On 21/02/2014 12:44, Peter Schober wrote:
[...]
> If you:
> - don't want to support revoking/giving out new ePTIds to users, *and*
> - have stable identifiers for all your subjects that will never, ever
>    change, *and*
> - know neither your IDP nor any SP will ever change their entityID
> then you can get by without storing them.

The IdP's entity ID is not used in the generation of the ePTID/pID hash 
value; I've verified this many times supporting federation members. The 
SP entity ID, the SALT and the source attribute are the variables that 
matter.

But the IdP's entity ID *is* used in the internal representation for the 
pID that SPs are supposed to use: SP entity ID!IdP entity ID!hash 
value. So I don't see that maintaining hash values in a storedID 
database can proof you against entity ID changes, because if either the 
IdP or SP entity ID changes then that internal representation changes too.

Cheers,

Sara
-- 
Sara Hopkins
Support Team
UK Access Management Federation for Education and Research
web:    http://www.ukfederation.org.uk/

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
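Added worked example (not part of Sara's mail or the list thread): a small Python model of the two claims above, that the computed ePTID hash takes only the SP entityID, the source attribute and the salt as inputs, while the SP-side persistent identifier `SP entityID!IdP entityID!hash` also embeds the IdP entityID. The hash construction assumed here, Base64(SHA-1(spEntityID + "!" + sourceId + "!" + salt)), is the one the Shibboleth IdP's ComputedId data connector is understood to use; the entity IDs, attribute value and salt are constructed sample values, not real federation data.

```python
import base64
import hashlib

# Constructed sample values: not real federation entities or a real salt.
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
IDP_ENTITY_ID = "https://idp.example.ac.uk/idp/shibboleth"
SOURCE_ATTRIBUTE = "jsmith"   # value of the stable source attribute (e.g. uid) for one user
SALT = b"constructed-salt-value-at-least-16-bytes"


def computed_id(sp_entity_id: str, source_id: str, salt: bytes) -> str:
    """Computed ePTID hash: Base64(SHA-1(spEntityID + '!' + sourceId + '!' + salt)).

    Assumed construction (Shibboleth IdP ComputedId connector style).
    The IdP's own entityID is deliberately not an input.
    """
    h = hashlib.sha1()
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_id.encode("utf-8"))
    h.update(b"!")
    h.update(salt)
    return base64.b64encode(h.digest()).decode("ascii")


def persistent_nameid(sp_entity_id: str, idp_entity_id: str,
                      source_id: str, salt: bytes) -> str:
    """SP-side internal representation described in the mail: SP entityID!IdP entityID!hash."""
    return f"{sp_entity_id}!{idp_entity_id}!{computed_id(sp_entity_id, source_id, salt)}"


def entity_id_change_effects() -> dict:
    """Report which identifier parts survive an IdP rename and an SP rename."""
    before_hash = computed_id(SP_ENTITY_ID, SOURCE_ATTRIBUTE, SALT)
    before_full = persistent_nameid(SP_ENTITY_ID, IDP_ENTITY_ID, SOURCE_ATTRIBUTE, SALT)

    # IdP changes its entityID: hash is unaffected, the full triple is not.
    new_idp = "https://idp-renamed.example.ac.uk/idp/shibboleth"
    after_idp_hash = computed_id(SP_ENTITY_ID, SOURCE_ATTRIBUTE, SALT)
    after_idp_full = persistent_nameid(SP_ENTITY_ID, new_idp, SOURCE_ATTRIBUTE, SALT)

    # SP changes its entityID: even the hash itself changes.
    new_sp = "https://sp-renamed.example.org/shibboleth"
    after_sp_hash = computed_id(new_sp, SOURCE_ATTRIBUTE, SALT)

    return {
        "hash_survives_idp_rename": before_hash == after_idp_hash,
        "nameid_survives_idp_rename": before_full == after_idp_full,
        "hash_survives_sp_rename": before_hash == after_sp_hash,
    }


if __name__ == "__main__":
    print(persistent_nameid(SP_ENTITY_ID, IDP_ENTITY_ID, SOURCE_ATTRIBUTE, SALT))
    for check, result in entity_id_change_effects().items():
        print(f"{check}: {result}")
```

Running it shows the hash surviving an IdP rename but not an SP rename, and the full `SP!IdP!hash` string changing in both cases, which is why a stored table of hash values alone does not insulate an SP's user records from either side renaming its entityID.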