Limiting persistentId resolving

Cantor, Scott cantor.2 at osu.edu
Thu Aug 8 13:57:35 EDT 2019


There's nothing of any value in AttributeConsumingService the majority of the time, so you're probably wasting your time trying to drive policy off of it unless you just don't care about failures or your metadata is extremely unusual. I guess it's possible you're operating in an unusual community of practice where my experiences don't apply.

But it is simply not true that "every relying party can't use your IdP" if the database is down; that's a decision you get to make. Controlling activation is fine, but when there's nothing reliable to base that decision on, you're probably better off just fixing the failure mode with other settings and redundancies.

As always, avoiding the database is also choice #1. If the IDs are all "first generation" hashes that aren't random, then the best option is to dump it and move it to computed IDs.

-- Scott



