
Influencing the Identity Provider Used by the Service Provider

Use

A service provider can trust multiple identity providers. Different applications can require different identity providers. A service provider therefore needs a means to discover which identity provider it should use. Use this procedure to influence which trusted identity provider a service provider sends the client to.

You can either enable the user to select the identity provider to use or you can configure an automatic means of identity provider discovery.

  • For manual selection, the service provider presents the names of the trusted identity providers and prompts the user to choose one.

  • For automatic identity provider discovery, the service provider chooses an identity provider based on the following criteria in order:

    1. Use the identity provider from an existing SAML session, SAML response, or SAML artifact response.

    2. Use the identity provider specified in a URL parameter.

    3. Use the identity provider in a common domain cookie.

      If access to an identity provider discovery service is enabled, the service provider checks the services in the following order.

      1. Use the trusted and enabled identity provider last visited as returned by the local identity provider discovery service in the local domain.

        The local identity provider discovery service uses the last entry in the common domain cookie, and only if the protocol is HTTPS.

      2. Use the trusted and enabled identity provider last visited as returned by the external identity provider discovery service in the common domain.

        The entry used in the common domain cookie depends on the external identity provider discovery service.

      For more information, see Common Domain and Identity Provider Discovery.

    4. Use the default identity provider.
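The discovery order above, written out as an added example selection function (this is illustrative code, not SAP's implementation). It assumes a constructed trust configuration, uses the saml2idp URL parameter described in the procedure below, and reads the common domain cookie in the SAML 2.0 IdP Discovery Profile format (space-separated base64 entityIDs, most recent last); the point it makes is that a URL parameter or cookie can only choose among trusted, enabled identity providers and that the cookie is only evaluated over HTTPS.

```python
# Added example (not SAP code): the automatic discovery order as a standalone
# selection function. Cookie format follows the SAML 2.0 IdP Discovery Profile
# (_saml_idp: space-separated base64 entityIDs, most recent last). All constructed.
import base64
from urllib.parse import parse_qs, urlsplit

# Constructed trust configuration: name -> (entityID, enabled, default)
TRUSTED_IDPS = {
    "CORP_IDP": ("https://idp.corp.example/saml2", True, True),
    "PARTNER_IDP": ("https://idp.partner.example/saml2", True, False),
    "OLD_IDP": ("https://idp.old.example/saml2", False, False),
}

def _usable(name):
    """A candidate counts only if it names a trusted and enabled IdP."""
    return name in TRUSTED_IDPS and TRUSTED_IDPS[name][1]

def cdc_value(entity_ids):
    """Encode entityIDs the way an IdP writes them into the _saml_idp cookie."""
    return " ".join(base64.b64encode(e.encode()).decode() for e in entity_ids)

def last_idp_from_cdc(cookie_value):
    """Most recently used entityID in a _saml_idp cookie, or None."""
    entries = cookie_value.split()
    try:
        return base64.b64decode(entries[-1], validate=True).decode("utf-8")
    except (IndexError, ValueError, UnicodeDecodeError):
        return None  # empty or malformed cookie is ignored, never trusted

def select_idp(session_idp=None, url=None, cdc_cookie=None, https=True):
    """Apply the discovery order: session, URL parameter, CDC, default."""
    # 1. An existing SAML session or response already names the IdP.
    if _usable(session_idp):
        return session_idp
    # 2. URL parameter saml2idp is untrusted input: it may only pick a trusted IdP.
    if url:
        param = parse_qs(urlsplit(url).query).get("saml2idp", [None])[0]
        if _usable(param):
            return param
    # 3. Common domain cookie, evaluated only when the client used HTTPS.
    if cdc_cookie and https:
        entity_id = last_idp_from_cdc(cdc_cookie)
        for name, (eid, enabled, _d) in TRUSTED_IDPS.items():
            if eid == entity_id and enabled:
                return name
    # 4. Fall back to the configured default identity provider.
    for name, (_e, enabled, default) in TRUSTED_IDPS.items():
        if default and enabled:
            return name
    return None
```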

Procedure

Choosing the Identity Provider Discovery Mode

  1. Start the SAML 2.0 configuration application (transaction SAML2).

  2. On the Local Provider tab, choose the Service Provider Settings tab.

  3. Choose the Edit pushbutton.

  4. Under Identity Provider Discovery enter one of the following in the Selection Mode field:

    • Manual (default)

    • Automatic

  5. Save your entries.

  6. Make the following configurations or developments, depending on the selection mode:

    • Manual: see Configuring the Names in the Manual Selection below.

    • Automatic: see Customizing and Configuring for Automatic Selection below.

Configuring the Names in the Manual Selection

Configure the names of the identity providers that the service provider displays to users. Use names for the identity providers that your users can recognize.

  1. Start the SAML 2.0 configuration application (transaction SAML2).

  2. On the Trusted Providers tab, select an identity provider and choose the Edit pushbutton.

  3. Enter a name in the Alias field.

  4. Save your entries.

Customizing and Configuring for Automatic Selection

Select a default identity provider and make any custom developments to ensure that the user agent receives a URL parameter or common domain cookie.

Selecting an Identity Provider by URL Parameter

Develop your applications to ensure links to the protected application use the following syntax:

<application_URL>?saml2idp=<identity_provider_name>

Selecting an Identity Provider by Common Domain Cookie

  1. Configure the target identity provider to issue a common domain cookie (CDC) in the same domain as your service provider for an internal identity provider discovery service or in the common domain for an external identity provider discovery service.

    For more information, see the documentation of your identity provider vendor.

  2. Start the SAML 2.0 configuration application (transaction SAML2).

  3. On the Local Provider tab, choose the Service Provider Settings tab.

  4. Choose the Edit pushbutton.

  5. Under Identity Provider Discovery, enable the internal or external CDC service. You can enable both.

    If you enable the CDC external service, enter the URL of the service.

  6. Save your entries.

  7. Ensure that the user agent visits the identity provider before accessing the service provider.

    For example, the identity provider might be a portal that serves several service providers.

  8. Ensure that the client connects to the provider using Secure Sockets Layer (SSL).

    Without SSL the client does not evaluate the CDC.

Setting the Default Identity Provider

  1. Start the SAML 2.0 configuration application (transaction SAML2).

  2. On the Trusted Providers tab, select an identity provider and choose the Edit pushbutton.

  3. Select the Default radio button.

  4. Save your entries.