
shibboleth-dev - RE: TargetedID Durability

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: TargetedID Durability
  • Date: Fri, 29 Jul 2005 17:30:36 -0400
  • Organization: The Ohio State University

> A casual reader of this might come to the conclusion that he, as
> an IdP, CAN, at any time, change the ePTID sent to an SP for a user and
> maybe he SHOULD inform the SP, but he doesn't HAVE TO. And that
> the notice of this change, if there is one, can come subsequent to the
> change itself. Is that correct?

Yes, but these are certainly matters of policy, not technology. But without
a reasonable way to inform SPs when they change, the usefulness as a
recognition mechanism goes way down. I don't think it would be good behavior
to effect the change until the SP is notified, if there's any notification
happening at all.

But the IdP is always in charge in the Liberty model, whatever SPs like to
believe. This is why Amazon's not interested, unless they get to be the IdP.

Since one of the reasons for making changes is to "wipe" the slate clean at
an SP, it certainly isn't required in SAML that an SP know about it.

-- Scott



