Carl Vincent wrote:
> The Technical Recommendations suggest storing the id of users using a
> triple made up of:
> 1) entity id of IdP
> 2) entity id of SP
> 3) local part of TargetedId
Just to clarify, the Technical Recommendations are actually suggesting
transforming "old style" scoped targetedID values into that triple
before *processing* it, for forwards compatibility with more recent
standards. The Recommendation isn't necessarily that the whole triple
be *stored*: as Fiona points out, for any normal application the SP ID
will be the same for all values, so it may be worth stripping those out
depending on how much the extra 40-or-whatever characters will cost you
(our longest entity name at present is 69 characters, but the formal
limit is much longer).
This may be particularly useful if you have a constraint (as most people
do) on the total length of the identifier you store. Another approach
in that case would be to hash the triple down to something shorter for
storage.
> Alternatively are people not following this suggestion and simply
> storing the scoped targeted id?
I'm sure a lot of people are doing this, in practice. The big downside
of that approach is that when things start to move to SAML 2, it may be
very hard to preserve targetedIDs across the transition.
(Balanced against that, the "just store the scoped value" approach is a
little more robust if the IdP's entity ID changes; but that's not an
intended advantage.)
-- Ian
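As an added example (not code from this thread or from the Technical Recommendations), the transformation Ian describes in Python: split an "old style" scoped targetedID into its local part, rebuild it as the (IdP entity id, SP entity id, local part) triple, then either store it in a readable form, optionally dropping the constant SP id, or hash the triple down to a fixed 64-character SHA-256 digest for a length-limited column. The entity ids and scoped value are constructed sample data; the choices that the scope follows the last `@` and that `!` is used as the readable separator are assumptions made here for illustration.

```python
from __future__ import annotations

import hashlib

# Constructed sample values for illustration; not taken from the thread.
IDP_ENTITY_ID = "https://idp.example.ac.uk/shibboleth"
SP_ENTITY_ID = "https://sp.example.ac.uk/shibboleth"
SCOPED_TARGETED_ID = "8f7a3c2e1b0d9e4f@example.ac.uk"


def split_scoped(value: str) -> tuple[str, str]:
    """Split an old-style scoped targetedID 'local@scope' into (local, scope).

    Assumption: the scope is whatever follows the last '@', so a local part
    that itself contains '@' is still split correctly.
    """
    local, sep, scope = value.rpartition("@")
    if not sep or not local or not scope:
        raise ValueError(f"not a scoped targetedID: {value!r}")
    return local, scope


def to_triple(scoped_value: str, idp_entity_id: str, sp_entity_id: str) -> tuple[str, str, str]:
    """Rewrite a scoped value as the (IdP entity id, SP entity id, local part) triple."""
    local, _scope = split_scoped(scoped_value)
    return (idp_entity_id, sp_entity_id, local)


def canonical_bytes(parts: tuple[str, ...]) -> bytes:
    """Length-prefixed encoding of the parts, used as hash input.

    Joining with a separator would be ambiguous if a field could contain that
    separator; a 4-byte length prefix per field makes the encoding injective,
    so two different triples can never hash the same input.
    """
    out = bytearray()
    for part in parts:
        raw = part.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return bytes(out)


def storage_key(triple: tuple[str, str, str], include_sp: bool = True, hashed: bool = False) -> str:
    """Derive the value to store for this user.

    include_sp=False drops the SP entity id, which is constant for a single
    application.  hashed=True returns a fixed-length SHA-256 hex digest
    (64 characters) instead of the readable concatenation; the digest is
    one-way, so keep the original triple elsewhere if you may need the IdP
    entity id back later.
    """
    idp, sp, local = triple
    parts = (idp, sp, local) if include_sp else (idp, local)
    if hashed:
        return hashlib.sha256(canonical_bytes(parts)).hexdigest()
    # Readable form: refuse fields containing the separator rather than
    # storing an ambiguous string.
    if any("!" in p for p in parts):
        raise ValueError("field contains the '!' separator; use hashed=True")
    return "!".join(parts)


if __name__ == "__main__":
    triple = to_triple(SCOPED_TARGETED_ID, IDP_ENTITY_ID, SP_ENTITY_ID)
    print("triple:        ", triple)
    print("full key:      ", storage_key(triple))
    print("without SP id: ", storage_key(triple, include_sp=False))
    print("hashed (64ch): ", storage_key(triple, hashed=True))
```

The length-prefixed encoding matters only for the hashed form: with a plain `"!".join`, the triples `("a!b", "c")` and `("a", "b!c")` would collide, which is why the readable form rejects fields containing the separator instead of silently storing them.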