Federation structure


What is an Identity Provider (IDP)? An IDP is a federation entity that performs authentication and issues user attributes. The IDP guarantees user identity assurance and transfers user attributes to the SP. An identity provider authenticates a user either directly, by validating the username and password, or indirectly, by validating a request from another issuer about the user's identity. The IDP performs the user identity management role, so the SP does not have to deal with it.

What is a Service Provider (SP)? An SP is an attribute-consuming federation entity that provides a certain service to federation users. The SP does not perform user authentication. It performs user authorization according to the attributes received from the IDP. Service providers trust the information received from the identity provider. Service providers can locally store a user's account with unique attributes for that service.

The purpose of the federation Discovery service is to help users find their institution's identity provider. This service connects the single sign-on systems of federation institutions with the service providers participating in the federation. The Discovery service does not store any information related to user identification.

The SimpleSAMLphp module 'discopower' was used to set up the Discovery service. The discopower module has a user-friendly interface in which the presented IDP list is complemented with a search field. This feature will become very relevant when the federation expands and the IDP list becomes really long. Search is live, with immediate response, and incremental: results change as you type. The Discovery service remembers the user's choice of IDP, and the next time he/she signs in, that IDP is marked with a special symbol. There is also a possibility to show an institutional logo or icon alongside each IDP entity, so that the IDP is easier to spot. If the IDP list becomes very long, the Discovery service can show the IDP list grouped in different tabs. Grouping can be done by different criteria: institution, region, country, or any other.


Metadata URL

service support, development and promotion in Europe is provided through the GÉANT.

LITNET FEDI is an eduGAIN member
