> I thought Paul was asking whether you could use the SID as the actual
> value. In that case you are absolutely right (of course).
> I think what you're saying is that by using the entityID of the SP the
> software effectively
> ensures that each SP gets a different EPTID thus ensuring that the
> Federation's rules are followed.

Nigel

-----Original Message-----
From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Rod Widdowson
Sent: 06 May 2009 15:10
To: [log in to unmask]
Subject: Re: Attribute Definitions and metadatatool

> I think (someone will correct me if I'm wrong) that you can't use the SID
> as the EPTI because the
> Federation rules oblige you to return a different EPTI value to each SP.

Nigel, you are indeed wrong. The Shib software takes that into account.

What the PersistentIDAttributeDefinition does is in fact take a triple
- what you give it
- The salt you give it
- The entityID of the requesting SP
And mungs them into some funky hash. It then throws it at the SP.

This is why Resolvertest won't issue an EPTID unless you give it an SP entityID

/Rod
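
An added illustration of the triple described in the thread above (not Shibboleth's code and not written by anyone in the thread): a Python sketch that derives an opaque identifier from a source value, a salt and the requesting SP's entityID, and refuses to produce one when no SP is given. The HMAC-SHA256 construction, the function names, the minimum salt length and the sample values are all assumptions chosen for this sketch.

```python
import base64
import hashlib
import hmac

MIN_SALT_BYTES = 16  # assumption for this sketch: refuse trivially short salts


def _field(value: str) -> bytes:
    """Length-prefix a field so ("ab", "c") and ("a", "bc") cannot collide."""
    raw = value.encode("utf-8")
    return len(raw).to_bytes(4, "big") + raw


def persistent_id(source_value: str, salt: bytes, sp_entity_id: str) -> str:
    """Derive an opaque per-SP identifier from (source value, salt, SP entityID)."""
    if not sp_entity_id:
        # Without a requesting SP there is nothing to scope the value to.
        raise ValueError("SP entityID is required")
    if not source_value:
        raise ValueError("source value is required")
    if len(salt) < MIN_SALT_BYTES:
        raise ValueError("salt too short")
    # The salt is the HMAC key: an SP that knows its own entityID and can guess
    # the source value (for example a SID) still cannot recompute the value,
    # and two SPs cannot link their identifiers for the same user.
    msg = _field(sp_entity_id) + _field(source_value)
    digest = hmac.new(salt, msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def demo() -> dict:
    # Constructed sample values, not taken from the thread.
    salt = b"constructed-demo-salt-0123456789"
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1001"
    sps = [
        "https://sp1.example.org/shibboleth",
        "https://sp2.example.org/shibboleth",
    ]
    return {sp: persistent_id(sid, salt, sp) for sp in sps}


if __name__ == "__main__":
    for sp, value in demo().items():
        print(sp, value)
```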