Shibboleth Developers

[Jim Fox <>]

> > A casual reader of this might come to the conclusion that he, as
> > as IdP, CAN, at any time. change the ePTID sent to an SP for a user and
> > maybe he SHOULD inform the SP, but he doesn't HAVE TO.  And that
> > the notice of this change, if there is one, can come subsequent to the
> > change itself.  Is that correct?
>
> Yes, but these are certainly matters of policy, not technology. But without
> a reasonable way to inform SPs when they change, the usefulness as a
> recognition mechanism goes way down. I don't think it would be good behavior
> to effect the change until the SP is notified, if there's any notification
> happening at all.
>
> But the IdP is always in charge in the Liberty model, whatever SPs like to
> believe. This is why Amazon's not interested, unless they get to be the IdP.
>
> Since one of the reasons for making changes is to "wipe" the slate clean at
> an SP, it certainly isn't required in SAML that an SP know about it.

So, when Phil complained, jan 13,

   "I now want to move our origin to 1.2.1 (which BTW, rocks),
    but we'll kill all the TargetedIDs."

why your response,

   "The big nasty is when they go to 1.2,
    then that part of the seed changes and you're dead."

and not just, "who cares?"


And when Bob noted, july 5,

   "At least some of the customers (PSU and USC) are using
    targetedIds for the user ids they're sending to Napster,
    so are concerned about the stability of these across
    Shib IdP versions."

why the concern?  What stability when the idp can effect changes
at whim?


And in the definition, from the shib glossary,

   "Persistent Identifier (TargetedID): This special identifier
    type allows an IdP and SP to preserve a single identifier
    for one principal across all current and future transactions..."

am I to assume the words 'preserve' and 'future' mean only
what an advertiser might mean by them?


If there is no requirement on the persistence of ePTID then it
would appear to be nothing more than a nicety, providing the user
with a "pleasant browsing experience".  Maybe that's all it is
and I've been way too concerned about our maintenance of them.
Generation on the fly might be the best approach after all.

Jim