Subject: Re: [security-services] SAML deployments that use consent step?
> Josh, can you expand on just what your IDPs are NOT asking consent
> for? ie what operations/data flows.
> Paul

We only have partial visibility of our customers' interactions, as we rely on them to volunteer this information to us. You can view the attribute requirements of the RPs that /do/ choose to volunteer this information here:

http://www.ukfederation.org.uk/content/Documents/AttributeUsage

I don't wish to bore the list with the details of the EU data protection regime; suffice to say, we believe that consent is only infrequently a practical or efficient instrument for protecting user privacy. Indeed, it is often too easy for IdPs to misuse consent to the detriment of their users' privacy.

While we're on the subject, I've always been a bit puzzled about the use-cases for the consent identifiers; in particular, why an RP might care whether consent has been given or not.

josh.