Subject: Re: [security-services] SAML deployments that use consent step?
Josh: I said: If we're going to allow SPs to be used that aren't clearly part of a business need (or where we don't want to go to the trouble of figuring out whether they are), then we need to get user agreement before personal info (and that might include even an opaque persistent identifier) can be sent. You (quoting the Terena report) said: > "Consent should only be used, if at all, for services that are not > necessary, or to provide optional information to services that are > necessary." which I think are consistent technically, but differ in emphasis. I'm contending that those non-necessary SPs and optional info for necessary SPs are important to support, hence motivate consent-obtaining infra at the IdP, while you (for some value of you) are, as far as I can tell, implying (by "if at all") that those cases are not important to support, that in fact effort to support them at IdPs might do more harm than good. (Now that I read Conor's note, let me clarify that by "consent" I'm not referring to consent labels in SAML messages, but services at the IdP that obtain user consent before releasing info. I hope you're talking about the latter notion too, not the former.) It seems to me that if an IdP follows your advice and does not deploy any consent mechanism, that those non-necessary cases are simply not supported, correct? Meaning that those SPs will, typically, acquire this data (or these users) in some other fashion, e.g. avoiding federation, it seems to me. My comment about disagreement was referring to the Swiss federation, which apparently thought that IdP-managed consent was important enough to develop software to do so and to deploy it (I think) universally in their federation. I don't know whether their deployment makes the distinction between necessary/optional that we both recognize. > There's some on-going work in the European HE federations community > looking at expressing RPs' attribute requirements in SAML metadata, in > concert with assertions from TTPs attesting to the 'necessity' of these > attributes, that a user could subsequently consent to. However, it's not > clear yet if this could be made to work practically. In the InCommon federation we are, not surprisingly, talking seriously about very similar representations, though so far the notion of "necessity" hasn't been central. - RL "Bob"