The most difficult mapping is ePTID. The goal is to assert an ePTID value that persists with or without the gateway in the middle.

Recall that ePTID is a triple: (IdP entityID, SP entityID, persistent opaque blob)

All three components must persist regardless of whether or not the gateway is functioning as an intermediary. For the Google OpenID Gateway, we can do this as follows.

Let’s assume that the entityID of the Google IdP is:

https://www.google.com/accounts/o8/id

and the entityID of the end SP is:

https://fm.incommon.org/sp

(The latter is in fact the entityID of the Federation Manager.) Then the ePTID computed and asserted by the gateway is given by the triple:

IdP entityID: https://www.google.com/accounts/o8/id
SP entityID: https://fm.incommon.org/sp
User ID: persistent_opaque_value

This remains true even if the Google OpenID Gateway goes away.
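As an added example (not code from this page or from the gateway itself), the following shows how that triple is carried in a SAML 2.0 persistent NameID and how a relying party can check that a gateway-asserted ePTID is the same identity as one asserted directly. The gateway entityID and the opaque user value are assumed placeholders, not values from the page.

```python
# Added example: serialize an ePTID as a persistent SAML 2.0 NameID and
# extract the (IdP entityID, SP entityID, opaque value) triple that identifies
# the user, so two assertions can be compared on all three parts.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ET.register_namespace("saml", SAML_NS)

# entityIDs from the page; the gateway entityID is an assumed placeholder.
GOOGLE_IDP = "https://www.google.com/accounts/o8/id"
END_SP = "https://fm.incommon.org/sp"
GATEWAY_ENTITY_ID = "https://gateway.example.org/idp"  # assumed, not on the page


def build_eptid_nameid(idp_entity_id, sp_entity_id, opaque_value):
    """Serialize an ePTID triple as a persistent NameID element."""
    el = ET.Element(f"{{{SAML_NS}}}NameID", {
        "Format": PERSISTENT,
        "NameQualifier": idp_entity_id,      # the IdP that owns the identifier
        "SPNameQualifier": sp_entity_id,     # the SP the identifier is scoped to
    })
    el.text = opaque_value
    return ET.tostring(el, encoding="unicode")


def eptid_triple(nameid_xml):
    """Parse a NameID back into the triple; reject non-persistent formats."""
    el = ET.fromstring(nameid_xml)
    if el.tag != f"{{{SAML_NS}}}NameID" or el.get("Format") != PERSISTENT:
        raise ValueError("ePTID must be a persistent-format saml:NameID")
    return (el.get("NameQualifier"), el.get("SPNameQualifier"),
            (el.text or "").strip())


def same_identity(nameid_a, nameid_b):
    """Two ePTIDs denote the same user only if all three parts match."""
    return eptid_triple(nameid_a) == eptid_triple(nameid_b)


if __name__ == "__main__":
    # "persistent_opaque_value" is the placeholder used on the page.
    direct = build_eptid_nameid(GOOGLE_IDP, END_SP, "persistent_opaque_value")
    # A correct gateway asserts the Google IdP and end SP, not itself.
    via_gateway = build_eptid_nameid(GOOGLE_IDP, END_SP, "persistent_opaque_value")
    # A naive gateway that names itself as IdP breaks persistence.
    naive_gateway = build_eptid_nameid(GATEWAY_ENTITY_ID, END_SP, "persistent_opaque_value")
    print("gateway matches direct:", same_identity(direct, via_gateway))    # True
    print("naive gateway matches:", same_identity(direct, naive_gateway))   # False
```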