Allow discovery server

[egabancho]

For the SSO scenario at the UHH, we need to provide a way for users of different academic institutions to login to the repository. In our case, we want to allow all institutions that are part of eduGAIN to login to our repository.

To achieve this, we need to allow users to select their institution from a list of institutions that are part of eduGAIN through a discovery service (probably this).
Invenio-SAML builds upon the python3saml library, which does not provide a discovery service functionality [1]. However, pysaml2 does provide DS functionality [2].
The question is whether we can extend Invenio-SAML to provide a DS functionality and how (and how widespread that demand actually is).

[1] SAML-Toolkits/python3-saml#405
[2] https://github.com/IdentityPython/pysaml2/blob/master/src/saml2/client_base.py#L972

[max-moser]

At TU Wien, we allow login via eduGAIN via a (historically grown) authentication pipeline which is based on Keycloak[1], SATOSA[2] and our own custom (Python-based) discovery service[3].

[1] https://www.keycloak.org/
[2] https://github.com/IdentityPython/SATOSA/ & https://gitlab.tuwien.ac.at/fairdata/crdm-satosa-setup
[3] https://gitlab.tuwien.ac.at/fairdata/crdm-disco-service