Serving multiple IDP from ApplicationOverride SP setup

Cantor, Scott cantor.2 at
Tue Sep 16 17:57:28 EDT 2014

On 9/16/14, 5:45 PM, "Randy Wiemer" <wiemerr at> wrote:

>There is a competing view that holds that the discovery service process
>is cumbersome, especially as the number and diversity of IdPs grows, and
>therefore implementing your service in a manner that avoids the need to
>involve the user in the discovery process is a reasonable strategy.

I'm aware of the competing view, and unfortunately it doesn't solve the
problem to pretend there isn't a problem.

>Many SAAS vendors accomplish this by having dedicated URLs for each IdP.

Which precludes federation, as I said. You can only present this as a
competing alternative if it actually solves the problem. That model is

>Another common strategy is to prompt for the username which contains a
>domain part and then redirect to the IdP based on the domain part of the

Yes, and that's a discovery interface, probably the eventual one that wins
out, it just has the problem that it's not privacy preserving, which is a
limitation for some applications, though not most.

-- Scott
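
The username-based redirect discussed in this message, sketched as an added example that is not part of the original post or of the Shibboleth project's code. It assumes a Shibboleth SP with its login handler at the default `/Shibboleth.sso/Login` path; the host name, domains, and entityIDs are constructed placeholders.

```python
from urllib.parse import urlencode, urlsplit

# Constructed sample mapping (hypothetical domains and entityIDs).
IDP_BY_DOMAIN = {
    "example.edu": "https://idp.example.edu/idp/shibboleth",
    "example.org": "https://login.example.org/saml/metadata",
}
SP_BASE = "https://sp.example.com"        # hypothetical SP host
LOGIN_HANDLER = "/Shibboleth.sso/Login"   # assumed default handler path


def domain_of(username):
    """Return the lower-cased domain part, or None if input is not user@domain."""
    local, sep, domain = username.strip().rpartition("@")
    domain = domain.rstrip(".").lower()
    if not sep or not local or not domain or any(c.isspace() for c in domain):
        return None
    # Only the domain is used; the local part is dropped and should not be logged.
    return domain


def safe_target(target):
    """Accept only same-site paths so the return URL cannot become an open redirect."""
    parts = urlsplit(target)
    if parts.scheme or parts.netloc or "\\" in target:
        return "/"
    if not target.startswith("/") or target.startswith("//"):
        return "/"
    return target


def login_url(username, target="/"):
    """Map username -> IdP entityID -> SP login URL.

    Returns None for unknown domains so the caller can fall back to a
    regular discovery page instead of guessing an IdP.
    """
    domain = domain_of(username)
    entity_id = IDP_BY_DOMAIN.get(domain) if domain else None
    if entity_id is None:
        return None
    query = urlencode({"entityID": entity_id,
                       "target": SP_BASE + safe_target(target)})
    return f"{SP_BASE}{LOGIN_HANDLER}?{query}"


if __name__ == "__main__":
    print(login_url("alice@Example.EDU", "/app"))
```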
