
saml-dev message



Subject: Re: [saml-dev] returning multiple IdP entityIDs to the SP


Thanks for answering my previous questions, Scott. I should probably
let this go but perhaps there's some value (to me, at least) if we dig
a little deeper.

On Fri, Aug 17, 2012 at 8:42 PM, Cantor, Scott <cantor.2@osu.edu> wrote:
>
> And, that's what a discovery service *is*.

I assume you mean a discovery service is precisely the default
behavior you've specified in the profile
(urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol:single).
Is that what you meant?

If so, then let me ask: Suppose there were a 3rd party service that
returned a list of the user's IdPs (i.e., the value of the "_saml_idp"
cookie as defined in SAML2Prof). Would you call that a "discovery
service"?

> If an SP wants to do discovery
> itself, it doesn't need this profile to do it.

That statement is a little strong, I think. An SP that wants to do
discovery itself can still benefit from a 3rd party service that knows
about the user's global behavior. In that case, your profile could be
used passively to obtain this information, which presumably would be
used to optimize the UI at the SP.

Tom

