3.1.5.3.3 Requestor IP/STS Security Realm Discovery

Because the user has not yet been authenticated, the relying party might not know where to send a wsignin1.0 request message. The relying party MUST obtain the security realm identifier for the requestor IP/STS that issues security tokens for the user. When the relying party is factored into WS resource and resource IP/STS components, the WS resource relies on the resource IP/STS to discover the correct federation partner. The resource IP/STS MAY discover the security realm of the federation partner by interacting with the user via the user's web browser requestor. Alternatively, the information MAY be obtained or derived from a parameter (such as whr, domain_hint, login_hint, or username, as specified in section 2.2.3) that was included in the original request to the WS resource.<53>

The resource IP/STS MUST use the security realm identifier to look up the correct federation partner record in configuration data and obtain the requestor IP/STS URL for protocol messages. Once obtained, the security realm identifier MAY<54> be preserved for subsequent sessions by writing an HTTP persistent cookie (for more information, see [RFC2965]) to the web browser requestor.
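The following is an added example of the discovery sequence described in this section, written for this page rather than taken from the specification or from any product: a resource IP/STS derives the security realm identifier from the whr, domain_hint, login_hint, or username parameter of the incoming request (or from a cookie written in an earlier session), looks the identifier up in its federation partner configuration to obtain the requestor IP/STS URL, and answers with a redirect that carries the wsignin1.0 request, persisting the realm in a cookie when it was newly learned. The partner table, realm identifiers, URLs, the cookie name RealmHint, the resource IP/STS realm, and the precedence among the hint parameters are all assumptions of the example; the specification defines the parameters but not how an implementation orders or stores them.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed federation-partner configuration (an assumption for this
# example, not data from the specification): security realm identifier ->
# requestor IP/STS endpoint plus the account domains that belong to it.
FEDERATION_PARTNERS = {
    "urn:federation:contoso": {
        "requestor_ip_sts_url": "https://sts.contoso.example/adfs/ls/",
        "domains": ("contoso.example",),
    },
    "urn:federation:fabrikam": {
        "requestor_ip_sts_url": "https://login.fabrikam.example/wsfed/",
        "domains": ("fabrikam.example", "mail.fabrikam.example"),
    },
}

RESOURCE_STS_REALM = "urn:federation:resource-sts"  # assumed realm of this resource IP/STS
REALM_COOKIE = "RealmHint"                           # assumed name of the persistent cookie
COOKIE_MAX_AGE = 30 * 24 * 3600                      # assumed lifetime: 30 days


def _first(params, name):
    """First value of a query parameter, normalised to lower case, or None."""
    values = params.get(name)
    return values[0].strip().lower() if values else None


def _realm_for_domain(domain):
    """Map an account domain to the configured realm that owns it, or None."""
    for realm, record in FEDERATION_PARTNERS.items():
        if domain in record["domains"]:
            return realm
    return None


def parse_cookies(cookie_header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def discover_realm(params, cookies):
    """Derive the requestor IP/STS security realm for an unauthenticated user.

    Order of precedence (a design choice of this example): an explicit whr,
    then domain_hint, then the domain part of login_hint or username, and
    finally the cookie persisted by an earlier session. Every candidate is
    checked against the configured partner records, so a value that names
    no known federation partner is ignored rather than acted on.
    """
    whr = _first(params, "whr")
    if whr in FEDERATION_PARTNERS:
        return whr
    domain_hint = _first(params, "domain_hint")
    if domain_hint and _realm_for_domain(domain_hint):
        return _realm_for_domain(domain_hint)
    for name in ("login_hint", "username"):
        value = _first(params, name)
        if value and "@" in value:
            realm = _realm_for_domain(value.rsplit("@", 1)[1])
            if realm:
                return realm
    remembered = cookies.get(REALM_COOKIE)
    if remembered in FEDERATION_PARTNERS:
        return remembered
    return None


def handle_signin(request_url, cookie_header=""):
    """Process a wsignin1.0 request arriving at the resource IP/STS.

    Returns a dict describing the HTTP response: a redirect to the requestor
    IP/STS (setting the realm cookie when the realm was newly learned), or a
    200 meaning the user must be asked to choose a realm interactively.
    """
    params = parse_qs(urlsplit(request_url).query)
    cookies = parse_cookies(cookie_header)
    realm = discover_realm(params, cookies)
    if realm is None:
        # No usable hint: fall back to interacting with the user (realm chooser page).
        return {"status": 200, "action": "prompt_for_realm", "set_cookie": None}

    partner = FEDERATION_PARTNERS[realm]
    forward = {"wa": "wsignin1.0", "wtrealm": RESOURCE_STS_REALM}
    wctx = params.get("wctx", [None])[0]   # opaque context is passed through unchanged
    if wctx:
        forward["wctx"] = wctx
    location = partner["requestor_ip_sts_url"] + "?" + urlencode(forward)

    set_cookie = None
    if cookies.get(REALM_COOKIE) != realm:
        # Persist the discovered realm for later sessions; Secure/HttpOnly/SameSite
        # keep the hint off plaintext channels and out of reach of page script.
        set_cookie = (f"{REALM_COOKIE}={realm}; Path=/; Max-Age={COOKIE_MAX_AGE}; "
                      "Secure; HttpOnly; SameSite=Lax")
    return {"status": 302, "action": "redirect", "location": location,
            "realm": realm, "set_cookie": set_cookie}


if __name__ == "__main__":
    base = "https://app.resource.example/?wa=wsignin1.0"
    print(handle_signin(base + "&wctx=state1&whr=urn:federation:contoso"))
    print(handle_signin(base + "&login_hint=Alice@Fabrikam.example"))
    print(handle_signin(base, "RealmHint=urn:federation:contoso"))
    print(handle_signin(base + "&whr=urn:federation:unknown"))
```

The point of validating every hint against the partner table before using it is that the redirect target always comes from configuration data, never from the request itself; a hint that matches no configured partner simply falls back to the interactive realm prompt.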