computedID in idpv3

Tom Scavo trscavo at gmail.com
Mon Feb 15 08:19:13 EST 2016


On Sun, Feb 14, 2016 at 3:44 PM, Paul B. Henson <henson at cpp.edu> wrote:
> On Sat, Feb 13, 2016 at 05:42:15PM -0500, Tom Scavo wrote:
>
>> The second issue is more interesting. Does your IdP support SAML2
>> only? If so, that's a no-brainer since you don't need ePTID. All your
>> needs are satisfied by SAML2 Persistent NameID.
>
> We are SAML2 only, one of the bright sides of our painful domain name
> change last year was I took the opportunity to deploy our new idp
> without SAML1.

Then you are in luck :-)

> I'm not sure I understand you though; I still have
> eduPersonTargetedID in my attribute resolver config and my attribute filter
> config, it still shows up in my idp-audit log, and I have SPs that are
> consuming it. At least they say they're using it. So while my needs
> might be satisfied by the SAML2 Persistent NameID, if I have SPs that
> are still using the eduPersonTargetedID, I don't see how I could just get
> rid of it?

That's true in any case, so it boils down to the will to do it on your
part. Let me give two more reasons to try: 1) the saml2int deployment
spec says so, and 2) the rest of the world follows the saml2int spec
fairly closely. So if you are exporting your IdP metadata to eduGAIN
(which I think you are), you have more incentive to take the plunge
:-)

Cheers,

Tom
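An added example, not code from this thread or from the Shibboleth project: it derives a targeted identifier the way the IdP's computed-ID construction is generally understood to work (base64 of SHA-1 over SP entityID, "!", source attribute value, "!", salt; stated here as an assumption, since the thread does not spell the algorithm out), then shows the same value delivered as a SAML2 persistent NameID and wrapped inside the legacy eduPersonTargetedID attribute. The entity IDs, salt and user value are constructed sample data.

```python
import base64
import hashlib

# Constructed sample values (not from the thread). The IdP requires the salt to
# be at least 16 bytes and to stay fixed, or every identifier changes.
SALT = b"constructed-salt-at-least-16-bytes"
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # eduPersonTargetedID
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def computed_id(sp_entity_id: str, source_id: str, salt: bytes = SALT) -> str:
    """Opaque, per-SP identifier: base64(SHA-1(sp + '!' + source + '!' + salt)).

    Assumption: this mirrors the classic Shibboleth computed-ID construction.
    source_id must be a stable, never-reassigned attribute (e.g. a uid that is
    not recycled), otherwise two people could end up with the same value.
    """
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 bytes")
    h = hashlib.sha1()
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_id.encode("utf-8"))
    h.update(b"!")
    h.update(salt)
    return base64.b64encode(h.digest()).decode("ascii")


def persistent_nameid(sp_entity_id: str, source_id: str) -> dict:
    """What a SAML2-only IdP places in <saml:Subject>: a persistent NameID."""
    return {
        "Format": PERSISTENT_FORMAT,
        "NameQualifier": IDP_ENTITY_ID,
        "SPNameQualifier": sp_entity_id,
        "value": computed_id(sp_entity_id, source_id),
    }


def eptid_attribute(sp_entity_id: str, source_id: str) -> dict:
    """The legacy ePTID attribute carries that same NameID as its value."""
    return {"Name": EPTID_OID, "NameID": persistent_nameid(sp_entity_id, source_id)}


if __name__ == "__main__":
    sp = "https://sp1.example.org/shibboleth"
    print(persistent_nameid(sp, "jdoe")["value"])
    print(eptid_attribute(sp, "jdoe")["NameID"]["value"])  # identical value
```

Because the value is the same either way, an SP that "consumes ePTID" can take it from the Subject NameID instead; only the packaging differs.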

