page in the Federation Wizard.

Wikipedia explains the IdP Discovery Profile here - http://en.wikipedia.org/wiki/SAML_2.0#Identity_Provider_Discovery_Profile

Basically discovery makes it much easier for users and browsers to access the SAML connection that they'd like to federate with. It is a secure process because regardless of who accesses the Identity Provider, if they don't have rights to pass through the Identity Provider - then they don't gain access.

With Windows, Active Directory is the Identity Provider so if a user hits the Identity Provider and can't pass authentic AD credentials to it, they won't gain access.
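The common domain cookie mechanism the answer describes can be illustrated with a small model of the two services it names, a CDC-writing service run by the IdP and a CDC-reading service run by the SP. The example below is added here and is not code from the original answer, from AD FS or from TFIM. It follows the cookie layout of the SAML IdP Discovery Profile (a cookie named `_saml_idp` whose value is a space-separated list of base64-encoded IdP entityIDs, most recently used last) and adds the check a defender would want on the reading side: the cookie is only a hint, so the SP must ignore any entityID it does not already federate with and must tolerate malformed entries. The entityIDs and the Python function names are constructed for the illustration; URL-encoding of the value for an actual `Set-Cookie` header is left out.

```python
import base64
import binascii
from typing import List, Optional, Set

# Cookie name defined by the SAML 2.0 IdP Discovery Profile.
COOKIE_NAME = "_saml_idp"


def encode_entity_id(entity_id: str) -> str:
    """entityID -> base64 token, as stored in the common domain cookie."""
    return base64.b64encode(entity_id.encode("utf-8")).decode("ascii")


def write_cdc(existing_value: Optional[str], idp_entity_id: str) -> str:
    """CDC-writing service (IdP side).

    Appends the IdP's entityID to the cookie value so the most recently used
    IdP is last. If the same IdP is already present it is moved to the end
    rather than duplicated.
    """
    tokens = [t for t in (existing_value or "").split(" ") if t]
    token = encode_entity_id(idp_entity_id)
    tokens = [t for t in tokens if t != token]
    tokens.append(token)
    return " ".join(tokens)


def read_cdc(cookie_value: Optional[str]) -> List[str]:
    """CDC-reading service (SP side): decode the list, most recent last.

    Malformed tokens (bad base64, non-UTF-8 payload) are skipped instead of
    raising, because the cookie arrives from the browser and cannot be trusted
    to be well-formed.
    """
    entity_ids: List[str] = []
    for token in (cookie_value or "").split(" "):
        if not token:
            continue
        try:
            entity_ids.append(
                base64.b64decode(token, validate=True).decode("utf-8")
            )
        except (binascii.Error, ValueError):
            continue  # skip garbage rather than trusting it
    return entity_ids


def pick_idp(cookie_value: Optional[str], trusted_idps: Set[str]) -> Optional[str]:
    """SP-initiated SSO: choose the most recently used IdP that the SP trusts.

    The cookie only records where the user has authenticated before; it grants
    nothing by itself. An entityID that is not in the SP's configured partner
    list is ignored, and None means "fall back to the home realm discovery /
    Where Are You From page".
    """
    for entity_id in reversed(read_cdc(cookie_value)):
        if entity_id in trusted_idps:
            return entity_id
    return None


if __name__ == "__main__":
    # Constructed entityIDs for the walkthrough.
    value = write_cdc(None, "https://idp.example.edu/saml")
    value = write_cdc(value, "https://idp.partner.example/saml")
    print(COOKIE_NAME, "=", value)
    print("history:", read_cdc(value))
    print("chosen:", pick_idp(value, {"https://idp.example.edu/saml"}))
```

The SP-side selection is what turns the cookie into a "secure process" in the sense the answer gives: the cookie steers the browser to an IdP, but it is the IdP's own authentication (Active Directory in the AD FS case) and the SP's partner list that decide whether the user gets in.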
