3.6 Identity Provider Discovery

A discovery service is used to allow users to pick their own Home Organisation IdP.

Services and Endpoints

SWAMID has the following recommendation regarding Discovery Services:

URL: https://service.seamlessaccess.org/ds/
Protocol: SAML Discovery
Use: Recommended for all services with users from SWAMID member organisations and interfederations

URL: https://service.seamlessaccess.org/ds/?trustProfile=<profile>
Protocol: SAML Discovery
Use: Recommended for all services with users from SWAMID member organisations and interfederations that need or want to filter IdPs. Requires additional configuration by adding a profile in metadata.swamid.se, see below.

QA

There is also a QA discovery service which can be used for test and pre-production use.

URL: https://ds.qa.swamid.se/ds
Protocol: SAML Discovery
Use: Recommended for test and pre-production


Adding Discovery service

Shibboleth

In /etc/shibboleth/shibboleth2.xml, set the selected URL in

<SSO discoveryProtocol="SAMLDS" discoveryURL="https://service.seamlessaccess.org/ds/"> SAML2 </SSO>

and/or

<SessionInitiator type="SAMLDS" URL="https://service.seamlessaccess.org/ds/"/>

Then restart shibd.

Satosa

In saml2_backend.yaml, add or update disco_srv with the selected URL:

config:
  # ...
  disco_srv: https://service.seamlessaccess.org/ds/

SimpleSAMLphp

Update config/authsources.php

$config = [
    // ...
    'default-sp' => [
        // ...
        'discoURL' => 'https://service.seamlessaccess.org/ds',
        // ...
    ],
    // ...
];

Filtering of Identity Providers in SeamlessAccess

Since 2025-03-12, service.seamlessaccess.org/ds/ has an option to filter which IdPs are available. For more information, see the SeamlessAccess info page.

To activate Identity Provider filtering, you must add the filtering option to the Service Provider metadata and configure the same profile in your Service Provider configuration. SWAMID has made 2 profiles available in metadata.swamid.se.

Adding profile to Metadata of SP

  1. Log in to metadata.swamid.se
  2. Create a Draft from your SP
  3. Click on the pen beside EntityAttributes
  4. Below entity-selection-profile select one of the profiles
    • swamid - Registered in SWAMID
    • edugain - Registered in SWAMID or imported from eduGAIN
  5. "Request publication"

Configure profile in Service Provider software

DiscoveryURL should be one of the following

Example of using SWAMID only filtering in Shibboleth:

<SSO discoveryProtocol="SAMLDS" discoveryURL="https://service.seamlessaccess.org/ds/?trustProfile=swamid"> SAML2 </SSO>
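
An added example, not part of the SWAMID page or the Shibboleth project: a check that reads shibboleth2.xml and confirms that every SAMLDS discovery URL uses https, points at one of the discovery services listed above, and carries the same trustProfile as the profile selected in metadata.swamid.se. The function names, the production flag and the sample XML are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Hosts and profile names come from this page; function names are hypothetical.
PROD_HOST, QA_HOST = "service.seamlessaccess.org", "ds.qa.swamid.se"
PROFILES = {"swamid", "edugain"}

def discovery_urls(xml_text):
    """Return (element name, URL) for every SAMLDS SSO / SessionInitiator."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]  # match on local name, ignore namespace
        if name == "SSO" and el.get("discoveryProtocol") == "SAMLDS":
            found.append((name, el.get("discoveryURL", "")))
        elif name == "SessionInitiator" and el.get("type") == "SAMLDS":
            found.append((name, el.get("URL", "")))
    return found

def check(xml_text, expected_profile=None, production=True):
    """List problems; expected_profile is the one chosen in metadata.swamid.se."""
    urls = discovery_urls(xml_text)
    problems = [] if urls else ["no SAMLDS discovery URL configured"]
    for name, url in urls:
        parts = urlsplit(url)
        profiles = parse_qs(parts.query).get("trustProfile", [])
        if parts.scheme != "https":
            problems.append(f"{name}: discovery URL is not https: {url}")
        if parts.hostname == QA_HOST and production:
            problems.append(f"{name}: QA discovery service used in production")
        elif parts.hostname not in (PROD_HOST, QA_HOST):
            problems.append(f"{name}: unexpected discovery host {parts.hostname}")
        if len(profiles) > 1 or any(p not in PROFILES for p in profiles):
            problems.append(f"{name}: unknown trustProfile {profiles}")
        elif (profiles[0] if profiles else None) != expected_profile:
            problems.append(f"{name}: trustProfile {profiles} does not match "
                            f"metadata profile {expected_profile}")
    return problems

# Constructed sample, trimmed to the relevant elements: the SSO element is
# filtered to SWAMID while the SessionInitiator was left unfiltered.
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"><Sessions>
  <SSO discoveryProtocol="SAMLDS"
       discoveryURL="https://service.seamlessaccess.org/ds/?trustProfile=swamid"> SAML2 </SSO>
  <SessionInitiator type="SAMLDS" URL="https://service.seamlessaccess.org/ds/"/>
</Sessions></SPConfig>"""

if __name__ == "__main__":
    print("\n".join(check(SAMPLE, expected_profile="swamid")))
```

On the sample, the check reports the SessionInitiator because it lacks the trustProfile that the SSO element carries.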