On 21/02/2014 12:44, Peter Schober wrote:
[...]
> If you:
> - don't want to support revoking/giving out new ePTIds to users, *and*
> - have stable identifiers for all your subjects that will never, ever
>   change, *and*
> - know neither your IDP nor any SP will ever change their entityID
> then you can get by without storing them.

The IdP's entity ID is not used in the generation of the ePTID/pID hash value; I've verified this many times supporting federation members. The SP entity ID, the SALT and the source attribute are the variables that matter.

But the IdP's entity ID *is* used in the internal representation for the pID that SPs are supposed to use: SP entity ID!IdP entity ID!hash value.

So I don't see that maintaining hash values in a storedID database can proof you against entity ID changes, because if either the IdP or SP entity ID changes then that internal representation changes too.

Cheers,
Sara

--
Sara Hopkins
Support Team
UK Access Management Federation for Education and Research
web: http://www.ukfederation.org.uk/

The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
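As an added illustration of the point made above (example code written for this page, not code from the thread or from the UK federation), the following computes the ePTID hash the way Shibboleth's ComputedId data connector does (base64 of SHA-1 over SP entityID, source attribute value and salt) and builds the composite value in the order the post gives. The entityIDs, salt and source value are constructed placeholders; it shows that renaming the IdP leaves the hash intact but still changes the composite, while renaming the SP changes both.

```python
import base64
import hashlib


def computed_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """Computed ID as Shibboleth's ComputedId connector builds it:
    base64(SHA-1(spEntityID + "!" + sourceAttributeValue + "!" + salt)).
    UTF-8 is assumed for the byte encoding. The IdP's own entityID is
    not an input, which is the point of the post."""
    material = f"{sp_entity_id}!{source_value}!{salt}".encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def internal_representation(sp_entity_id: str, idp_entity_id: str, hash_value: str) -> str:
    """Composite value SPs keep, in the order the post gives:
    SP entityID!IdP entityID!hash."""
    return f"{sp_entity_id}!{idp_entity_id}!{hash_value}"


def rename_impact(old: dict, new: dict, source_value: str, salt: str) -> dict:
    """Compare hash and composite before/after an entityID change.
    `old` and `new` are dicts with keys 'sp' and 'idp' (hypothetical shape)."""
    before_hash = computed_id(old["sp"], source_value, salt)
    after_hash = computed_id(new["sp"], source_value, salt)
    before_rep = internal_representation(old["sp"], old["idp"], before_hash)
    after_rep = internal_representation(new["sp"], new["idp"], after_hash)
    return {
        "hash_changed": before_hash != after_hash,
        "representation_changed": before_rep != after_rep,
    }


# Constructed sample values: placeholders, not real federation members.
SALT = "constructed-example-salt"
SOURCE = "user123"  # a stable source attribute value such as a uid
OLD = {"sp": "https://sp.example.org/shibboleth",
       "idp": "https://idp.example.ac.uk/idp/shibboleth"}
IDP_RENAMED = {"sp": OLD["sp"], "idp": "https://idp.example.ac.uk/idp/shibboleth-v3"}
SP_RENAMED = {"sp": "https://sp.example.org/shibboleth-v3", "idp": OLD["idp"]}

if __name__ == "__main__":
    print("IdP entityID change:", rename_impact(OLD, IDP_RENAMED, SOURCE, SALT))
    print("SP entityID change: ", rename_impact(OLD, SP_RENAMED, SOURCE, SALT))
```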