security-services message
Subject: RE: [security-services] SAML deployments that use consent step?


RL 'Bob' Morgan wrote on 2009-11-09:
> Since I'm pretty sure you agree with this, Scott, you must be talking
> about some other aspect of IdPs and consent.

I'm just saying that I think it's up to the IdP to obtain and manage that
consent.

I know we've talked about cases where farming it out to the SP makes sense,
but I don't really like the idea of getting users used to that model. And of
course it requires signed requests if you're going to audit based on a
consent bit in the request.

And it wasn't really, to my mind, what the attribute was thought to be for
when it was conceived. Recall that it came from Liberty, and that attribute
sharing in Liberty was a separate notion, not necessarily integrated with
SSO. So the consent in a request was usually thought to be about federating,
not consent to the release of other data in the response.

The act of federation to my mind is entirely about the release of a piece of
data; it's rarely the only or the most critical piece of data involved, and
it occurs every time, not just at some imagined point of "identifier
creation". In other words, I'm probably injecting my dislike of AllowCreate
into a discussion of an only partly-related feature.

> I have heard these arguments but don't understand them, nor,
> apparently, do other European HE federations agree.  Assuming that IdPs
> are inherently hostile to user privacy seems an odd starting point.  But
> we digress, I suppose.

I guess the idea is that if you get people used to giving consent, it
becomes easy to punt on restraining what SPs will ask for and just make it
the user's problem.

-- Scott
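As an added illustration (not part of this thread and not code from any SAML implementation), the following Python reads a SAML 2.0 AuthnRequest and applies the rule Scott states above: a Consent attribute asserted by the SP is only an auditable record when the request is signed; otherwise the IdP must obtain consent itself. It also surfaces the NameIDPolicy AllowCreate flag he mentions. The sample requests and the issuer URL are constructed, and the signature check is a presence check only, since verifying an XML-DSig requires an xmlsec-style library and the SP's signing key.

```python
# Added example: inspect how a SAML 2.0 AuthnRequest signals consent and
# whether the IdP can rely on that signal for audit purposes.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
CONSENT_PREFIX = "urn:oasis:names:tc:SAML:2.0:consent:"
# Consent URIs (SAML 2.0 Core, section 8.4) by which an SP claims it already
# holds the user's consent; "unspecified", "unavailable" and "inapplicable"
# make no such claim.
SP_ASSERTED_CONSENT = {
    CONSENT_PREFIX + s
    for s in ("obtained", "prior", "current-implicit", "current-explicit")
}

# Constructed sample: an unsigned request in which the SP asserts consent and
# asks the IdP to create a persistent identifier if none exists.
UNSIGNED_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req-constructed-1" Version="2.0" IssueInstant="2009-11-09T12:00:00Z"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:obtained">
  <saml:Issuer>https://sp.example.org/saml</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      AllowCreate="true"/>
</samlp:AuthnRequest>"""

# Constructed sample: the same request carrying a ds:Signature element. The
# signature content is a placeholder; only its presence is inspected here.
SIGNED_REQUEST = UNSIGNED_REQUEST.replace(
    "</saml:Issuer>",
    "</saml:Issuer>\n  <ds:Signature xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">"
    "<ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>",
)


def inspect_authn_request(xml_text: str) -> dict:
    """Return the consent-relevant facts of an AuthnRequest and the resulting
    IdP decision: trust the SP's consent bit, or obtain consent itself."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")

    consent = root.get("Consent", CONSENT_PREFIX + "unspecified")
    sp_claims_consent = consent in SP_ASSERTED_CONSENT

    policy = root.find("samlp:NameIDPolicy", NS)
    allow_create = (
        policy is not None and policy.get("AllowCreate", "false").lower() == "true"
    )

    # Presence check only. A real IdP must verify the signature against the
    # SP's registered key before treating the request's attributes as the
    # SP's word; an unsigned request could have been altered in transit.
    signed = root.find("ds:Signature", NS) is not None

    auditable = sp_claims_consent and signed
    return {
        "issuer": (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip(),
        "consent": consent,
        "sp_claims_consent": sp_claims_consent,
        "allow_create": allow_create,
        "signed": signed,
        # The rule from the thread: an SP-asserted consent bit is only an
        # auditable record if the request is signed.
        "auditable_sp_consent": auditable,
        "idp_must_obtain_consent": not auditable,
    }


def classify_samples() -> dict:
    """Run the check over both constructed requests."""
    return {
        "unsigned": inspect_authn_request(UNSIGNED_REQUEST),
        "signed": inspect_authn_request(SIGNED_REQUEST),
    }


if __name__ == "__main__":
    for name, facts in classify_samples().items():
        print(name, facts)
```

The decision the IdP reaches for the unsigned sample is "obtain consent yourself", even though the SP claims it was obtained, because nothing ties that claim to the SP; the signed sample is the only one where the request itself could later serve as the audit record.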