Hello @Mobarak Hosen.Shakil!
Thanks for getting back to me. Can you explain the threat model here? What is the threat this is protecting against? If the secret is the thing that is not guessable, what additional protection comes with the attacker not knowing the entity ID?
Are there any documents you can point me to? Is this something only Gluu does or is it a defacto standard? I think Keycloak for example lets you choose the entity ID. Is this a risky practice and if so, why?
If the there is no imminent risk by being able to choose the entity ID this would help us greatly in preconfiguring systems before they get onboarded to Gluu.