Shibboleth Developers

["Spencer W. Thomas" <>]

Yes, that's another way.  And the transient ID is always present, 
whereas ePTID might not be.  Thanks for reminding me.

=S

Scott Cantor wrote:

> > In the case of Shibboleth authentication, the information that we could 
> > provide back might be the ePTID (assuming there is no other personal 
> > information in the original SAML assertion). We would expect that the 
> > institution would keep a reasonable history of user<->ePTID associations 
> > so that they can (internally) identify the transgressor.
> >    
>
> In fact, we already incorporated the ability to log transactionally who is
> assigned what transient identifier during authentication (what we called
> handles). We knew this was a basic requirement, privacy aside.
>
> So you can do it now without even using TID or having a history of them.
>
> Of course, a site can simply turn off this logging, or delete them, but
> that's up to policy, the same as this.
>
> -- Scott
>