On 21/02/2014 12:44, Peter Schober wrote:
[...]
> If you:
> - don't want to support revoking/giving out new ePTIds to users, *and*
> - have stable identifiers for all your subjects that will never, ever
> change, *and*
> - know neither your IDP nor any SP will ever change their entityID
> then you can get by without storing them.
The IdP's entity ID is not used in the generation of the ePTID/pID hash
value; I've verified this many times supporting federation members. The
SP entity ID, the SALT and the source attribute are the variables that
matter.
But the IdP's entity ID *is* used in the internal representation for the
pID that SPs are supposed to use: SP entity ID!IdP entity ID!hash
value. So I don't see that maintaining hash values in a storedID
database can proof you against entity ID changes, because if either the
IdP or SP entity ID changes then that internal representation changes too.
Cheers,
Sara
--
Sara Hopkins
Support Team
UK Access Management Federation for Education and Research
web: http://www.ukfederation.org.uk/
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
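The point made in the reply above, as an added example that is not part of the thread: the hash depends only on the SP entityID, the salt and the source attribute, while the "SP!IdP!hash" representation also carries the IdP entityID. The concatenation order and SHA-1/base64 encoding are assumptions modelled on the computed-ID scheme the thread refers to, and the salt and entityIDs are constructed sample values.

```python
import base64
import hashlib

# Constructed sample salt; a real deployment keeps its salt secret and stable.
SALT = b"constructed-example-salt-not-a-real-one"


def computed_id(sp_entity_id: str, source_value: str, salt: bytes = SALT) -> str:
    """Hash part of the computed ID.

    Only the SP entityID, the source attribute value and the salt go in;
    the IdP entityID is deliberately absent. Concatenation order and the
    SHA-1/base64 encoding are assumptions for this illustration.
    """
    material = f"{sp_entity_id}!{source_value}".encode("utf-8") + salt
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def persistent_name_id(sp_entity_id: str, idp_entity_id: str,
                       source_value: str, salt: bytes = SALT) -> str:
    """Internal representation the thread describes: SP entityID!IdP entityID!hash."""
    return f"{sp_entity_id}!{idp_entity_id}!{computed_id(sp_entity_id, source_value, salt)}"


def change_report(sp_before: str, idp_before: str, sp_after: str,
                  idp_after: str, source_value: str) -> tuple:
    """Return (hash_changed, name_id_changed) for an entityID change.

    Lets an operator see which part of the identifier an SP or IdP rename
    would break before committing to it.
    """
    hash_changed = computed_id(sp_before, source_value) != computed_id(sp_after, source_value)
    name_id_changed = (persistent_name_id(sp_before, idp_before, source_value)
                       != persistent_name_id(sp_after, idp_after, source_value))
    return hash_changed, name_id_changed


if __name__ == "__main__":
    sp, idp = "https://sp.example.org/shibboleth", "https://idp.example.ac.uk/idp"
    print("IdP rename:", change_report(sp, idp, sp, "https://idp-new.example.ac.uk/idp", "user1"))
    print("SP rename: ", change_report(sp, idp, "https://sp-new.example.org/shibboleth", idp, "user1"))
```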