On 21/02/2014 12:44, Peter Schober wrote:
> If you:
> - don't want to support revoking/giving out new ePTIds to users, *and*
> - have stable identifiers for all your subjects that will never, ever
> change, *and*
> - know neither your IDP nor any SP will ever change their entityID
> then you can get by without storing them.
The IdP's entity ID is not used in the generation of the ePTID/pID hash
value; I've verified this many times supporting federation members. The
SP entity ID, the SALT and the source attribute are the variables that
But the IdP's entity ID *is* used in the internal representation for the
pID that SPs are supposed to use: SP entity ID!IdP entity ID!hash
value. So I don't see that maintaining hash values in a storedID
database can proof you against entity ID changes, because if either the
IdP or SP entity ID changes then that internal representation changes too.
UK Access Management Federation for Education and Research
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
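To make the point above concrete, here is an added example (my own illustration, not code from the thread or from the Shibboleth project) that reproduces the computed-ID scheme as described in the message: a hash over the SP entity ID, the source attribute and the salt, with the IdP entity ID only appearing in the scoped "SP entity ID!IdP entity ID!hash" representation. It assumes the digest is SHA-1, base64-encoded, with the inputs joined by "!" in that order; the entity IDs, the source attribute value and the salt are constructed sample data.

```python
import base64
import hashlib

# Constructed sample inputs (not real federation data).
IDP_ENTITY_ID = "https://idp.example.ac.uk/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SOURCE_ATTRIBUTE = "jsmith"                     # e.g. a uid/principal name
SALT = b"example-salt-at-least-16-bytes-long"   # assumption: a secret, fixed salt


def computed_id(sp_entity_id: str, source_attribute: str, salt: bytes) -> str:
    """Hash value of the computed persistent ID.

    Assumption: Base64(SHA-1(spEntityID + "!" + sourceAttribute + "!" + salt)).
    Note that the IdP entity ID is NOT an input.
    """
    digest = hashlib.sha1()
    digest.update(sp_entity_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_attribute.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt)
    return base64.b64encode(digest.digest()).decode("ascii")


def scoped_targeted_id(idp_entity_id: str, sp_entity_id: str, value: str) -> str:
    """Scoped representation in the field order the message above describes:
    SP entity ID!IdP entity ID!hash value."""
    return f"{sp_entity_id}!{idp_entity_id}!{value}"


def entity_id_change_effects() -> dict:
    """Show which changes alter the hash and which alter the scoped value."""
    base_hash = computed_id(SP_ENTITY_ID, SOURCE_ATTRIBUTE, SALT)
    base_scoped = scoped_targeted_id(IDP_ENTITY_ID, SP_ENTITY_ID, base_hash)

    # 1. IdP renames its entity ID: hash is unchanged, scoped value changes.
    new_idp = "https://idp-new.example.ac.uk/idp/shibboleth"
    idp_renamed_hash = computed_id(SP_ENTITY_ID, SOURCE_ATTRIBUTE, SALT)
    idp_renamed_scoped = scoped_targeted_id(new_idp, SP_ENTITY_ID, idp_renamed_hash)

    # 2. SP renames its entity ID: hash changes (and so does the scoped value).
    new_sp = "https://sp-new.example.org/shibboleth"
    sp_renamed_hash = computed_id(new_sp, SOURCE_ATTRIBUTE, SALT)

    # 3. Salt changes: hash changes even though nothing else did.
    salt_changed_hash = computed_id(SP_ENTITY_ID, SOURCE_ATTRIBUTE, b"a-different-salt-value-here")

    return {
        "base_hash": base_hash,
        "base_scoped": base_scoped,
        "hash_survives_idp_rename": idp_renamed_hash == base_hash,
        "scoped_survives_idp_rename": idp_renamed_scoped == base_scoped,
        "hash_survives_sp_rename": sp_renamed_hash == base_hash,
        "hash_survives_salt_change": salt_changed_hash == base_hash,
    }


if __name__ == "__main__":
    for key, value in entity_id_change_effects().items():
        print(f"{key}: {value}")
```

Running it shows the two separate facts the message makes: an IdP entity ID change leaves the hash intact but still changes the value an SP has stored, while an SP entity ID (or salt) change alters the hash itself, so a stored-ID database keyed on hash values does not protect you from either kind of rename.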