Hi,
Today I finished an OIDC/SAML broker based on Satosa that I needed to patch for
[1] but also for not hashing the OIDC sub. It turned out the OIDC RP expected
the sub to map to pre-provisioned users, known by their SAML ePPN.
I even suspect it expected [2] but in absence of a configured claim in id_token
resorted to using the available sub.
The (hardcoded) fix is easy: just configure sub public and return value in
internal_data.py UserIdHasher::hash_data. Would there be any interest in a PR
to make this an option in oidc frontend conf?
Then, I have two outstanding questions for IdPy. One is a formal answer to the
problem outlined in [1] and the second is [2]. We would really appreciate an
answer to both questions.
[1] https://lists.sunet.se/pipermail/idpy-discuss/2019-January/000339.html
[2] https://lists.sunet.se/pipermail/idpy-discuss/2018-December/000329.html
Best regards,
Martin
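Added example, not part of the message above and not SATOSA's own code: a small Python model of what a per-client "public vs. pairwise sub" option in an OIDC frontend could look like, and of the mismatch the message describes (an RP that pre-provisions accounts by SAML ePPN cannot match a hashed, pairwise sub). The function names, the CLIENT_CONFIG layout, the salt and the provisioned-user table are all constructed for this example; they are not SATOSA's identifiers or configuration keys.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed salt for the example; a real deployment keeps this secret and
# stable, since changing it changes every pairwise sub already issued.
SALT = b"constructed-example-salt-do-not-reuse"

# Constructed per-client configuration (assumed layout, not SATOSA's):
# default is "pairwise"; an RP that matches users on ePPN gets "public".
CLIENT_CONFIG: Dict[str, Dict[str, str]] = {
    "rp-a": {"subject_type": "public"},
    "rp-b": {"subject_type": "pairwise"},
}


def derive_sub(user_id: str, requester: str, subject_type: str,
               salt: bytes = SALT) -> str:
    """Return the OIDC 'sub' for user_id as seen by requester.

    public   -> the backend identifier itself (here the SAML ePPN), so the
                RP can map it to pre-provisioned accounts.
    pairwise -> keyed hash over (requester, user_id): stable for one RP,
                unlinkable across RPs without the salt.
    """
    if subject_type == "public":
        return user_id
    if subject_type == "pairwise":
        msg = requester.encode() + b"\x00" + user_id.encode()
        return hmac.new(salt, msg, hashlib.sha256).hexdigest()
    raise ValueError(f"unknown subject_type: {subject_type!r}")


def sub_for_client(user_id: str, requester: str,
                   config: Dict[str, Dict[str, str]]) -> str:
    """Look up the client's configured subject_type; default to pairwise."""
    subject_type = config.get(requester, {}).get("subject_type", "pairwise")
    return derive_sub(user_id, requester, subject_type)


def resolve_account(sub: str, provisioned: Dict[str, str]) -> Optional[str]:
    """Model of the RP side: map an incoming sub onto a pre-provisioned
    account table keyed by ePPN. Returns None when nothing matches, which is
    exactly what happens when the RP receives a hashed sub."""
    return provisioned.get(sub)


if __name__ == "__main__":
    # Constructed RP account table keyed by ePPN.
    provisioned = {"alice@example.edu": "alice"}
    eppn = "alice@example.edu"
    for rp in ("rp-a", "rp-b"):
        sub = sub_for_client(eppn, rp, CLIENT_CONFIG)
        print(rp, sub, "->", resolve_account(sub, provisioned))
```

For rp-a (public) the sub equals the ePPN and the account resolves; for rp-b (pairwise) the sub is an opaque hash and resolution fails, which is the behaviour the message attributes to the RP falling back on sub in the absence of a configured claim.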