Discovery Service Options
If your SAML Service Provider (SP) in the Switch edu-ID federation accepts users from multiple Identity Providers (IdPs) and does not use the extended attribute model, you need to configure a Discovery Service. This page gives an overview of the available options and of which option fits which needs (slides).
A Discovery Service lets end users choose the IdP of their organisation where they can authenticate.
0. Special case: Single IdP only
If users authenticate only at a single IdP, they can be sent directly to this IdP. For the Shibboleth Service Provider this is configured by setting the entityID of this IdP in shibboleth2.xml:

```xml
<SSO entityID="https://aai-demo-idp.switch.ch/idp/shibboleth">
  SAML2
</SSO>
```
If the service is accessed by users from multiple IdPs, direct login links or a Discovery Service are needed to let users select their home organisation.
1. Direct Login URLs
Creating a direct login URL for every IdP is a simple solution, but it only scales well for a handful of IdPs. Beyond that it gets too laborious and error-prone.
The easiest way is to use our Login Link Composer to generate the direct login links. Then use the generated links for login buttons, ideally together with the organisation's logo, which you can also find in the AAI Resource Registry for every organisation.
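As an added example (not SWITCH's Login Link Composer and not code from this page), the following Python builds the same kind of direct login link by hand for a handful of IdPs. It assumes the Shibboleth SP default handler prefix /Shibboleth.sso and its Login session initiator, which accepts the query parameters entityID and target; the SP hostname sp.example.org and the second IdP are made up. The check on target is the one a practitioner wants: a login link that forwards to an arbitrary target turns the SP into an open redirector behind a trusted URL.

```python
"""Hand-built direct login links for a Shibboleth SP (added example)."""
import html
from urllib.parse import urlencode, urlsplit

SP_HOST = "sp.example.org"  # assumed SP hostname
# Shibboleth SP default handler prefix and Login session initiator
LOGIN_HANDLER = f"https://{SP_HOST}/Shibboleth.sso/Login"

# Constructed sample list of IdPs. The demo IdP entityID is the one shown in
# the single-IdP configuration above; the second one is a placeholder.
IDPS = {
    "AAI Demo Identity Provider": "https://aai-demo-idp.switch.ch/idp/shibboleth",
    "Example University": "https://idp.example-uni.ch/idp/shibboleth",
}


def direct_login_link(idp_entity_id: str, target: str) -> str:
    """Return a login URL that skips discovery and sends the user to one IdP.

    `target` is the protected page to land on after login. It must stay on
    this SP: accepting arbitrary targets would hand out an open redirector.
    """
    parts = urlsplit(target)
    if parts.scheme != "https" or parts.netloc != SP_HOST:
        raise ValueError(f"target must be an https URL on {SP_HOST}: {target!r}")
    # urlencode percent-encodes ':' and '/' so the entityID survives as one value.
    return LOGIN_HANDLER + "?" + urlencode({"entityID": idp_entity_id, "target": target})


def login_buttons(target: str) -> str:
    """HTML fragment with one login button per IdP; name and URL are escaped."""
    buttons = []
    for name, entity_id in IDPS.items():
        href = html.escape(direct_login_link(entity_id, target), quote=True)
        buttons.append(f'<a class="login" href="{href}">{html.escape(name)}</a>')
    return "\n".join(buttons)


if __name__ == "__main__":
    print(login_buttons(f"https://{SP_HOST}/secure/"))
```

The organisation logos mentioned above are not part of the link; they would be added to each button from the AAI Resource Registry in the same way.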
2. Central WAYF ("Where Are You From")
The central WAYF was the first discovery service of the Switch edu-ID federation and has been constantly improved and enhanced since 2005. When installing a Shibboleth Service Provider according to our installation and configuration guide, the WAYF is already pre-configured in the shibboleth2.xml file with the following lines:
```xml
<SSO discoveryProtocol="SAMLDS"
     discoveryURL="https://wayf.switch.ch/SWITCHaai/WAYF">
  SAML2
</SSO>
```
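With discoveryProtocol="SAMLDS" the SP and the WAYF talk the OASIS IdP Discovery Service protocol: the SP redirects the browser to the discoveryURL with its own entityID, a return URL and the name of the parameter that should carry the answer, and the WAYF redirects back with the chosen IdP's entityID. The Python below is an added example modelling both sides of that exchange; it is not the code of the SWITCH WAYF or of the Shibboleth SP. The WAYF URL is the one from the configuration above; the SP hostname, the SP and IdP entityIDs and the metadata tables are constructed for the example. The two checks are the ones that matter in practice: the DS must only send users back to return URLs registered in the SP's metadata (otherwise the DS is an open redirector, since return is attacker-controllable), and the SP must only start SSO with an IdP it has metadata for.

```python
"""Both sides of a SAMLDS discovery exchange (added example, not SWITCH code)."""
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qs

WAYF_URL = "https://wayf.switch.ch/SWITCHaai/WAYF"  # discoveryURL from shibboleth2.xml

# Constructed stand-in for federation metadata as seen by the DS: for each SP
# entityID, the DiscoveryResponse endpoint locations it registered.
REGISTERED_RETURN_URLS = {
    "https://sp.example.org/shibboleth": ["https://sp.example.org/Shibboleth.sso/Login"],
}
# Constructed stand-in for the SP's own metadata: IdPs it is allowed to use.
KNOWN_IDPS = {"https://aai-demo-idp.switch.ch/idp/shibboleth"}


# --- SP side: redirect the user to the discovery service ---------------------
def sp_discovery_request(sp_entity_id, return_url, return_id_param="entityID"):
    """Build the redirect to the DS. `return` is where the user comes back to,
    `returnIDParam` names the query parameter that will carry the chosen IdP."""
    params = {"entityID": sp_entity_id, "return": return_url,
              "returnIDParam": return_id_param}
    return WAYF_URL + "?" + urlencode(params)


# --- DS side: validate the request and send the user back --------------------
def _return_url_allowed(return_url, registered):
    """Matching rule used in this example: scheme, host and path must equal a
    registered DiscoveryResponse location; the SP may append its own query
    parameters (Shibboleth adds e.g. target=...)."""
    r = urlsplit(return_url)
    return any((r.scheme, r.netloc, r.path) == (e.scheme, e.netloc, e.path)
               for e in map(urlsplit, registered))


def ds_response(request_url, chosen_idp):
    """Handle a DS request and return the redirect URL carrying the user's choice."""
    q = parse_qs(urlsplit(request_url).query)
    sp_entity_id = q.get("entityID", [None])[0]
    registered = REGISTERED_RETURN_URLS.get(sp_entity_id)
    if not registered:
        raise ValueError(f"unknown SP entityID: {sp_entity_id!r}")
    # Without an explicit return, the profile falls back to the registered endpoint.
    return_url = q.get("return", [registered[0]])[0]
    if not _return_url_allowed(return_url, registered):
        raise ValueError(f"return URL not registered for {sp_entity_id}: {return_url!r}")
    param = q.get("returnIDParam", ["entityID"])[0]
    parts = urlsplit(return_url)
    query = parts.query + ("&" if parts.query else "") + urlencode({param: chosen_idp})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


# --- SP side: read the answer --------------------------------------------------
def sp_read_choice(response_url, return_id_param="entityID"):
    """Extract the chosen IdP and refuse anything not in the SP's metadata."""
    q = parse_qs(urlsplit(response_url).query)
    idp = q.get(return_id_param, [None])[0]
    if idp not in KNOWN_IDPS:
        raise ValueError(f"IdP not in SP metadata: {idp!r}")
    return idp


if __name__ == "__main__":
    req = sp_discovery_request("https://sp.example.org/shibboleth",
                               "https://sp.example.org/Shibboleth.sso/Login?target=/secure/")
    resp = ds_response(req, "https://aai-demo-idp.switch.ch/idp/shibboleth")
    print(req, resp, sp_read_choice(resp), sep="\n")
```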
3. Embedded WAYF
There are several reasons to prefer the embedded WAYF over the central WAYF:
- The look and feel of the central WAYF cannot be adapted, whereas the embedded WAYF is fully customizable.
- IdPs can easily be hidden, e.g. to list only the relevant ones. This is especially useful for interfederation-enabled services that don't want to list the thousands of eduGAIN Identity Providers but only a few selected ones.
- The discovery service is integrated directly into your web page instead of redirecting the user to the central discovery page.
4. Shibboleth Embedded Discovery Service (EDS)
The Shibboleth EDS is very similar to the Embedded WAYF. Its one advantage is that the EDS does not depend on a central server. The downside of having no central server is that the previously selected IdP cannot be cached across multiple service providers, because their cookies have different domain attributes.
5. SeamlessAccess Discovery Service (SA)
SeamlessAccess.org is a community-driven discovery service that was developed in part by the GÉANT project together with publishers, NISO, ORCID and Internet2. It is easy to integrate, easy to use and generally well suited for interfederation use cases.
Comparison of different Discovery Service Options
The comparison covers the Central WAYF, direct Login URLs, the Embedded WAYF, the Shibboleth EDS and SeamlessAccess (SA). The properties compared, with the notes attached to them, are:

| Property | Notes |
|---|---|
| Independent from central server | The Embedded WAYF needs to load JavaScript from the central WAYF, which also means its IdP list is always up to date. |
| Display only "eligible" IdPs for the SP | The Embedded WAYF (with wayf_use_disco_feed = true;) and the EDS only display IdPs for which the SP has metadata. |
| Search-as-you-type feature | |
| Show Home Organisation logo | For direct Login URLs you need to embed the logos manually. |
| Easy deployment | |
| Can be used for interfederation-enabled services | The wayf_use_disco_feed option cannot be turned on for such SPs, as they do not support the DiscoFeed. |
| Organisation categories supported | The Embedded WAYF supports sorting into the categories "university", "uas", "hospital", "tertiaryb", "vho", "others" and "all". Categories can be switched on and off in the configuration. |
| Remembers IdP selection across different services | Because the central WAYF manages the user's cookie, the Embedded WAYF also knows about recent IdP selections made at other services. |
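The Embedded WAYF (with wayf_use_disco_feed = true;) and the EDS build their IdP list from the SP's own metadata, which the Shibboleth SP publishes as JSON at /Shibboleth.sso/DiscoFeed; hiding IdPs, searching as you type and putting recently used IdPs first are then operations on that list. The Python below is an added example of those operations and is not code from the SWITCH Embedded WAYF or the Shibboleth EDS. The feed is constructed in the shape the Shibboleth SP serves (entityID, DisplayNames, Logos); all entityIDs except the demo IdP are made up. The "remembered selection" is modelled with the cookie format of the SAML IdP Discovery profile (a space-separated list of base64-encoded entityIDs, most recent last); treating that cookie as an ordering hint only, never as a source of IdPs, is what keeps a forged cookie from injecting an IdP the SP has no metadata for.

```python
"""Filtering a Shibboleth SP DiscoFeed like an embedded discovery UI (added example)."""
import base64
import json

# Constructed sample DiscoFeed; same shape as /Shibboleth.sso/DiscoFeed.
DISCO_FEED_JSON = """[
 {"entityID": "https://aai-demo-idp.switch.ch/idp/shibboleth",
  "DisplayNames": [{"value": "AAI Demo Identity Provider", "lang": "en"}],
  "Logos": [{"value": "https://aai-demo-idp.switch.ch/logo.png",
             "height": "60", "width": "80", "lang": "en"}]},
 {"entityID": "https://idp.example-uni.ch/idp/shibboleth",
  "DisplayNames": [{"value": "Universität Beispiel", "lang": "de"},
                   {"value": "Example University", "lang": "en"}],
  "Logos": []},
 {"entityID": "https://idp.far-away.example/idp/shibboleth",
  "DisplayNames": [{"value": "Far Away College", "lang": "en"}],
  "Logos": []}
]"""


def load_feed(text):
    """Parse the DiscoFeed JSON into a list of IdP entries."""
    return json.loads(text)


def display_name(entry, lang="en"):
    """Pick the display name in the UI language, else the first one, else the entityID."""
    names = entry.get("DisplayNames", [])
    for name in names:
        if name.get("lang") == lang:
            return name["value"]
    return names[0]["value"] if names else entry["entityID"]


def logo(entry):
    """First logo URL from the metadata, or None when the IdP publishes none."""
    logos = entry.get("Logos", [])
    return logos[0]["value"] if logos else None


def parse_saml_idp_cookie(value):
    """Decode the IdP Discovery cookie: base64 entityIDs separated by spaces,
    most recent last. Malformed tokens are dropped, since the cookie is
    client-controlled."""
    out = []
    for token in (value or "").split():
        try:
            out.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except ValueError:
            continue
    return out


def encode_saml_idp_cookie(entity_ids):
    return " ".join(base64.b64encode(e.encode("utf-8")).decode("ascii") for e in entity_ids)


def eligible_idps(feed, hidden=(), query="", cookie="", lang="en"):
    """IdPs to show: from the SP's feed only, minus hidden ones, filtered by the
    search string against every display name, most recently used first."""
    recent = parse_saml_idp_cookie(cookie)
    needle = query.lower()
    result = []
    for entry in feed:
        if entry["entityID"] in hidden:
            continue
        all_names = [n["value"] for n in entry.get("DisplayNames", [])]
        if needle and not any(needle in n.lower() for n in all_names):
            continue
        result.append({"entityID": entry["entityID"],
                       "name": display_name(entry, lang),
                       "logo": logo(entry)})

    # Cookie entries only re-order what is already in the feed; a cookie naming
    # an unknown IdP has no effect. sort() is stable, so the rest keeps feed order.
    def rank(item):
        eid = item["entityID"]
        return -(recent.index(eid) + 1) if eid in recent else 0

    result.sort(key=rank)
    return result


if __name__ == "__main__":
    feed = load_feed(DISCO_FEED_JSON)
    for idp in eligible_idps(feed, hidden={"https://idp.far-away.example/idp/shibboleth"}):
        print(idp["name"], idp["entityID"])
```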