* Sara Hopkins <[log in to unmask]> [2014-02-21 16:43]:
> But the IdP's entity ID *is* used in the internal representation for
> the pID that SPs are supposed to use: SP entity ID!IdP entity
> ID!hash value. So I don't see that maintaining hash values in a
> storedID database can proof you against entity ID changes, because
> if either the IdP or SP entity ID changes then that internal
> representation changes too.
The IDP's entityID is stored as well, I think (don't have an IDP at
hand atm):
https://wiki.shibboleth.net/confluence/display/SHIB2/ResolverStoredIDDataConnector
This seems to allow the IDP to send the previously used NameQualifier,
resulting in the same complete NameID at the SP, even if the IDP's
entityID changed.
-peter
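To make the point of this exchange concrete, here is an added example (my own illustration, not code from the Shibboleth IdP or SP). It models the SP-side string in the order Sara gives it, a toy StoredID table whose column names (localEntity, peerEntity, localId, persistentId) are assumed, and a hash construction base64(SHA-1("SP!source!salt")) that is only my reading of the ComputedId scheme. The entity IDs, principal and salt are constructed. The IdP is then renamed, and the example shows that the SP's composite ID only survives the rename when the IdP keeps sending the NameQualifier recorded at first issuance, which is what Peter reads the connector as allowing:

```python
import base64
import hashlib
from dataclasses import dataclass, field


def computed_id(sp_entity_id: str, source_value: str, salt: str) -> str:
    """Hash-based persistent ID value: base64(SHA-1("SP!source!salt")).
    Assumption: this mirrors the ComputedId scheme as I understand it;
    it is an illustration, not the IdP's own code."""
    data = f"{sp_entity_id}!{source_value}!{salt}".encode()
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


@dataclass(frozen=True)
class PersistentNameID:
    value: str              # the hash value carried in the NameID
    name_qualifier: str     # NameQualifier: the IdP entityID in the assertion
    sp_name_qualifier: str  # SPNameQualifier: the SP entityID


def sp_internal_id(nid: PersistentNameID) -> str:
    """The SP-side string, in the order given in the quoted message:
    SP entityID!IdP entityID!hash value."""
    return f"{nid.sp_name_qualifier}!{nid.name_qualifier}!{nid.value}"


@dataclass
class StoredIdStore:
    """Toy stand-in for the StoredID table. Column names are assumed.
    Rows are keyed on (peerEntity, localId) so that an IdP rename does
    not lose the row; the original IdP entityID stays in localEntity."""
    salt: str
    rows: dict = field(default_factory=dict)

    def issue(self, idp_entity_id: str, sp_entity_id: str, local_id: str,
              reuse_stored_qualifier: bool) -> PersistentNameID:
        key = (sp_entity_id, local_id)
        row = self.rows.get(key)
        if row is None:
            row = {
                "localEntity": idp_entity_id,
                "peerEntity": sp_entity_id,
                "localId": local_id,
                "persistentId": computed_id(sp_entity_id, local_id, self.salt),
            }
            self.rows[key] = row
        # Either send the entityID the IdP has now, or the one recorded
        # when the ID was first issued (the "previously used NameQualifier").
        qualifier = row["localEntity"] if reuse_stored_qualifier else idp_entity_id
        return PersistentNameID(row["persistentId"], qualifier, sp_entity_id)


def demo():
    """Returns the SP-side strings before the IdP rename, after it with the
    new entityID as NameQualifier, and after it with the stored one."""
    sp = "https://sp.example.org/shibboleth"          # constructed
    old_idp = "https://idp-old.example.org/idp"       # constructed
    new_idp = "https://idp-new.example.org/idp"       # constructed
    store = StoredIdStore(salt="constructed-salt")
    before = store.issue(old_idp, sp, "jdoe", reuse_stored_qualifier=True)
    naive = store.issue(new_idp, sp, "jdoe", reuse_stored_qualifier=False)
    preserved = store.issue(new_idp, sp, "jdoe", reuse_stored_qualifier=True)
    return sp_internal_id(before), sp_internal_id(naive), sp_internal_id(preserved)


if __name__ == "__main__":
    b, n, p = demo()
    print("before rename:              ", b)
    print("after rename, new qualifier:", n)
    print("after rename, stored one:   ", p)
```

Note that the hash value itself is unchanged by the rename, since it is keyed on the SP entityID, the source value and the salt; only the NameQualifier moves. That is exactly why Sara's objection holds for a naive IdP, and why Peter's reading of the connector (keep sending the stored qualifier) is what makes the SP's composite key line up again.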