PersistentNameIDGenerationConfiguration - Can the identifiers be computed outside of Shibboleth IdPv3?

Rainer Hoerbe rainer at hoerbe.at
Wed Mar 16 15:29:16 EDT 2016


>> In principle it should be possible to encrypt userid + sp-entityid with AES instead of a hash and thus be both computed and reversible.
> 
> It is, but at the time this was done, the IdP didn't have an AES key or any code designed for that and everything since then has been done to maintain compatibility with the hashing approach that was used. Whether it was good, bad, or indifferent wasn't a factor.
> 
> Also, reversibility isn't really the main limitation (you don't need to reverse them, generally), the ability to revoke or change them is, and that still isn't possible with a computed approach or at best a hybrid that still involves state.

Agreed, but once targeted emails are used to reduce the angst of attribute release, cheap reversibility would be a good thing.

- Rainer
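The two approaches discussed in this thread, side by side, as an added example (editor's code, not from the thread or from the Shibboleth project). The hashed variant is a reconstruction of the IdP's documented computed-ID layout, Base64(SHA-1(relyingPartyId "!" sourceId "!" salt)); the exact byte encoding should be checked against a real deployment before relying on a match. The reversible variant is the "encrypt instead of hash" idea: because the example must run on the standard library, a 4-round Feistel network over HMAC-SHA256 stands in for AES (in production use a deterministic authenticated mode such as AES-SIV). The SP entityID, user id, salt and key below are constructed values.

```python
"""Persistent NameIDs computed outside the IdP: hashed vs. keyed-reversible.

Both generators are deterministic for a given (SP, user) pair. Neither can
revoke one user's identifier without keeping state: the only knob is the salt
or key, and rotating it changes every identifier at once.
"""
import base64
import hashlib
import hmac
from typing import Tuple


# --- 1. Hash-based computed ID (reconstruction of the IdP strategy) ----------

def computed_id(sp_entity_id: str, source_id: str, salt: str) -> str:
    """Base64(SHA-1(relyingPartyId + "!" + sourceId + "!" + salt)).

    Assumption: UTF-8 encoding of all three parts; verify against your IdP.
    """
    h = hashlib.sha1()
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_id.encode("utf-8"))
    h.update(b"!")
    h.update(salt.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


# --- 2. Keyed, deterministic, reversible ID (Feistel/HMAC stand-in for AES) --

def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    """Round function: HMAC-SHA256(key, round_index || half), truncated."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[: len(half)]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel(key: bytes, block: bytes, decrypt: bool, rounds: int = 4) -> bytes:
    """Balanced Feistel network (Luby-Rackoff); block must have even length.

    Encrypt round: (L, R) -> (R, L xor F(R)); decrypt runs the rounds in
    reverse order with the inverse mapping (L', R') -> (R' xor F(L'), L').
    """
    half = len(block) // 2
    left, right = block[:half], block[half:]
    for rnd in (reversed(range(rounds)) if decrypt else range(rounds)):
        if decrypt:
            left, right = _xor(right, _round_fn(key, rnd, left)), left
        else:
            left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def reversible_id(key: bytes, sp_entity_id: str, source_id: str) -> str:
    """Deterministic keyed identifier that the IdP can decrypt back to (SP, user).

    Fields are length-prefixed (no delimiter ambiguity if an id contains "!").
    Note the ciphertext is as long as the plaintext, so the id length leaks
    the combined length of the two inputs; AES-SIV would add a 16-byte tag.
    """
    sp, user = sp_entity_id.encode("utf-8"), source_id.encode("utf-8")
    block = len(sp).to_bytes(2, "big") + sp + len(user).to_bytes(2, "big") + user
    if len(block) % 2:
        block += b"\x00"  # pad to even length for the balanced Feistel
    return base64.urlsafe_b64encode(_feistel(key, block, decrypt=False)).decode("ascii")


def reverse_id(key: bytes, name_id: str) -> Tuple[str, str]:
    """Recover (SP entityID, user id) from a reversible_id value."""
    block = _feistel(key, base64.urlsafe_b64decode(name_id), decrypt=True)
    n = int.from_bytes(block[:2], "big")
    sp = block[2 : 2 + n].decode("utf-8")
    m = int.from_bytes(block[2 + n : 4 + n], "big")
    user = block[4 + n : 4 + n + m].decode("utf-8")
    return sp, user


if __name__ == "__main__":
    KEY = b"\x11" * 32  # constructed demo key; a real IdP key must be random and secret
    SP = "https://sp.example.org/shibboleth"
    print("computed  :", computed_id(SP, "jdoe", "demo-salt"))
    rid = reversible_id(KEY, SP, "jdoe")
    print("reversible:", rid, "->", reverse_id(KEY, rid))
    # "Revocation" by rotating the key changes every user's id, not just one:
    print("rotated   :", reversible_id(b"\x22" * 32, SP, "jdoe"))
```

The hashed form can be recomputed by anyone who holds the salt but never reversed; the keyed form can be both recomputed and reversed by the key holder, which is exactly the property wanted for targeted, e-mail-like identifiers. Neither form lets you retire a single user's value without recording that fact somewhere, which is the point made in the reply above.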

