Identity Provider selection - kmd-identity/documentation GitHub Wiki
Introduction
KMD Identity uses a cookie to remember which Identity Provider a user has chosen for a given Service Provider.
During authentication, the user is asked to choose from a list of available Identity Providers on a Home Realm Discovery (HRD) page. KMD Identity then sets a cookie to remember this choice.
The next time the user is presented with the HRD page, the previously selected Identity Provider is preselected in the list of available Identity Providers.
The user can also choose to be taken directly to the remembered Identity Provider by ticking the checkbox on the HRD page. With this checkbox set, the user will not see the HRD page during future authentications.
About the mechanism:
- The selection is per Service Provider, which means KMD Identity can remember a different Identity Provider for each Service Provider
- The selection is dropped when the user has been inactive for more than 30 days
- The selection is not shared across browsers, because it is stored in a cookie
- When domain_hint is specified in the authentication request, the logic above is skipped
Clearing the cookies
There can be a situation where a user wants to change Identity Provider but cannot, because the HRD page is no longer shown. This happens when the user has ticked the checkbox to be taken directly to the remembered Identity Provider.
KMD Identity provides a dedicated endpoint for clearing the cookie.
For users
Navigate to the https://identity.kmd.dk/clearidpcookie?service_provider_id=all endpoint. Nothing else is required.
This resets the Identity Provider selection for all Service Providers. To clear the selection for a single Service Provider only, see the next section.
For Service Providers
Navigate to the https://identity.kmd.dk/clearidpcookie?service_provider_id=ENTITY_ID_OR_CLIENT_ID endpoint. Replace ENTITY_ID_OR_CLIENT_ID with the EntityID of the SAML Relying Party or the client_id of the OpenID Connect application, depending on which protocol the Service Provider uses towards KMD Identity. Note that a SAML EntityID is often itself a URL, so it must be URL-encoded when placed in the query string.
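The following is an added example, not code from KMD Identity or this wiki, showing how a Service Provider can build the clear-cookie link described above for its own EntityID or client_id (for instance to place it on a "switch login method" page). The only facts taken from the page are the endpoint URL, the service_provider_id parameter and the special value all; the sample EntityID and client_id are constructed for illustration. The point it demonstrates is that a URL-shaped SAML EntityID must be percent-encoded, otherwise its ://, / and any ? characters corrupt the query string.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Endpoint and parameter name as documented on the wiki page.
CLEAR_IDP_COOKIE_ENDPOINT = "https://identity.kmd.dk/clearidpcookie"
SERVICE_PROVIDER_ID_PARAM = "service_provider_id"
ALL_SERVICE_PROVIDERS = "all"


def clear_idp_cookie_url(service_provider_id: str) -> str:
    """Return the URL that clears the remembered Identity Provider selection.

    service_provider_id is the SAML EntityID, the OpenID Connect client_id,
    or the special value "all". urlencode() percent-encodes the value, so an
    EntityID such as https://sp.example.com/saml/metadata (a constructed
    example) survives as a single query parameter.
    """
    if not isinstance(service_provider_id, str) or not service_provider_id.strip():
        raise ValueError("service_provider_id must be a non-empty EntityID, client_id or 'all'")
    query = urlencode({SERVICE_PROVIDER_ID_PARAM: service_provider_id.strip()})
    return f"{CLEAR_IDP_COOKIE_ENDPOINT}?{query}"


def service_provider_id_from_url(url: str) -> str:
    """Decode the service_provider_id back out of a clear-cookie URL.

    Useful as a self-check that a link placed on a Service Provider page
    targets the intended EntityID/client_id and not a mangled fragment of it.
    """
    parts = urlsplit(url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != CLEAR_IDP_COOKIE_ENDPOINT:
        raise ValueError("not a KMD Identity clearidpcookie URL")
    values = parse_qs(parts.query).get(SERVICE_PROVIDER_ID_PARAM, [])
    if len(values) != 1:
        raise ValueError("expected exactly one service_provider_id parameter")
    return values[0]


if __name__ == "__main__":
    # Constructed identifiers; substitute your own SP's EntityID or client_id.
    for sp_id in ("https://sp.example.com/saml/metadata", "my-oidc-client", ALL_SERVICE_PROVIDERS):
        url = clear_idp_cookie_url(sp_id)
        assert service_provider_id_from_url(url) == sp_id
        print(url)
```

The naive alternative, string concatenation of the endpoint and the raw EntityID, would produce a URL whose query contains an unencoded https://..., which a server may truncate or misparse; always go through a query-string encoder or the equivalent in your language.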