Subject: Re: [security-services] SAML deployments that use consent step?
Bob,

> which I think are consistent technically, but differ in emphasis.

I think that's fair.

> I'm contending that those non-necessary SPs and optional info for
> necessary SPs are important to support, hence motivate
> consent-obtaining infra at the IdP, while you (for some value of you)
> are, as far as I can tell, implying (by "if at all") that those cases
> are not important to support, that in fact effort to support them at
> IdPs might do more harm than good.

There is no contention that these are not important to support. The contention is that it is not lawful to support these cases using the particular mechanism of consent in the circumstances we're discussing.

> It seems to me that if an IdP follows your advice and does not
> deploy any consent mechanism, that those non-necessary cases are
> simply not supported, correct? Meaning that those SPs will,
> typically, acquire this data (or these users) in some other fashion,
> e.g. avoiding federation, it seems to me.

Yes, that's the conclusion. It is sometimes frustrating, of course, not to make fuller use of federation but that's life. In these circumstances our general recommendation to IdPs is to release non-PII, such as an opaque identifier, which goes some way to addressing these cases. If the RP needs more, it can obtain it directly from the user and link this data against the identifier (if provided).

In the UK federation, a significant part of our constituency (and much larger than our HE users) is not even legally able to provide consent (in the UK, a person can only provide consent over 12 years). Protecting vulnerable users (4-11 years, users with learning difficulties, etc.) is a critical concern, of course, and in these circumstances parents or their equivalents are the only parties who are authorised to provide consent.

There is certainly a place for consent, but it needs to be used judiciously. It is certainly not (in the EU context, at least) the silver bullet or "best practice" that proponents of "user centric" approaches sometimes suggest. I have to spend a lot of time explaining this to our customers, which partly explains my irritation at those who misrepresent this complex problem to progress their own agenda.

> My comment about disagreement was referring to the Swiss federation...

As I understand it, the Swiss data protection law follows the principles of the EU directive, but is not an implementation of it because Switzerland is not an EU member state. It is possible that this is an instance where Swiss and EU law differ materially.

> In the InCommon federation we are, not surprisingly, talking
> seriously about very similar representations, though so far the
> notion of "necessity" hasn't been central.

What's the representation that you've got in mind? (It might be useful to standardise a common representation, particularly in the context of interfederation.)

josh.