technical-discuss - Re: [InC-Technical] ePTID changes caused by Shibboleth IdPv3 upgrade


Re: [InC-Technical] ePTID changes caused by Shibboleth IdPv3 upgrade


  • From: Scott Koranda <>
  • To: "Basney, Jim" <>
  • Subject: Re: [InC-Technical] ePTID changes caused by Shibboleth IdPv3 upgrade
  • Date: Thu, 8 Jun 2017 06:36:03 -0500

Hi,

> Are there any other SP operators on the list who are detecting these
> ePTID changes?

The VOs I have been working with have so far relied on ePPN and not
ePTID or any other targeted identifiers. The primary reason is the need
to "see" the same user at multiple SPs operated by the VO.

Somewhat ironically this is changing now as the VOs are preparing to
deploy IdP/SP proxies in production and present a single SP to the
federation(s). The reason is for better interoperability because of IdPs
that will only send targeted identifiers.

The plan to mitigate this issue of IdPs changing persistent identifiers
is to use a tool to track what identifiers an IdP sends (we are using
COmanage Registry) for a user and then use it to look up VO-centric
attributes in an attribute store managed solely by the VO to send to the
SPs. If an IdP changes an identifier like ePTID for a user we will
simply ask the user to go through another enrollment process and link
the new "identity" to the existing VO identity and resume access to the
SPs. The SPs are insulated from any change.

We will plan to notify the IdP operator of the issue, but often the IdPs
that present this issue also have incorrect contact information in
metadata and/or do not respond on a timescale useful to the VO, so it is
better from the VO perspective to just use the normal vetting process to
process the "new" enrollment and get the user back to accessing the SPs.

Thanks,

Scott K
