
shibboleth-dev - RE: [Shib-Dev] SHIB Status call -- 6/9/2008) -- 12:00 pm EDT, 9am PDT

Subject: Shibboleth Developers

  • From: "RL 'Bob' Morgan" <>
  • To: Shibboleth Dev Team <>
  • Subject: RE: [Shib-Dev] SHIB Status call -- 6/9/2008) -- 12:00 pm EDT, 9am PDT
  • Date: Tue, 10 Jun 2008 11:49:28 -0700 (PDT)


There is an argument that the consent-based approach is neither desirable nor necessary within an educational context.

Not really the right list for this, but to add to Scott's answer ...

Indeed under FERPA in the US many situations are "legitimate educational use" where "education record" information may be provided to recipients without requiring student consent, and without regard to the student's privacy preferences. But many situations where federated authentication is of interest aren't "legitimate educational use", e.g. access to Microsoft's DreamSpark or more generally

https://spaces.internet2.edu/display/InCCollaborate/Enrollment+verification

or many collaborative scenarios, etc, etc. If we restrict the use of university-IdP federation (for students) to only those services strictly needed for instruction I think we'll be missing lots of opportunities.

(we also emphasise only releasing ePTID and ePSA, which are not affected by this legislation, and so there should be very few instances where an Institution actually needs to think about this).

In the US I don't think the situation regarding FERPA and ePTID and ePSA is clear, though in one case the UW registrar agreed to these being provided to a third-party, in a non-legitimate-use scenario, without requiring consent (where providing email address, which the vendor wanted, would have required consent). But in any case it's the same story: restricting the identifiers available to only ePTID will make many collaboration scenarios difficult enough that RPs will give up on federation and fall back to plain old accounts. That is, abandoning the capability of federated signon to provide useful data like name and email address eliminates much of the value of the scheme, for some apps at least.

We do have a ways to go to make consent generally available, but I don't think we have any choice but to get there, for students and everyone else.

- RL "Bob"



