Identity Discovery

Posted on 2014-08-18
Last Modified: 2014-08-18
Could someone please describe in easy to understand terms what Identity Discovery is (I am asking in the context of SAML).

Question by: Anthony Lucia

Accepted Solution

SAML is an open and widely accepted single sign on (SSO) protocol. It works cross-platform, cross-system and cross-browser, so it is therefore easily the most popularly used SSO protocol. Microsoft utilizes it in Active Directory Federated Services as an example.

The Identity Provider Discovery Profile allows for modern browsers to query the Identity Provider initially, so it knows who the Identity Provider is. The process is cookie-based. Microsoft describes it HERE -

Both TFIM and AD FS 2.0 support the SAML IdP Discovery Profile, which provides a standards-based cookie mechanism to determine a user's IdP during SP-initiated SSO, when no IdP is otherwise explicitly stated. This contrasts with the default approach used in both products, where users self-select their IdP from a home realm discovery (AD FS 2.0) or "Where Are You From" (TFIM) web page.

Use of the IdP Discovery Profile requires the use of a common domain. IdP partners use this domain to write common domain cookies (CDC) using a CDC-writing service, while SP partners read those cookies using a CDC reading service.

AD FS 2.0 provides CDC writer and reader applications in a folder called CDC.Web in the AD FS 2.0 application installation folder. To configure SAML IdP discovery in TFIM, select Identity Provider Discovery from the SAML 2.0 Profile Details page in the Federation Wizard.

Wikipedia explains the IdPDiscovery here -

Basically, discovery makes it much easier for users and browsers to access the SAML connection that they'd like to federate with. It is a secure process because regardless of who accesses the Identity Provider, if they don't have rights to pass through the Identity Provider, then they don't gain access.

With Windows, Active Directory is the Identity Provider, so if a user hits the Identity Provider and can't pass authentic AD credentials to it, they won't gain access.
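As an added example (not from the question or the answer, and not AD FS's or TFIM's code), here is a minimal CDC writer and reader in Python using the cookie the IdP Discovery Profile defines: a `_saml_idp` cookie in the common domain holding a space-separated list of base64-encoded IdP entity IDs, most recently used last. The entity IDs, the common domain name and the trusted-IdP set are constructed values; the point is that the SP side treats the cookie as a routing hint and checks it against the IdPs it is actually federated with.

```python
import base64
import binascii

COOKIE_NAME = "_saml_idp"   # cookie name the IdP Discovery Profile defines

def encode_entity_id(entity_id):
    """Entity IDs are stored base64-encoded so the list can be space-separated."""
    return base64.b64encode(entity_id.encode("utf-8")).decode("ascii")

def write_cdc(existing_value, idp_entity_id):
    """CDC writer (runs in the common domain after an IdP authenticates a user).
    Returns the new cookie value: most recently used IdP last, no duplicates."""
    encoded = encode_entity_id(idp_entity_id)
    entries = [e for e in existing_value.split(" ") if e and e != encoded]
    entries.append(encoded)
    return " ".join(entries)

def read_cdc(cookie_value, trusted_idps):
    """CDC reader (runs in the common domain on behalf of an SP). Keeps only IdPs
    this SP federates with: the cookie is a browser-controlled routing hint only."""
    found = []
    for entry in cookie_value.split(" "):
        if not entry:
            continue
        try:
            entity_id = base64.b64decode(entry, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # malformed or tampered entry: ignore it
        if entity_id in trusted_idps:
            found.append(entity_id)
    return found

def preferred_idp(cookie_value, trusted_idps):
    """Most recently used trusted IdP, or None so the SP falls back to its
    home-realm-discovery / 'Where Are You From' page."""
    idps = read_cdc(cookie_value, trusted_idps)
    return idps[-1] if idps else None

def set_cookie_header(value, common_domain):
    """Set-Cookie line for the common domain; Secure keeps it off plain HTTP."""
    return "%s=%s; Domain=%s; Path=/; Secure" % (COOKIE_NAME, value, common_domain)

if __name__ == "__main__":
    # Constructed values: two partner IdPs and one the SP does not federate with.
    trusted = {"https://idp-a.example.org/saml", "https://idp-b.example.org/saml"}
    cdc = write_cdc("", "https://idp-a.example.org/saml")
    cdc = write_cdc(cdc, "https://idp-b.example.org/saml")
    cdc = write_cdc(cdc, "https://idp-rogue.example.net/saml")
    print(set_cookie_header(cdc, "sso-common.example.org"))
    print("preferred:", preferred_idp(cdc, trusted))  # idp-b: rogue entry is filtered out
```

If no trusted IdP survives the check, the SP should show its normal IdP selection page rather than trust whatever the cookie names.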
