RE: [security-services] SAML deployments that use consent step?

["Scott Cantor" <cantor.2@osu.edu>]

Paul Madsen wrote on 2009-11-12:
> OAuth actually mandates consent, MUST not SHOULD

I can't see how talking about consent makes sense as a technical matter, and
it certainly doesn't provide a legal context for interpreting the term. But
that aside, just because it mandates "consent", I don't think that changes
the broader technical character of what's happening. It's not merely
handling "consent".

> Could this, given the interpretation of its relevance put forward by Josh,
> preclude wider deployment?

Dunno. Here in the privacy hinterland, I tend to see the rules change to
match whatever the latest hyped solution happens to support.

> The spec is crystal clear but I'm sure it could be 'interpreted'......

Well, SAML throws around statements like "the IdP MUST authenticate the
user", but nobody pretends that that's technically normative. It's all in
the policy.

-- Scott