...
The most difficult mapping is ePTID. The goal is to assert a value of ePTID that persists with or without the gateway in the middle. Recall that ePTID is a triple: (IdP entityID, SP entityID, persistent opaque blob). All three components must stay the same regardless of whether or not the gateway is functioning as an intermediary; in particular, the first component must name the IdP the user actually authenticated at, not the gateway that happens to be issuing the assertion. For the Google OpenID Gateway, we can do this as follows.
Let's assume that the entityID of the Google IdP is https://www.google.com/accounts/o8/id and the entityID of the end SP is https://fm.incommon.org/sp. (The latter is in fact the entityID of the Federation Manager.) Then the ePTID computed and asserted by the gateway is given by the triple:

IdP entityID: https://www.google.com/accounts/o8/id
SP entityID: https://fm.incommon.org/sp
User ID: persistent_opaque_value

This remains true even if the Google OpenID Gateway goes away.
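The following is an added illustration of the requirement above, not code from the gateway or from InCommon. It builds the ePTID triple as the SAML 2.0 persistent NameID the SP would receive, and contrasts a gateway that correctly names the Google IdP as NameQualifier with a naive gateway that puts its own entityID there (which would make the triple change the moment the gateway is removed). The gateway entityID https://gateway.example.org/idp, the HMAC-based derivation of the opaque value, and the secret are assumptions for the example; the page does not say how the real gateway derives the opaque blob.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# Values taken from the text above.
GOOGLE_IDP_ENTITY_ID = "https://www.google.com/accounts/o8/id"
FEDERATION_MANAGER_SP = "https://fm.incommon.org/sp"
# ASSUMPTION: a hypothetical entityID for the gateway itself (not on the page).
GATEWAY_ENTITY_ID = "https://gateway.example.org/idp"
# ASSUMPTION: a constructed per-deployment secret for the opaque value.
GATEWAY_SECRET = b"constructed-example-secret"

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def persistent_opaque_value(idp_entity_id, sp_entity_id, user_identifier, secret):
    """ASSUMPTION: derive the opaque third component as a keyed hash over the
    other two components plus a stable per-user identifier. Because only the
    IdP entityID, SP entityID and user identifier go in, the result is the
    same whether or not a gateway sits in the middle."""
    msg = "!".join([idp_entity_id, sp_entity_id, user_identifier]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def direct_eptid(sp_entity_id, user_identifier):
    """The triple the SP would receive from the Google IdP with no gateway."""
    value = persistent_opaque_value(GOOGLE_IDP_ENTITY_ID, sp_entity_id,
                                    user_identifier, GATEWAY_SECRET)
    return (GOOGLE_IDP_ENTITY_ID, sp_entity_id, value)


def gateway_eptid(sp_entity_id, user_identifier):
    """Correct gateway behaviour: the first component names the Google IdP,
    the real authentication authority, not the gateway."""
    return direct_eptid(sp_entity_id, user_identifier)


def naive_gateway_eptid(sp_entity_id, user_identifier):
    """Failure mode: a gateway that (as any ordinary SAML issuer would) puts
    its own entityID into the first component. The triple now depends on
    the gateway and breaks when the gateway goes away."""
    value = persistent_opaque_value(GATEWAY_ENTITY_ID, sp_entity_id,
                                    user_identifier, GATEWAY_SECRET)
    return (GATEWAY_ENTITY_ID, sp_entity_id, value)


def eptid_to_nameid_xml(triple):
    """Serialize the triple as the SAML 2.0 persistent NameID element an SP
    consumes: NameQualifier = IdP entityID, SPNameQualifier = SP entityID,
    element text = opaque value."""
    idp, sp, value = triple
    return (f'<saml2:NameID xmlns:saml2="{SAML2_NS}" '
            f'Format="{PERSISTENT_FORMAT}" '
            f'NameQualifier={quoteattr(idp)} '
            f'SPNameQualifier={quoteattr(sp)}>'
            f'{escape(value)}</saml2:NameID>')


def nameid_xml_to_eptid(xml_text):
    """Parse a persistent NameID back into the triple, rejecting any other
    Format so a non-persistent NameID is not mistaken for an ePTID."""
    el = ET.fromstring(xml_text)
    if el.tag != f"{{{SAML2_NS}}}NameID":
        raise ValueError("not a saml2:NameID element")
    if el.get("Format") != PERSISTENT_FORMAT:
        raise ValueError("NameID is not in the persistent format")
    return (el.get("NameQualifier"), el.get("SPNameQualifier"), (el.text or "").strip())


def survives_gateway_removal(gateway_triple, sp_entity_id, user_identifier):
    """The check the text asks for: the triple asserted through the gateway
    must equal the triple the SP would see with the gateway gone."""
    return gateway_triple == direct_eptid(sp_entity_id, user_identifier)


if __name__ == "__main__":
    # ASSUMPTION: constructed stable user identifier for the example.
    user = "constructed-google-user-identifier"
    good = gateway_eptid(FEDERATION_MANAGER_SP, user)
    bad = naive_gateway_eptid(FEDERATION_MANAGER_SP, user)
    print(eptid_to_nameid_xml(good))
    print("correct gateway survives removal:", survives_gateway_removal(good, FEDERATION_MANAGER_SP, user))
    print("naive gateway survives removal:  ", survives_gateway_removal(bad, FEDERATION_MANAGER_SP, user))
```

Note that the opaque value is computed per SP: the same user at a different SP yields a different third component, which is the point of a targeted identifier.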