An open discussion list for topics related to the eduGAIN interfederation service.

[Peter Schober <peter.schober AT univie.ac.at>]

* Nick Roy <nroy AT internet2.edu> [2017-10-11 22:09]:
> Isn't persistent nameID a hashed triple of user ID, issuer entityID and
> audience entityID?

The SAML spec doesn't mandate you implement the user-specific part
that way (the other 2 parts are either implied/defaulted or included
as NameQualifier and SPNameQUalifier explicitly), but I don't see how
that's material, esp not for the conclusion you seem to be drawing
below from the way the opaque, service-specific pseudonym is being
generated.

> If so, by definition all implementations have to be able to support
> automatic generation.  It's not limited to Shibboleth.

If X is implemented by method M every SAML implementation has to be
able to support X? "By definition"?
I have no idea how the support for generating SAML spec-conformant
persistent NameIDs is across IDP implementations or whether all IDP
implememtations have full scripting support to make up for missing
features -- and this all seems quite a bit academic to me[1] -- but I
cannot follow the logic/argument here. (Not that this matters, of
course.)

-peter

[1] Note that much of thread is unreadable to me using a Mail User
    Agent that's not a web browser ("large green bold font"? nope.)
    so I have not made the effort of trying to untangle that mess of
    quoting and HTML-only "semantics".