
shibboleth-dev - Re: [Shib-Dev] uApprove + IdP 3.x

Subject: Shibboleth Developers

  • From: Chad La Joie <>
  • To:
  • Subject: Re: [Shib-Dev] uApprove + IdP 3.x
  • Date: Fri, 19 Mar 2010 13:18:12 +0100
  • Organization: Itumi, LLC


On 3/19/10 1:13 PM, Kristof BAJNOK wrote:
> Seriously, I can imagine some filtering rule that could check the uApprove
> database and throw an exception if user consent is needed. The uApprove
> could then process this, display the consent screen (or fail on back-
> channel) and redo the whole attribute resolution and filtering on success.

Consent is not filtering, so there won't be any filtering rules.

> Why I'm coming up with this is because our federation is undergoing a wide
> privacy analysis. If I can't promise that the back-channel privacy thing
> will be handled at some time, I'd be forced to remove the AA endpoints from
> the metadata. Therefore progressing towards persistent nameids would be
> pointless.

Persistent NameIDs have nothing to do with whether you do attribute
queries. If your federation is moving in a direction where it will
*require* the user to consent to attribute releases then by definition
you cannot do back-channel releases.

--
Chad La Joie
www.itumi.biz
trusted identities, delivered


