
shibboleth-dev - RE: [Shib-Dev] [IdPv3] Consent Engine Work

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] [IdPv3] Consent Engine Work
  • Date: Mon, 27 Sep 2010 10:43:54 -0400
  • Organization: The Ohio State University

> Yes, I was talking about SAML V2.0 persistent name ID. That needs to
> be redundantly asserted as an attribute for consent to work, right?

Depends how the NameID selection process is related to consent, I suppose.
But I don't really see that concept as something that works well with
consent or can be explained effectively to users.

> I'm not sure what you mean. This is a real requirement articulated
> clearly by Federation SPs (well, at least one Federation SP :)

By some SPs.

> I don't think that helps much. A specific example is ePTID vs EPPN. If
> an institution does not reassign EPPNs, the SP probably wouldn't care
> which it receives. How does the SP communicate that to the IdP (short
> of defining a new, abstract attribute)?

By not worrying about it too much, asking for either/or and living with the
result. If you need persistence, you can't use EPPN, seems to me, without
additional machinery. Pragmatically, most sites will give up persistence in
favor of usability, and I don't see the number of sites willing to support
anything but EPPN growing very much.

-- Scott




