Discovery Service

Cantor, Scott cantor.2 at osu.edu
Fri Aug 9 16:46:07 EDT 2013


On 8/9/13 4:38 PM, "Nate Klingenstein" <ndk at internet2.edu> wrote:

>If you have your URL space partitioned by IdP, then you should just send
>the user back to their IdP without prompting them to tell you where
>they're from -- you already know that, implicitly, because there's only
>one valid choice.  Just supply the IdP's entityID to the session
>initiation mechanism.
>
>It's the cross-realm collaborative apps that really need to do discovery,
>and if you were in that situation, the EDS would be a nice approach.

One caution: even with the cross-realm cases, there is intense pressure to
skip discovery because of the limited use of cross-realm access as
compared to access by users from the primary IdP.

This is a self-fulfilling approach since it guarantees cross-realm will be
poorly implemented.

A good way to satisfy people obsessing over an extra click for discovery
is to force the primary org to drive users through a dedicated link to
bypass discovery while still allowing "general" access directly to the SP
to offer discovery.

Most users in reality will not use the "special" link, but the people
obsessed with the issue can fool themselves into thinking so.

-- Scott
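
An added example, not part of the original thread and not Shibboleth project code: one way to build the session-initiation links both messages describe, with the entityID supplied for partitioned paths or for a dedicated bypass link, and omitted for general access so the SP falls through to discovery. Assumptions: the SP uses the default `/Shibboleth.sso/Login` handler with its `entityID` and `target` parameters and has discovery configured; the host name, path prefixes and entityIDs are constructed.

```python
from urllib.parse import urlencode, urlsplit

# Constructed values (assumptions, not from the thread).
SP_BASE = "https://sp.example.org"
LOGIN_HANDLER = "/Shibboleth.sso/Login"  # default SP handler path; configurable
PRIMARY_IDP = "https://idp.primary.example/idp/shibboleth"
PARTITIONS = {  # URL space partitioned by IdP: only one valid choice per prefix
    "/primary/": PRIMARY_IDP,
    "/partner/": "https://idp.partner.example/idp/shibboleth",
}


def safe_path(path):
    """Accept only a local absolute path so the link cannot be used as an open redirect."""
    parts = urlsplit(path)
    if parts.scheme or parts.netloc or not path.startswith("/") or path.startswith("//"):
        raise ValueError("target must be a local path")
    if "\\" in path or any(ord(c) < 0x20 for c in path):
        raise ValueError("target contains unsafe characters")
    return path


def entity_for(path):
    """Return the entityID implied by a partitioned path, or None for shared space."""
    for prefix, entity_id in PARTITIONS.items():
        if path.startswith(prefix):
            return entity_id
    return None


def login_url(path, entity_id=None):
    """Build the session-initiation URL for a protected local path.

    Partitioned path      -> entityID added, no discovery prompt.
    entity_id passed      -> dedicated link that bypasses discovery.
    Shared path, no hint  -> no entityID, so the SP runs discovery.
    """
    params = {"target": SP_BASE + safe_path(path)}
    chosen = entity_id or entity_for(path)
    if chosen is not None:
        if chosen not in PARTITIONS.values():  # never forward an unvetted entityID
            raise ValueError("unknown entityID")
        params["entityID"] = chosen
    return SP_BASE + LOGIN_HANDLER + "?" + urlencode(params)


if __name__ == "__main__":
    print(login_url("/primary/reports"))                    # implicit IdP
    print(login_url("/shared/wiki"))                        # general access, discovery
    print(login_url("/shared/wiki", entity_id=PRIMARY_IDP)) # dedicated bypass link
```
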



