security-services message
Subject: RE: [security-services] SAML deployments that use consent step?


The consent flag came about when some members of the Public Policy EG within
Liberty thought that it was useful to have a positive indicator from the 
RP that it had, in fact, gathered consent from the user before attempting the
federation.  I argued against that, saying that the existence of the request
was good enough proof that the RP believed it was acting under user consent.
This was another one that I lost (amongst many).

The basic model around an RP obtaining consent from the user is where the
IdP has a relationship with the RP such that it trusts the RP to obtain 
consent from the user for a federation and/or SSO event before submitting
the request.  In such cases, allowing the RP to indicate that they have
obtained consent can relieve the IdP from having to perform its own check
with the user for consent to establish a new relationship with the RP.

This level of relationship is usually based upon legally binding agreements
that govern the behavior of the RP and, to some extent, treat the RP as an
extension of the IdP for the purpose of obtaining consent.

In other cases, where you don't have that level of trust of the RP, the 
IdP will perform its own consent checks with the user (or will operate under
some other out-of-band mechanism re: consent -- this is typically what is
understood in the business-to-employee environment, where the employee is 
assumed to have already given consent to the employer to federate the user's
identity amongst the systems running the organization, and individual 
consents from the user aren't necessary).

Conor
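The IdP-side policy Conor sketches above (rely on the RP's positive consent indicator only when a legal agreement makes the RP an extension of the IdP for that purpose; otherwise run your own consent check; treat business-to-employee deployments as consented out of band) can be written down as a small decision function. The following is an added example by the editor, not code from the thread, the OASIS SSTC, or any particular IdP product. The Consent URIs are the ones SAML 2.0 Core defines in section 8.4 and the "absent means unspecified" rule is from Core 3.2.1; the SP entityIDs, the policy table and the sample AuthnRequest are constructed for illustration. It assumes the request's XML signature has already been verified against the issuer's registered key, since without that the Consent attribute is just an unauthenticated claim by whoever sent the request.

```python
"""IdP consent decision driven by the SAML 2.0 Consent attribute.

Added example (editor's illustration, not the thread's or any product's code).
Precondition not shown here: the AuthnRequest signature has been verified
against the registered key of its Issuer before this policy is consulted.
"""
from xml.etree import ElementTree as ET  # use defusedxml for untrusted input in production

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Consent identifiers defined in SAML 2.0 Core, section 8.4.
CONSENT_NS = "urn:oasis:names:tc:SAML:2.0:consent:"
CONSENT_UNSPECIFIED = CONSENT_NS + "unspecified"
CONSENT_OBTAINED = CONSENT_NS + "obtained"
CONSENT_PRIOR = CONSENT_NS + "prior"
CONSENT_CURRENT_IMPLICIT = CONSENT_NS + "current-implicit"
CONSENT_CURRENT_EXPLICIT = CONSENT_NS + "current-explicit"
CONSENT_UNAVAILABLE = CONSENT_NS + "unavailable"
CONSENT_INAPPLICABLE = CONSENT_NS + "inapplicable"

# The values under which the requester claims to hold the user's consent.
POSITIVE_CONSENT = frozenset({CONSENT_OBTAINED, CONSENT_PRIOR,
                              CONSENT_CURRENT_IMPLICIT, CONSENT_CURRENT_EXPLICIT})

# Constructed relying-party policy table with hypothetical entityIDs:
#   "contractual": RP bound by agreement to collect consent on the IdP's behalf
#   "enterprise":  business-to-employee deployment, consent handled out of band
#   "none":        known RP that is not trusted to collect consent for the IdP
SP_POLICY = {
    "https://partner.example.com/sp": "contractual",
    "https://hr.corp.example/sp": "enterprise",
    "https://random.example.net/sp": "none",
}


def build_authn_request(issuer, consent=None, request_id="_constructed-1"):
    """Build a constructed sample AuthnRequest; Consent is an optional attribute."""
    consent_attr = f' Consent="{consent}"' if consent else ""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2009-11-09T22:00:00Z" '
        f'Destination="https://idp.example.org/SSO"{consent_attr}>'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"</samlp:AuthnRequest>"
    )


def parse_authn_request(xml_text):
    """Return (issuer entityID, consent URI) from an AuthnRequest document."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find(f"{{{SAML}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest without Issuer")
    # Core 3.2.1: if no Consent value is provided, "unspecified" is in effect.
    return issuer.text.strip(), root.get("Consent", CONSENT_UNSPECIFIED)


def consent_decision(xml_text, policy=SP_POLICY, federation_exists=False):
    """Decide what the IdP does about consent for one request.

    Returns "skip" (no consent UI needed), "prompt" (IdP asks the user itself)
    or "reject" (issuer unknown to the IdP, so no relationship at all).
    """
    issuer, consent = parse_authn_request(xml_text)
    trust = policy.get(issuer)
    if trust is None:
        return "reject"
    if federation_exists:
        # Consent is about establishing a new RP relationship; an existing
        # federation was consented to when it was created.
        return "skip"
    if trust == "enterprise":
        return "skip"  # employee consent to the employer is assumed out of band
    if trust == "contractual" and consent in POSITIVE_CONSENT:
        return "skip"  # the RP's positive indicator is relied upon under the agreement
    # Low-trust RP, or a trusted RP that did not assert consent: the IdP
    # performs its own consent check with the user.
    return "prompt"


if __name__ == "__main__":
    for sp, consent in [("https://partner.example.com/sp", CONSENT_OBTAINED),
                        ("https://partner.example.com/sp", None),
                        ("https://random.example.net/sp", CONSENT_OBTAINED),
                        ("https://hr.corp.example/sp", None)]:
        print(sp, consent or "(absent)", "->",
              consent_decision(build_authn_request(sp, consent)))
```

The point the table makes explicit is that the same `Consent="...obtained"` value leads to different outcomes depending on who sent it: from the contractually bound RP it suppresses the IdP's consent step, from a merely known RP it is ignored and the IdP prompts anyway, and the signature check that must precede this function is what keeps an RP from claiming another RP's trust level.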

-----Original Message-----
From: Josh Howlett [mailto:josh.howlett@gmail.com] 
Sent: Monday, November 09, 2009 5:00 PM
To: Scott Cantor
Cc: Josh Howlett; 'Paul Madsen'; 'oasis sstc'
Subject: Re: [security-services] SAML deployments that use consent step?

On 9 Nov 2009, at 21:41, Scott Cantor wrote:
> Josh Howlett wrote on 2009-11-09:
>> While we're on the subject, I've always been a bit puzzled about the
>> use-cases for the consent identifiers; in particular, why an RP might
>> care whether consent has been given or not.
>
> They're for auditing, essentially. You get a signed document indicating
> something about consent so you can point the finger later.

Ok. In the EU consent is irrelevant as far as an RP is concerned, as  
the IdP is liable by default when TSHTF. I can't think of a scenario  
where an RP would need to retrospectively demonstrate consent.

> The more bizarre use case to me was always why an IdP would care about
> consent

You'll need to expand on that for me. When does an IdP receive a  
consent identifier?

josh.
