Shibboleth Developers

["Linden Mikael" <>]

Hi!

In Europe the Data Protection Directive requires that
an end user must be able to read the Privacy Policy of
the Service before he gives his permission ('informed 
consent') for Attribute release. As far as I 
understand the concept of Privacy Policy is widely 
used in the US as well.

In our Finnish Haka federation we are going to tackle
this issue by asking each Service Provider to put 
its Privacy Policy somewhere on the web. We collect
the URL as a part of the Haka federation metadata
and maintain a simple ProviderID-to-URL mapping table. 

We have implemented a simple service that takes 
the ProviderID of the Service Provider as a HTTP GET 
parameter, and redirects the browser the URL of the
corresponding entry in the mapping table. The 
origin administrators are adviced to make this link
available to the end user after authenticating her 
but before the control is given back to the
Shibboleth origin after authentication.

You can try our service by clicking the link (sorry,
this one is just in Finnish):
https://haka.funet.fi/cgi-bin/privacypolicy?providerID=https%3A%2F%2Fkoukku.f
unet.fi%2Fcgi-bin%2Fnelli

However, if the URLs of the Privacy Policies were 
distributed as part of the Shibboleth metadata 
(say, as an optional element in the DestinationSite 
element in sites.xml), our centralized server would 
be unnecessary, removing the single point of failure. 

Would it be possible to add this feature to Shibboleth
distribution? As far as I understand, it only requires
a new optional element to the XML schema of sites.xml.
Then the origin administrators could use the element
in sites.xml instead of our centralized server.

Cheers,

Mikael Linden
the Finnish Haka federation

--
Mikael Linden, CSC the Finnish IT Center for Science