PingFederate's proprietary identity provider (IdP)-discovery method makes use of an IdP persistent reference cookie (IPRC) to track the identity provider with whom a user last authenticated.
There are three significant differences between standard IdP discovery and the IPRC method:
- Standard IdP discovery can be used only with SAML 2.0, but the IPRC can be used with any federation protocol.
- The common domain cookie (CDC) can be configured as a temporary, session-based cookie. The IPRC always persists for a configurable period of time.
- The CDC is set by the IdP and is readable by both federation partners. The IPRC is set by the service provider (SP), using information in the SAML assertion, and cannot be accessed by the IdP.
The deployed connection configuration between SP and IdP partners must include SP-initiated single sign-on (SSO).
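The general pattern behind a persistent, SP-set "last IdP" cookie can be sketched as follows. This is an added illustration, not PingFederate's implementation or its actual IPRC format; the cookie name, the HMAC-protected value layout, the key, and the IdP entity IDs are all assumptions constructed for the example.

```python
import hashlib
import hmac
from http.cookies import CookieError, SimpleCookie

COOKIE_NAME = "last_idp"          # hypothetical name, not PingFederate's
SECRET = b"constructed-demo-key"  # constructed; load from a secret store
CONFIGURED_IDPS = {"https://idp-a.example.com", "https://idp-b.example.com"}  # constructed


def _mac(payload: str) -> bytes:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest().encode()


def issue_cookie(idp_entity_id: str, lifetime_s: int, now: int) -> str:
    """Set-Cookie value the SP emits after validating an assertion from this IdP."""
    if idp_entity_id not in CONFIGURED_IDPS:
        raise ValueError("issuer is not a configured IdP partner")
    payload = f"{idp_entity_id.encode().hex()}.{now + lifetime_s}"
    jar = SimpleCookie()
    jar[COOKIE_NAME] = f"{payload}.{_mac(payload).decode()}"
    morsel = jar[COOKIE_NAME]
    morsel["max-age"] = lifetime_s  # persistent for the configured period
    morsel["path"] = "/"            # no Domain attribute: host-only, SP reads it alone
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    return morsel.OutputString()


def select_idp(cookie_header: str, now: int):
    """Remembered IdP for SP-initiated SSO, or None to fall back to asking the user."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
        hex_id, expiry, mac = jar[COOKIE_NAME].value.split(".")
        if not hmac.compare_digest(mac.encode(), _mac(f"{hex_id}.{expiry}")):
            return None  # value was altered or not issued by this SP
        if int(expiry) <= now:
            return None  # older than the configured lifetime
        idp = bytes.fromhex(hex_id).decode()
    except (CookieError, KeyError, ValueError):
        return None
    # Only ever route to a partner that is still configured.
    return idp if idp in CONFIGURED_IDPS else None
```

Because the cookie value is supplied by the browser, the sketch treats it as untrusted input: it is integrity-checked and matched against the configured partner list before it influences where an SP-initiated SSO request is sent.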