It's fine as long as the identity URL refers to the OP during discovery.
The OP is not supposed to have any control over the user's identity. It only confirms the relationship between the user in front of the computer and the identity URL, to the best of its knowledge.
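An added example (not part of the original comment) of the relying-party check this implies: run HTML-based discovery on the document served at the identity URL and accept an assertion only from an OP endpoint that the document itself names. The function names, the sample page and the example hosts are constructed for illustration; fetching the page over HTTPS and XRDS/Yadis discovery are left out.

```python
from html.parser import HTMLParser

# rel values used by OpenID HTML-based discovery (2.0 and 1.x)
PROVIDER_RELS = ("openid2.provider", "openid.server")


class _LinkCollector(HTMLParser):
    """Collects (rel token, href) pairs from <link> elements inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.in_head = False  # never trust links in user-editable body
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            href = (a.get("href") or "").strip()
            for rel in (a.get("rel") or "").lower().split():
                if href:
                    self.links.append((rel, href))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discovered_op_endpoints(identity_html):
    """Return the set of OP endpoints the identity document points at."""
    parser = _LinkCollector()
    parser.feed(identity_html)
    return {href for rel, href in parser.links if rel in PROVIDER_RELS}


def op_is_authorized(identity_html, asserting_op_endpoint):
    """True only if the identity URL's own document names this OP.

    Assumption: endpoints are compared as exact strings.
    """
    return asserting_op_endpoint in discovered_op_endpoints(identity_html)


# Constructed sample: the document served at the user's identity URL.
SAMPLE_IDENTITY_PAGE = """<html><head><title>alice</title>
<link rel="openid2.provider openid.server" href="https://op.example/endpoint">
</head><body>
<link rel="openid2.provider" href="https://other.example/endpoint">
</body></html>"""
```

The user stays in control because the mapping lives in the document at the identity URL: pointing the `<link>` at a different OP changes who may vouch for that URL, and an OP the document does not name is rejected.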