> I think (someone will correct me if I'm wrong) that you can't use the SID
> as the EPTI because the Federation rules oblige you to return a different
> EPTI value to each SP.
Nigel,
you are indeed wrong. The Shib software takes that into account. What the
PersistentIDAttributeDefinition does is in fact take a triple
- what you give it
- The salt you give it
- The entityID of the requesting SP
And munges them into some funky hash. It then throws it at the SP.
This is why Resolvertest won't issue an EPTID unless you give it an SP
entityID
/Rod
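
An added illustration of the triple described in the message above (not part of the original e-mail, and not Shibboleth's own code): a per-SP identifier derived from a source value, a salt and the SP entityID. HMAC-SHA-256 with length-prefixed fields is an assumption chosen for this sketch, not the hash Shibboleth uses, and the function name, SID and entityIDs are constructed.

```python
import base64
import hashlib
import hmac


def pairwise_id(source_value: str, salt: bytes, sp_entity_id: str) -> str:
    """Derive an opaque per-SP identifier from (source value, salt, SP entityID).

    Hypothetical helper: keyed hash over the SP entityID and the source value,
    with the salt as the secret key, so an SP cannot recompute or reverse it.
    """
    if not sp_entity_id:
        # Same behaviour the message describes for the resolver test tool:
        # without a requesting SP there is nothing to target the ID at.
        raise ValueError("an SP entityID is required to compute a targeted ID")
    if not source_value:
        raise ValueError("the source attribute value is empty")
    if len(salt) < 16:
        raise ValueError("salt is too short to resist guessing")

    # Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
    fields = (sp_entity_id.encode("utf-8"), source_value.encode("utf-8"))
    message = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    digest = hmac.new(salt, message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def demo() -> dict:
    """Compute IDs for one constructed user at two constructed SPs."""
    salt = b"constructed-demo-salt-0123456789"  # constructed, never reuse
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID
    sps = ("https://sp-one.example.org/shibboleth",
           "https://sp-two.example.org/shibboleth")
    return {sp: pairwise_id(sid, salt, sp) for sp in sps}


if __name__ == "__main__":
    for sp, value in demo().items():
        print(f"{sp} -> {value}")
```

The same source value yields a different, stable value at each SP, so two SPs cannot correlate the user by comparing identifiers as long as the salt stays secret.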