--- title: Configuring IdP discovery using a persistent cookie description: PingFederate's proprietary identity provider (IdP)-discovery method makes use of an IdP persistent reference cookie (IPRC) to track the identity provider with whom a user last authenticated. component: pingfederate version: 13.1 page_id: pingfederate:administrators_reference_guide:pf_config_idp_discov_using_persis_cookie canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_config_idp_discov_using_persis_cookie.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: July 5, 2022 section_ids: about-this-task: About this task steps: Steps --- # Configuring IdP discovery using a persistent cookie PingFederate's proprietary identity provider (IdP)-discovery method makes use of an IdP persistent reference cookie (IPRC) to track the identity provider with whom a user last authenticated. ## About this task There are three significant differences between standard IdP discovery and the IPRC method: * Standard IdP discovery can be used only with SAML 2.0, but the IPRC can be used with any federation protocol. * The common domain cookie (CDC) can be configured as a temporary, session-based cookie. The IPRC always persists for a configurable period of time. * The CDC is set by the IdP and is readable by both federation partners. The IPRC is set by the service provider (SP), using information in the SAML assertion, and cannot be accessed by the IdP. The deployed connection configuration between SP and IdP partners must include SP-initiated single sign-on (SSO). ## Steps 1. Edit the `org.sourceid.websso.profiles.sp.IdpIdCookieSupport.xml` file located in the `/pingfederate/server/default/data/config-store` directory. 2. Set the value of `EnableIdpIdCookie` to `true`. 3. (Optional) Modify the remaining elements in the configuration, as described in the following table. | Field | Description | | ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **IdpIdCookieName** | The name of the IPRC set by the SP installation. The default is `IdPId`. The cookie name cannot contain any of the following characters: `&`, `>`, `<`, `;` , a comma, or a space. | | **IdpIdCookieLifeTimeInDays** | The lifetime for the cookie. The default is `365` days and a maximum of `24855` days. The browser will delete the cookie when the period is expired. | | **ShowIdpSelectionList** | If set to `true`, the default, the SP displays a list of IdPs that can be used to initiate the SSO event if the cookie is not set. If set to `false`, the SP installation generates an error page. | 4. Start or restart PingFederate. | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | After an IPRC cookie is set, the only way to change the IdP to whom the SP will send Authentication Requests for the user is to do one of the following: wait for the cookie to expire, delete the cookie, or perform IdP-initiated SSO using the new IdP. |