Open christianfelicite opened 4 years ago
https://docs.spring.io/spring-security-saml/docs/1.0.x/reference/html/configuration-sso.html
9.1 IDP selection and discovery
Discovery helps your Service Provider determine which Identity Provider should be used for authentication of the current user. It is automatically initialized during calls to single sign-on endpoint at scheme://server:port/contextPath/saml/login. SAML Extension supports multiple modes of discovery including the Identity Provider Discovery Service Protocol and Profile.
IDP discovery modes can always be skipped during SSO initialization by specifying HTTP request parameter idp with the entityId of the required IDP, e.g. scheme://server:port/contextPath/saml/login?idp=mySelectedIDP.
The URL where local SP expects discovery response can be included in the SP metadata as one of the extensions. The feature can be enabled by setting property includeDiscoveryExtension to true on bean MetadataGenerator inside MetadataGeneratorFilter, e.g.:
Default IDP without discovery
The mode is enabled by default and automatically selects the default IDP without performing discovery.
The default IDP can be configured using property defaultIDP on bean metadata in the Spring Security configuration. In case the property isn't set, system will automatically use the first available IDP.
Local discovery service
SAML Extension includes a local IDP discovery service which presents user with an IDP selection page. This mode can be enabled by setting property includeDiscovery in the local SP extended metadata to true.
The selection page can be customized using property idpSelectionPath on bean samlIDPDiscovery. System forwards to this page with a discovery request which includes the following request attributes:
idpDiscoReturnURL - URL to send the IDP selection result to using GET action
idpDiscoReturnParam - name of the GET parameter to include the entity ID of the selected IDP
See the default implementation in sample/src/main/webapp/WEB-INF/security/idpSelection.jsp for an example.
Remote discovery service
In order to enable external IDP discovery service configure property idpDiscoveryURL in your local SP extended metadata to the external discovery URL. Make sure property idpDiscoveryEnabled is set to true. The remote discovery service needs to support the Identity Provider Discovery Service Protocol and Profile.
The system that manages the identity information of the users, including user name, password and other crucial data.
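The quoted documentation describes the three discovery modes (default IDP, local selection page, remote discovery service) and the metadata extension, but the configuration snippet it refers to with "e.g.:" is not reproduced above. The Java configuration below is an added example written for this issue; it is not code from the Spring Security SAML project or from the issue author. It assumes Spring Security SAML 1.0.x and OpenSAML 2.x on the classpath, a ParserPool bean defined by the usual SAML bootstrap configuration, and placeholder entity IDs, URLs and a metadata file path that exist only for illustration. The helper at the end (`selectionLinks`) is likewise an assumption about how a custom idpSelection page would consume the idpDiscoReturnURL / idpDiscoReturnParam attributes; it is not part of the library.

```java
import java.io.File;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;

import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.parse.ParserPool;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.SAMLDiscovery;
import org.springframework.security.saml.metadata.CachingMetadataManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;
import org.springframework.security.saml.metadata.MetadataGenerator;
import org.springframework.security.saml.metadata.MetadataGeneratorFilter;
import org.springframework.security.saml.metadata.MetadataManager;

/**
 * Added example (not project code): wiring the IDP discovery modes from section 9.1.
 * Entity IDs, URLs and the metadata path below are placeholders (assumptions).
 */
@Configuration
public class SamlDiscoveryConfig {

    private static final String SP_ENTITY_ID = "https://sp.example.org/saml/metadata";
    private static final String SP_BASE_URL = "https://sp.example.org";
    private static final String DEFAULT_IDP = "https://idp.example.org/idp/shibboleth";

    /** Local SP extended metadata: this is where the discovery mode is selected. */
    @Bean
    public ExtendedMetadata spExtendedMetadata() {
        ExtendedMetadata em = new ExtendedMetadata();
        em.setLocal(true);
        // Local discovery service: the SP forwards the user to its own selection page.
        em.setIdpDiscoveryEnabled(true);
        // Remote discovery service: keep idpDiscoveryEnabled=true and additionally point
        // at an external DS that speaks the IdP Discovery Service Protocol and Profile.
        // em.setIdpDiscoveryURL("https://ds.example.org/WAYF");   // placeholder URL
        return em;
    }

    /** IdP metadata plus the default IDP used when discovery is not performed. */
    @Bean
    public CachingMetadataManager metadata(ParserPool parserPool) throws MetadataProviderException {
        // Placeholder path; in practice the IdP metadata is fetched or shipped with the deployment.
        FilesystemMetadataProvider idp = new FilesystemMetadataProvider(new File("/etc/sp/idp-metadata.xml"));
        idp.setParserPool(parserPool);
        MetadataProvider idpWithExt = new ExtendedMetadataDelegate(idp, new ExtendedMetadata());
        CachingMetadataManager manager = new CachingMetadataManager(Collections.singletonList(idpWithExt));
        // Pin the default explicitly. If defaultIDP is unset the first loaded IdP wins,
        // which is order-dependent and silently changes when a second IdP is added.
        manager.setDefaultIDP(DEFAULT_IDP);
        return manager;
    }

    /** Generates SP metadata; includeDiscoveryExtension advertises the discovery response endpoint. */
    @Bean
    public MetadataGeneratorFilter metadataGeneratorFilter(ExtendedMetadata spExtendedMetadata) {
        MetadataGenerator generator = new MetadataGenerator();
        generator.setEntityId(SP_ENTITY_ID);
        generator.setEntityBaseURL(SP_BASE_URL);
        generator.setExtendedMetadata(spExtendedMetadata);
        generator.setIncludeDiscoveryExtension(true);
        return new MetadataGeneratorFilter(generator);
    }

    /** Local discovery handler; idpSelectionPath is the page the user is forwarded to. */
    @Bean
    public SAMLDiscovery samlIDPDiscovery() {
        SAMLDiscovery discovery = new SAMLDiscovery();
        discovery.setIdpSelectionPath("/WEB-INF/security/idpSelection.jsp");
        return discovery;
    }

    /**
     * Hypothetical helper for a custom selection page: builds one GET link per configured
     * IdP from the request attributes the discovery filter sets. Offering only entity IDs
     * known to the MetadataManager keeps the page from returning an arbitrary IdP.
     */
    public static Map<String, String> selectionLinks(HttpServletRequest request, MetadataManager metadata)
            throws UnsupportedEncodingException {
        String returnUrl = (String) request.getAttribute(SAMLDiscovery.RETURN_URL);     // idpDiscoReturnURL
        String returnParam = (String) request.getAttribute(SAMLDiscovery.RETURN_PARAM); // idpDiscoReturnParam
        Map<String, String> links = new LinkedHashMap<>();
        for (String entityId : metadata.getIDPEntityNames()) {
            String separator = returnUrl.contains("?") ? "&" : "?";
            links.put(entityId, returnUrl + separator + returnParam + "=" + URLEncoder.encode(entityId, "UTF-8"));
        }
        return links;
    }
}
```

Two practical notes. The documentation above names the extended-metadata property `includeDiscovery`, but the setter on ExtendedMetadata in 1.0.x is `setIdpDiscoveryEnabled`, which is also the property the "Remote discovery service" paragraph refers to. And because the `idp` request parameter on /saml/login bypasses discovery entirely, the only thing standing between a user-supplied entity ID and an authentication attempt is the metadata manager: the SP should load only the IdPs it actually trusts, since an entity ID that is absent from the loaded metadata is rejected at the entry point rather than by the selection page.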