Problem with EPTID

Is there a problem when an Identity Provider only releases EPTID (instead of EPPN)?

Yes, in case of trust delegation:





In the red scenario, the user uses the web application without any delegation whatsoever, authenticating against the IdP, which releases an EPTID 'efgh456', so he becomes known to SP A by that id.

In the green scenario, the user accesses the resource directly. Again he uses the IdP for authentication but this time becomes known to service provider B by id 'ijkl789' since the IdP releases a different EPTID for each SP.

In the blue scenario, the user uses the web application in SP A and wishes to use a resource from SP B through delegation. The application redirects him to the Authentication Server (AS) in SP C, which contacts the user's IdP. The IdP releases an EPTID 'abcd123', which then gets associated with the newly created token in the AS.

The token is retrieved by the web application, then passed to the resource provider. The resource provider checks the token with the AS and learns that the associated identity is 'abcd123'. However, since the access rights on the user's resources are associated with e.g. identity 'ijkl789' (by which the user was known when he uploaded the resource, for example), they do not become available to the web application, as there is no way to map the available identity to this specific user.
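
The green and blue scenarios above can be replayed in a few lines of Python. This is an added example, not code from the original page. The entity IDs, the user and file names, and the HMAC-based derivation of the per-SP identifier are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

IDP_SALT = b"constructed-demo-salt"   # constructed value
SP_B = "https://sp-b.example.org"     # resource provider (hypothetical entity ID)
SP_C = "https://sp-c.example.org"     # hosts the AS (hypothetical entity ID)


def eptid(user, sp):
    """Targeted id: opaque, different for every SP (HMAC derivation is assumed)."""
    return hmac.new(IDP_SALT, f"{user}!{sp}".encode(), hashlib.sha256).hexdigest()[:12]


def eppn(user, sp):
    """Principal name: the same value whichever SP asks."""
    return f"{user}@idp.example.org"


class AuthServer:
    """AS in SP C: binds the id released to SP C to a new token (blue scenario)."""
    def __init__(self, release):
        self.release, self.tokens = release, {}

    def issue_token(self, user):
        token = secrets.token_hex(8)
        self.tokens[token] = self.release(user, SP_C)
        return token

    def introspect(self, token):
        return self.tokens.get(token)


class ResourceProvider:
    """SP B: records the owner under the id seen at direct login (green scenario)."""
    def __init__(self, release):
        self.release, self.owners = release, {}

    def upload(self, user, name):
        self.owners[name] = self.release(user, SP_B)

    def fetch(self, name, token, auth_server):
        identity = auth_server.introspect(token)
        return identity is not None and self.owners.get(name) == identity


def delegated_access_works(release, user="alice"):
    auth_server, rp = AuthServer(release), ResourceProvider(release)
    rp.upload(user, "report.pdf")            # user uploads directly at SP B
    token = auth_server.issue_token(user)    # web app in SP A obtains a token
    return rp.fetch("report.pdf", token, auth_server)
```

With `eptid` as the release function the owner check at SP B fails, because the id bound to the token was issued for SP C. With `eppn` both SPs see the same value and the lookup succeeds.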