
shibboleth-dev - RE: TargetedID Durability

Subject: Shibboleth Developers


RE: TargetedID Durability


  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: TargetedID Durability
  • Date: Fri, 29 Jul 2005 18:44:23 -0400
  • Organization: The Ohio State University

> A related question. What if a user wished to not use a targeted ID and
> always wanted to use a random handle (hopefully understanding that they
> forgo things like maintained customizations between visits). As a
> service, would you support something like that alongside
> ePTID support?

I certainly would. Today, it amounts to supporting per-user ARPs (so, yeah,
not having those is a problem). Tomorrow, it should mean controlling the use
of persistent NameIDs, and allowing SPs to indicate what they want, and
users to indicate what to allow. This shouldn't be hard, since I'm already
treating NameID formats very much like attributes in the SP, and I'd imagine
the IdP can too.

In Liberty terms, though, this is explicit in the federation process. In
that world, the user grants permission to the SP to federate him, and then
the IdP can confirm this with the user before granting the SP the value. Or
can give the user one of those "remember this decision for all SPs" things
that stops bugging him.

-- Scott



