Shibboleth Developers

["Scott Cantor" <>]

> > Yes - and that means the SPprovidedID should NOT be used if the IdP 
> > wants to offer Subjects the ability to change ePTIDs.
> 
> Not really. If you change the ID itself with the express purpose of
> deletion, you can pretty much treat the other value as gone too.

I should follow up this whole thread of thinking up by pointing out that if
the goal is really to terminate the relationship with the SP, the means to
do that is to de-federate, terminating the use of an identifier at the SP.
That's a lot nicer from an ettiquette standpoint than just rolling the value
over without telling the SP.

Even if the goal is to start a new relationship, I think SPs would hope that
they'd be told when to clean up the current state, and that's what
defederation does.

-- Scott