IDP selection and discovery helps your Service Provider determine which Identity Provider should authenticate the current user. Access Manager supports IDP discovery through "Use Introductions": when Introductions are configured, users can select an identity provider from a list of introducible identity providers (see https://www.netiq.com/documentation/access-manager-42/admin/data/b1ax6f15.html#bmpx02e). In some deployments this approach is not viable, for example when no common domain is available; in those scenarios a custom IDP discovery service can be useful.
Issue
When a common domain and Introductions are not viable, the user has to pick an authentication card, and having to select the external authentication contract for his IDP on every visit is not user friendly in some scenarios. Showing a list of IDPs and remembering the user's selection is a simple way to solve this.
Solution
NAM presents a list of available IDPs. The user selects one and the selection is saved in the client browser; on the next visit the user does not see the IDP selection page but is redirected straight to the chosen IDP. The following solution is based on NAM 4.2 and above.
Copy the JSP file to the NAM IDP JSP folder, /opt/novell/nam/idp/webapps/nidp/jsp
Log in to the middle IDP/SP Admin Console
Create an authentication method using an existing class, for example the Name/Password class
Navigate to Local → Methods → New
Select the class and fill in the required configuration as per the NAM documentation
Add a custom JSP property whose value is the name of the JSP created above without the .jsp extension, e.g. JSP=idp_discover
Create a contract based on the method created above
Make this the default contract. This assumes all Access Gateway protected resources use this contract for authentication.
Update the IDP
Destination IDP configuration:
Log in to the destination IDP's Admin Console
On the final target application, modify the SAML2 federation: SAML2 → SP configuration → Intersite Transfer Service → allow any target, or add the middle IDP URL
Update the IDP
Test NAM's custom IDP discovery service
Create a test setup by installing multiple NAM IDP instances, or any other IDPs
Topology: SP2 (service provider) → IDP1/SP1 (middle IDP running the discovery JSP) → IDP2 (destination IDP)
Access SP2 (the service provider). The SAML request is sent to the middle IDP, where the custom IDP discovery page is shown.
Select the destination IDP, tick the remember me check box and submit. The request is redirected to the destination IDP2.
Authenticate the test user at IDP2. The response flows back to IDP1/SP1, an authenticated session is created at the middle IDP, and it posts the SAML2 response to SP2.
UPDATE:
For compatibility with non-HTML5 browsers, download the other zip file, "IDP discover by cookie" (works with NAM 4.2 and above).
Modifications compared with the old JSP:
The IDP list is built dynamically; there is no need to construct the idpsend URL.
The user's IDP selection is stored in a cookie in the browser.
When a selection is present in the cookie, the page shows a message that it will redirect to that IDP for authentication after a 5 second delay; the user can cancel the automatic redirection and select a different IDP.
The user can erase the cookie value by clicking cancel on the auto-redirect message, deselecting remember me, selecting an IDP and submitting.
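The remember-me behaviour described in the UPDATE above, written out as an added JavaScript example (this is not the Cool Solution's JSP or its script). The cookie name and path, the sample IDP list with its URLs, the 30 day cookie lifetime and the Secure/SameSite attributes are assumptions; the functions take the cookie string and the timer functions as arguments so the same logic runs in a browser page or under Node. The design point to check in any such page is that the cookie stores only an IDP id and the redirect target is always taken from the server-rendered list, so a tampered cookie can never send the browser anywhere except one of the configured IDPs.

```javascript
// Added example, not the Cool Solution's JSP: "remember my IDP" logic for a
// discovery page, as pure functions so it can run in a browser or under Node.

const COOKIE_NAME = "nam_idp_choice";    // assumption: illustrative cookie name
const COOKIE_PATH = "/nidp";             // assumption: scope the cookie to the IDP webapp
const AUTO_REDIRECT_DELAY_MS = 5000;     // the 5-second delay described above

// Constructed sample list. In the real page the JSP renders this list from the
// configured trusted identity providers; these ids, names and URLs are made up.
const SAMPLE_IDPS = [
  { id: "idp2", name: "IDP2 (corporate)", url: "https://idp2.example.com/login" },
  { id: "idp3", name: "IDP3 (partner)",   url: "https://idp3.example.com/login" },
];

// Parse a Cookie header / document.cookie string into a name -> value map.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of String(cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(part.slice(eq + 1).trim()); }
    catch (e) { /* malformed percent-encoding: ignore this cookie */ }
  }
  return out;
}

// Look up the remembered choice in the server-provided list. The cookie holds
// only an id; the redirect URL always comes from the list, so a tampered cookie
// cannot send the browser anywhere except one of the configured IDPs.
function resolveRememberedIdp(cookieHeader, idps, cookieName = COOKIE_NAME) {
  const id = parseCookies(cookieHeader)[cookieName];
  if (!id) return null;
  return idps.find((idp) => idp.id === id) || null;
}

// Set-Cookie / document.cookie string that remembers an IDP (30 days, assumption).
function buildChoiceCookie(idp, maxAgeSeconds = 30 * 24 * 60 * 60) {
  return `${COOKIE_NAME}=${encodeURIComponent(idp.id)}; Path=${COOKIE_PATH}; ` +
         `Max-Age=${maxAgeSeconds}; Secure; SameSite=Lax`;
}

// Cookie string that erases the remembered choice.
function clearChoiceCookie() {
  return `${COOKIE_NAME}=; Path=${COOKIE_PATH}; Max-Age=0; Secure; SameSite=Lax`;
}

// What the page should do on load: auto-redirect after a delay if a valid
// remembered IDP exists, otherwise show the list.
function planOnLoad(cookieHeader, idps) {
  const remembered = resolveRememberedIdp(cookieHeader, idps);
  if (remembered) {
    return { action: "auto-redirect", idp: remembered, delayMs: AUTO_REDIRECT_DELAY_MS };
  }
  return { action: "show-list", idp: null, delayMs: 0 };
}

// Form submit: redirect to the chosen IDP; with "remember me" set the cookie,
// without it clear any previous choice (this is how a user erases the value).
function handleSubmit(selectedId, rememberMe, idps) {
  const idp = idps.find((i) => i.id === selectedId);
  if (!idp) return { ok: false, error: "unknown IDP id" };
  return {
    ok: true,
    redirectTo: idp.url,
    setCookie: rememberMe ? buildChoiceCookie(idp) : clearChoiceCookie(),
  };
}

// Start the delayed redirect and return a handle whose cancel() stops it.
// Timers are injectable so the countdown can be exercised without a browser.
function scheduleAutoRedirect(idp, navigate, timers = { set: setTimeout, clear: clearTimeout },
                              delayMs = AUTO_REDIRECT_DELAY_MS) {
  let fired = false;
  const handle = timers.set(() => { fired = true; navigate(idp.url); }, delayMs);
  return {
    cancel() {
      if (fired) return false;          // too late, navigation already started
      timers.clear(handle);
      return true;
    },
  };
}

// In the browser this is wired as:
//   const plan = planOnLoad(document.cookie, IDPS_FROM_JSP);
//   if (plan.action === "auto-redirect") {
//     const r = scheduleAutoRedirect(plan.idp, (u) => window.location.assign(u));
//     cancelButton.onclick = () => r.cancel();
//   }
```

The cookie is scoped to the IDP webapp path and marked Secure and SameSite=Lax, which is enough for a preference cookie that carries no secret; the value is only an index into the list the JSP rendered, so validating it against that list is the whole of the redirect check.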