Issue: MyProxy-first or IdP-first?

As depicted in the diagram below, a particular Shibboleth IdP deployment controls both ends of the name mapping process:

In the MyProxy-first Non-Browser Profile, MyProxy produces the NameIdentifier independently of the IdP. Consequently we must assume (1) the IdP can reverse the mapping of LocalPrincipal to NameIdentifier, and (2) the principal name so obtained is the same principal name known to MyProxy. The IdP-first Non-Browser Profile guarantees both of these assumptions are true.
