Subject: RE: [security-services] SAML deployments that use consent step?
The consent flag came about when some members of the Public Policy EG within Liberty thought that it was useful to have a positive indicator from the RP that it had, in fact, gathered consent from the user before attempting the federation. I argued against that, saying that the existence of the request was good enough proof that the RP believed it was acting under user consent. This was another one that I lost (amongst many).

The basic model around an RP obtaining consent from the user is where the IdP has a relationship with the RP such that it trusts the RP to obtain consent from the user for a federation and/or SSO event before submitting the request. In such cases, allowing the RP to indicate that they have obtained consent can relieve the IdP from having to perform its own check with the user for consent to establish a new relationship with the RP. This level of relationship is usually based upon legally binding agreements that govern the behavior of the RP and, to some extent, treat the RP as an extension of the IdP for the purpose of obtaining consent.

In other cases, where you don't have that level of trust of the RP, the IdP will perform its own consent checks with the user (or will operate under some other out-of-band mechanism re: consent -- this is typically what is understood in the business-to-employee environment, where the employee is assumed to have already given consent to the employer to federate the user's identity amongst the systems running the organization, and individual consents from the user aren't necessary).

Conor

-----Original Message-----
From: Josh Howlett [mailto:firstname.lastname@example.org]
Sent: Monday, November 09, 2009 5:00 PM
To: Scott Cantor
Cc: Josh Howlett; 'Paul Madsen'; 'oasis sstc'
Subject: Re: [security-services] SAML deployments that use consent step?
On 9 Nov 2009, at 21:41, Scott Cantor wrote:

> Josh Howlett wrote on 2009-11-09:
>> While we're on the subject, I've always been a bit puzzled about the
>> use-cases for the consent identifiers; in particular, why an RP might
>> care whether consent has been given or not.
>
> They're for auditing, essentially. You get a signed document indicating
> something about consent so you can point the finger later.

Ok. In the EU consent is irrelevant as far as an RP is concerned, as the IdP is liable by default when TSHTF. I can't think of a scenario where an RP would need to retrospectively demonstrate consent.

> The more bizarre use case to me was always why an IdP would care about
> consent

You'll need to expand on that for me. When does an IdP receive a consent identifier?

josh.
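Conor's model above (the IdP decides whether to run its own consent dialogue from its relationship with the RP plus the Consent attribute on the request) as an added Python example; this is not code from the thread or from any SAML implementation. The entity IDs, the policy table and the AuthnRequest are constructed, and the consent URIs are the identifiers defined in SAML 2.0 Core section 8.4.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Consent identifiers from SAML 2.0 Core, section 8.4.
CONSENT_PREFIX = "urn:oasis:names:tc:SAML:2.0:consent:"
CONSENT_UNSPECIFIED = CONSENT_PREFIX + "unspecified"
# Values the IdP treats as the RP positively stating it gathered consent.
RP_CLAIMS_CONSENT = {CONSENT_PREFIX + s for s in
                     ("obtained", "prior", "current-explicit", "current-implicit")}

# Constructed IdP policy table (hypothetical entity IDs): RPs bound by agreements
# that let them act as an extension of the IdP for consent, and B2E systems.
RP_POLICY = {
    "https://partner.example/sp": "trusted-for-consent",
    "https://hr.corp.example/sp": "b2e",   # employer systems, consent out of band
}

# Constructed AuthnRequest; Consent is an optional attribute of the request.
REQUEST_TEMPLATE = (
    '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_req1" Version="2.0" '
    'IssueInstant="2009-11-09T21:41:00Z"%s>'
    '<saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>'
)

def build_request(issuer, consent=None):
    attr = ' Consent="%s"' % consent if consent else ""
    return REQUEST_TEMPLATE % (SAMLP, SAML, attr, issuer)

def parse_request(xml_text):
    """Return (issuer, consent); assumes the request signature was already verified."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.findtext("{%s}Issuer" % SAML)
    return issuer, root.get("Consent", CONSENT_UNSPECIFIED)

def idp_needs_consent_prompt(xml_text):
    """True when the IdP must run its own consent dialogue before federating."""
    issuer, consent = parse_request(xml_text)
    policy = RP_POLICY.get(issuer, "untrusted")
    if policy == "b2e":
        return False   # consent assumed given to the employer out of band
    if policy == "trusted-for-consent" and consent in RP_CLAIMS_CONSENT:
        return False   # rely on the RP; the signed request is the audit record
    return True        # untrusted RP, or a trusted RP that did not claim consent
```

Only a signed request is worth keeping as the audit record Scott describes, so the signature check belongs before this policy decision, not after it.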