Shibboleth Developers

[Scott Cantor <>]

> Therefore, if you want a VO to "borrow" a persistent identifier for 
> members of a Grid community, you have to use the EPPN known to the 
> member's HO.  The Grid applications can map that EPPN to a Grid 
> identity.  Better yet - the Grid member can be known by their HO EPPN 
> from the git go.  I see no motivation at all to ask every Home Org to 
> store additional identifiers for use in other domains.

Well, the obvious reason is the one Liberty has, namely to allow the VO to
function with some relationship to its users independent of their HO or of
the user changes HO's. That requires a persistent identifier owned/managed
by the VO, and Liberty (and SAML) aim to link the two.

In Liberty's case, it's a business (I guess a CRM) justification to not let
the HO "own" the relationship with the "customer". Obviously that driver may
not apply here.

-- Scott