The Security Assertion Markup Language (SAML) 2.0 service provider uses common domain cookies (CDC) to determine to which identity provider the service provider should send a request. The common domain is the domain where the CDC resides. This common domain is known to both the identity provider and the service provider. Identity providers identify themselves to a service provider by writing their alias into the CDC. The service provider of SAP NetWeaver Application Server reads the alias from the CDC. This service provider includes an internal read service for identity provider discovery. It can also use an external read service. When enabled, these services read CDCs to help the service provider determine which identity provider to use. When to use the external and internal read services depends on your network architecture.
If the service provider shares the same domain with the common domain, use the internal service.
If the service provider exists in a different domain from the common domain, use the external service.
For more information, see Influencing the Identity Provider Used by the Service Provider .
Common Domain is the Shared Domain
The figure below illustrates a service provider and an identity provider sharing the same domain. The identity provider writes its alias to a CDC in the shared domain using domain relaxing to remove its host name. The internal read service of the service provider can read the CDC because it shares the same domain.
Common Domain is a Different Domain
The figure below illustrates a service provider and an identity provider in two different domains. The operators of both providers have agreed on a common domain for the CDC at itelo.biz. The identity provider writes its alias to the CDC in the common domain. The service provider calls an external read service within the common domain to read the CDC. The external read service of the service provider can read the CDC because the read service shares the same domain with the CDC.