Subject: RE: [security-services] SAML deployments that use consent step?
RL 'Bob' Morgan wrote on 2009-11-09:
> Since I'm pretty sure you agree with this, Scott, you must be talking
> about some other aspect of IdPs and consent.

I'm just saying that I think it's up to the IdP to obtain and manage that consent. I know we've talked about cases where farming it out to the SP makes sense, but I don't really like the idea of getting users used to that model. And of course it requires signed requests if you're going to audit based on a consent bit in the request.

And it wasn't really, to my mind, what the attribute was thought to be for when it was conceived. Recall that it came from Liberty, and that attribute sharing in Liberty was a separate notion, not necessarily integrated with SSO. So the consent in a request was usually thought to be about federating, not consent to the release of other data in the response.

The act of federation to my mind is entirely about the release of a piece of data, it's rarely the only or the most critical piece of data involved, and it occurs every time, not just at some imagined point of "identifier creation". In other words, I'm probably injecting my dislike of AllowCreate into a discussion of an only partly-related feature.

> I have heard these arguments but don't understand them, nor,
> apparently, do other European HE federations agree. Assuming that IdPs
> are inherently hostile to user privacy seems an odd starting point. But
> we digress, I suppose.

I guess the idea is that if you get people used to giving consent, it becomes easy to punt on restraining what SPs will ask for and just make it the user's problem.

-- Scott
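[Editor's note: the following is an added illustration, not part of the thread and not code from any SAML implementation discussed in it. It shows the two request features the message refers to, the SAML 2.0 `Consent` attribute on an AuthnRequest and `NameIDPolicy/@AllowCreate`, and the gate Scott describes: an IdP should only audit on the SP's consent claim when the request was signed. Signature verification itself (XML-DSig on the POST binding, or the query-string signature on the HTTP-Redirect binding) is assumed to be done by the binding layer and is passed in as the `signature_verified` flag; the sample request, the issuer `https://sp.example.org/shibboleth` and the request ID are constructed for the example.]

```python
"""Added example: reading Consent and AllowCreate from a SAML 2.0 AuthnRequest
and deciding whether the IdP may rely on the SP's consent claim.

Not from the mailing-list thread or from any SAML product; the sample request
is constructed. Signature verification is assumed to happen in the binding
layer, so it arrives here as a boolean.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
CONSENT_PREFIX = "urn:oasis:names:tc:SAML:2.0:consent:"
CONSENT_UNSPECIFIED = CONSENT_PREFIX + "unspecified"
# Consent identifiers with which an SP asserts that it already has the
# principal's consent (SAML 2.0 core, consent identifiers).
SP_ASSERTED_CONSENT = {
    CONSENT_PREFIX + "obtained",
    CONSENT_PREFIX + "prior",
    CONSENT_PREFIX + "current-explicit",
    CONSENT_PREFIX + "current-implicit",
}

# Constructed sample request (hypothetical issuer and ID, not captured traffic).
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_hypothetical-id-1" Version="2.0" IssueInstant="2009-11-09T12:00:00Z"
    Consent="{CONSENT_PREFIX}obtained">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      AllowCreate="true"/>
</samlp:AuthnRequest>"""


def parse_request(xml_text):
    """Return (issuer, consent_uri, allow_create) from an AuthnRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    # Consent is optional on RequestAbstractType; absence means unspecified.
    consent = root.get("Consent", CONSENT_UNSPECIFIED)
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    # AllowCreate is an xs:boolean that defaults to false when absent.
    allow_create = policy is not None and policy.get("AllowCreate", "false") in ("true", "1")
    return issuer, consent, allow_create


def consent_decision(xml_text, signature_verified):
    """Decide whether the SP's consent claim may be used for audit.

    Returns the parsed fields plus 'sp_consent_auditable' and who must
    obtain consent ('sp' only when the claim is signed, otherwise 'idp').
    """
    issuer, consent, allow_create = parse_request(xml_text)
    sp_claims_consent = consent in SP_ASSERTED_CONSENT
    # Anyone who can steer the user's browser to the IdP can send an unsigned
    # request with any Consent value, so an unsigned claim carries no weight.
    auditable = sp_claims_consent and signature_verified
    return {
        "issuer": issuer,
        "consent": consent,
        "allow_create": allow_create,
        "sp_consent_auditable": auditable,
        "consent_obtained_by": "sp" if auditable else "idp",
    }


if __name__ == "__main__":
    for verified in (True, False):
        print("signature verified:", verified, consent_decision(SAMPLE_REQUEST, verified))
```

Note that the decision only says who has to obtain consent; it says nothing about which attributes the SP is entitled to, which is the separate release-policy question the message goes on to raise.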