If we can't guarantee that the username is unique for a given IdP, that means the audit trail and non-repudiation are likely broken as well. Though on the SP side, an IdP is effectively mapped into a domain, as the domain owns the user group.
A good side effect of the above change is that it would give us the ability to set up a single mapping for multiple domains. :)