Discovery | Configuring Discovery on SP
How to configure your service provider to use discovery depends on what SAML aware software product you use, and if you are using the embedded or standalone discovery.
Below are sample configurations of the most common setups our customers use.
Using the Cirrus SAML Proxy?
If you are using your SP with Cirrus's SAML proxy then you do not need to configure discovery on your SP. You configure your SP to use the proxy for authentication and the proxy will take care of showing the correct discovery interface when a user logins. See Shibboleth Configuration Examples for how to use the proxy.
If you are trying to customize the user experience for discovery at your SP when using proxy then view your options.
Using the Gateway directly?
If you are using Cirrus gateway directly with your SP then you can configure your SP to use the Cirrus discovery service.
Shibboleth supports configuring a discovery URL in the
<SSO> block inside
<SSO discoveryProtocol="SAMLDS" discoveryURL="https://apps.cirrusidentity.com/console/ds/index"> SAML2 SAML1 </SSO>
You simply provide a URL to the Cirrus discovery service and Shibboleth will add on any required query parameters.
SSP supports configuring a discovery URL in your SAML:SP authsource.
$config['my-sp'] = array( 'saml:SP', // A bunch of your configuration 'idp' => NULL, 'discoURL' => 'https://apps.cirrusidentity.com/console/ds/index', );
You set the 'discoURL' to the Cirrus discovery service and set 'idp' to null (or ensure it is not set)
Spring Security SAML
Spring security expects a non-standard query parameter name (idp instead of entityID )in the response from the discovery service. You will need to tell the discovery service to use this alternate name using the returnIDParam name.