A SAML Discovery Service allows users to select any Identity Provider in the federation. The benefit of using a common Discovery Service is that users see the same list of Identity Providers regardless of which service is being accessed.
Note: contact the Federation Operator for the appropriate SAML Discovery Service URL.
When the SAML Discovery Service is enabled, the Service Provider redirects the user to the Discovery Service, which presents a list of Identity Providers. The user selects the preferred Identity Provider and the Discovery Service returns the selected Identity Provider to the Service Provider. The Service Provider validates the response and determines which Identity Provider the authentication request should be sent to.
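The exchange described above, as an added example that is not part of the original page or of the product's own code. It follows the standard SAML IdP Discovery Protocol parameters (entityID, return, returnIDParam); the entity IDs, URLs and the set of enabled Identity Providers are constructed sample values. The point of interest for a Service Provider is the validation step: the response must arrive at the expected return URL and the selected Identity Provider must be one of the federation's enabled Identity Providers, otherwise no authentication request is sent.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample values (stand-ins, not from the original page).
SP_ENTITY_ID = "https://sp.example.org/saml"
DISCOVERY_SERVICE_URL = "https://ds.example-federation.org/ds"  # placeholder: ask the Federation Operator
RETURN_URL = "https://sp.example.org/saml/discovery-return"
ENABLED_IDPS = {
    "https://idp-a.example.edu/idp",
    "https://idp-b.example.edu/idp",
}


def build_discovery_redirect(sp_entity_id, ds_url, return_url, return_id_param="entityID"):
    """Build the URL the Service Provider redirects the user to.

    The Discovery Service receives the SP's entityID, where to send the user
    back ("return") and the name of the query parameter that will carry the
    selected IdP ("returnIDParam", default "entityID").
    """
    params = {
        "entityID": sp_entity_id,
        "return": return_url,
        "returnIDParam": return_id_param,
    }
    return f"{ds_url}?{urlencode(params)}"


def validate_discovery_response(response_url, expected_return_url, enabled_idps,
                                return_id_param="entityID"):
    """Return the selected IdP entityID if the response is acceptable, else None.

    Checks performed by the Service Provider:
      1. the user came back to our own return endpoint (scheme, host, path);
      2. exactly one IdP was returned (none means the user made no selection);
      3. the IdP is one of the enabled Identity Providers in the federation.
    Only an IdP passing all three is a valid target for an authentication request.
    """
    got = urlparse(response_url)
    want = urlparse(expected_return_url)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        return None  # not our return endpoint

    values = parse_qs(got.query).get(return_id_param, [])
    if len(values) != 1:
        return None  # no selection, or an ambiguous one

    idp = values[0]
    if idp not in enabled_idps:
        return None  # unknown IdP: never send an AuthnRequest to it
    return idp


if __name__ == "__main__":
    print(build_discovery_redirect(SP_ENTITY_ID, DISCOVERY_SERVICE_URL, RETURN_URL))
    sample = RETURN_URL + "?entityID=https%3A%2F%2Fidp-a.example.edu%2Fidp"
    print(validate_discovery_response(sample, RETURN_URL, ENABLED_IDPS))
```

The enabled set is the same list the Service Provider would otherwise show to the user (see the last note on this page), so the Discovery Service can only ever narrow the choice, never widen it.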
Follow these steps to enable use of a SAML Discovery Service:
1. Add or edit a SAML Federation with the SAML Role "Service Provider" enabled.
2. Select the "Export" tab.
3. Check "Discovery Enabled" and enter the URL of the Discovery Service.
4. Save the SAML Federation, then click "Publish".
After performing these steps, the Service Provider will now provide SAML Discovery.
The user can now click the SAML Discovery link on the login page. The name of the SAML Federation is used as the link text. If the login page has only one authentication method, e.g. SAML Discovery, it is used automatically and the user does not need to click the link.
Note: when a web resource is protected with a specific Identity Provider in a SAML Federation that has SAML Discovery enabled, the SAML Discovery flow is not used.
Note: when SAML Discovery is not used, the Service Provider presents a list of all enabled Identity Providers in the federation.