Let's introduce federations.org as a discovery service. Every Identity Provider that supports dynamic SAML may register with this directory, announcing its existence and providing metadata and a taxonomy, so that a user can navigate sensibly among the thousands of IdPs listed there.
If every SP runs its own discovery service, the user has to select an IdP at every SP.
A user visits service A and has not yet selected any IdP.
If the user does not pick "Other Identity Provider (Federations.org)" on service A's discovery page but instead selects one of the identity providers listed there, we would still like to store that choice at federations.org so that other SPs can read it.
This would require adding a new parameter to the SAML 2.0 IdP Discovery Service protocol that lets an SP report an entityID the user has already chosen. The cookie at federations.org can then be set from service A's discovery page by a hidden iframe similar to this (the `&` is written as `&amp;` because it sits inside an HTML attribute, and the iframe needs an explicit closing tag):
<iframe style="display: none" src="http://disco.federations.org/?isPassive=true&amp;SetSPentityID=feide.no"></iframe>
The reason for using a hidden iframe rather than an HTTP redirect is that federations.org does not become a single point of failure: if the passive request fails or times out, the user's login at service A still completes. Two practical caveats follow from the mechanism itself. Any site can embed such an iframe, so the discovery service should store only entityIDs it already lists rather than whatever value arrives in the parameter. And because the cookie is written from inside a cross-site frame, it must be set with SameSite=None and Secure, otherwise current browsers discard it and the preference is never shared.
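The following is an added example, not code from the original page or from federations.org, modelling both ends of the flow above: the snippet an SP's discovery page embeds after a local IdP choice, the passive handler at the discovery service that validates the entityID and writes the cookie, and the read-back another SP's discovery page performs later. The parameter name SetSPentityID is the one proposed above; the https origin, the cookie name preferredIdP, the registry of known IdPs and the function names are assumptions made for the example.

```javascript
// Added example (not the page's or federations.org's own code). Models the
// "hidden iframe sets the preferred IdP at the discovery service" flow.
// Assumptions: the discovery service lives at https://disco.federations.org,
// it accepts only entityIDs already in its registry, and the preference is
// stored in a cookie named "preferredIdP". SetSPentityID is the parameter
// name proposed on the page.

const DISCO_ORIGIN = "https://disco.federations.org";
const COOKIE_NAME = "preferredIdP";

// Constructed sample registry: entityIDs the discovery service lists.
const KNOWN_IDPS = new Set([
  "https://idp.feide.no",
  "https://idp.example.edu/saml2",
]);

// Escape a value for use inside a double-quoted HTML attribute so an
// entityID containing '&', '"' or '<' cannot break out of the src attribute.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// SP side: the hidden iframe service A's discovery page embeds after the
// user picked an IdP locally. URLSearchParams percent-encodes the entityID.
function buildIframe(entityID) {
  const u = new URL("/", DISCO_ORIGIN);
  u.searchParams.set("isPassive", "true");
  u.searchParams.set("SetSPentityID", entityID);
  return `<iframe style="display:none" src="${escapeAttr(u.toString())}"></iframe>`;
}

// Discovery-service side: handle the passive request. It never redirects,
// so a failure here leaves the SP's own login untouched. Returns the status
// and the Set-Cookie header value (null when nothing is stored) instead of
// writing to a real socket, so the logic can be exercised offline.
function handleSetPreference(requestUrl) {
  const u = new URL(requestUrl);
  const passive = u.searchParams.get("isPassive") === "true";
  const entityID = u.searchParams.get("SetSPentityID");

  if (!passive || !entityID) {
    return { status: 400, setCookie: null };
  }
  // Any page on the web can embed this iframe, so an unknown entityID is
  // dropped rather than stored: the registry is the only source of truth.
  if (!KNOWN_IDPS.has(entityID)) {
    return { status: 204, setCookie: null };
  }
  // Written from inside a cross-site frame, so the cookie must carry
  // SameSite=None and Secure or current browsers will not keep it.
  const setCookie =
    `${COOKIE_NAME}=${encodeURIComponent(entityID)}; Path=/; Secure; HttpOnly; SameSite=None; Max-Age=31536000`;
  return { status: 204, setCookie };
}

// Discovery-service side again: what it reads from the Cookie header when
// another SP's discovery page later makes its own passive request. The value
// is re-checked against the registry in case the registry changed since the
// cookie was written.
function readPreference(cookieHeader) {
  for (const part of (cookieHeader || "").split(";")) {
    const [k, ...rest] = part.trim().split("=");
    if (k === COOKIE_NAME) {
      const v = decodeURIComponent(rest.join("="));
      return KNOWN_IDPS.has(v) ? v : null;
    }
  }
  return null;
}
```

The handler answers 204 for both the stored and the ignored case on purpose: the iframe is invisible, so nothing useful is gained by signalling to the embedding page whether the entityID was accepted, and the SP's login proceeds identically either way.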