Andy Swiffin wrote: > Would it be possible to split the requirement rather than lumping > PrincipleName and targetedID together? The short answer is no, the Rules of Membership deliberately bundle various behavioural rules together so that service providers only really have two classes of IdP to deal with (section 6 compliant and "everyone else"). Your saying "yes, we do everything in section 6" is just a simple way for you to convey that bundle of guarantees via the federation rather than having to negotiate with each SP independently. If the bundle isn't appropriate, of course, there is nothing stopping you having a more detailed discussion with each SP you want to deal with. As (we hope) very few of them will need ePPN, that might be viable in some cases. Life is likely to be easier if you can sign up to section 6, though. [lots of good analysis snipped] > Of course this all assumes that PrincipalName is the users actual login > ID - does it have to be? Could it be like the targettedID, some > obfuscated version of the matric/staff code? I think my first observation would be that I'm surprised that frequent reuse of login IDs isn't causing you headaches elsewhere already. But your question here is the critical one, I think. The Technical Recommendations for Participants cover this (in 7.1.4). We are less absolute than eduPerson with regards to ePPN, because we realise there may be issues with reassignment of login names in some institutions . The eduPerson specification is clear that the expectation is that the eduPersonPrincipalName is the identifier used to authenticate the user. The main reason I can see for wanting this to be the case are to do with the user therefore being aware of the value, so that it can be used in out-of-band communications. For example, my ePPN is [log in to unmask] (same as my e-mail address) and I can phone someone up and say "my ePPN is [log in to unmask], please add me to that access control list". In practice, if you reassign login IDs and you wanted to sign up to having stable ePPN values, using some value other than the login ID would work just fine. You probably would want to think about how far you wanted to obfuscate it; if one of your students asks you what their ePPN is for reading over the phone to someone to put into an ACL, you don't want to have to deal with something like this: [log in to unmask] On the other hand, this might be acceptable: [log in to unmask] > Well, yes, but, as Jon pointed out earlier: > > "The Internet2 software only supports hashing on the fly. You can > presumably > extend it, given sufficient Java skill, to support only computing the > value once." > > I'm not sure I feel brave enough to start hacking round with the code > right at the outset.... The good news is that there are various people out there who have already put together systems that work with an external database in the way described. If one of them is listening, pitch in here please! The only reason such a facility hasn't been bundled into the standard IdP is that making it work "out of the box" would require the bundling of an SQL database with the IdP distribution... It does, however, seem like we should be pointing people at one or more standard database-backed implementations of ePTI if we can find some that are well enough documented. Oh, and as a by-the-way, I'd note that some more good news is that as of IdP 1.3.2, the IdP has apparently acquired a nice ability to do random attribute computation in "scriptlets". This might make it easier to put this kind of extension together in future. Documentation here: https://spaces.internet2.edu/display/SHIB/ScriptletAttributeDefinition -- Ian