Shibboleth Developers

[Peter Schober <>]

* Scott Cantor 
<>
 [2010-06-03 17:34]:
> This is the thing Microsoft claims to have done a lot of user research on
> for Cardspace and concluded it's a bad idea. One reason I think is that
> users can't get clear indications about what the implications are of
> blocking the data.

In the Jananese implementation I found it to be quite clear, with
those attributes that would lead to a loss of access to the service
(which are therefore marked mandatory in the SP's metadata) being as
they are in uApprove today (i.e., cannot be opted out individually,
only by denying the transmission as a whole). Only those that are
truly optional (i.e., the SP can either operate without those or will
e.g. ask the user in the application) can be handled individually.

This also aligns well with the EU data protection directive (about
which many could care less, but also many will have to take into
consideration) which has some text to the effect that withheld consent
should not lead to the complete loss of service, rather things should
degrade gracefully, so to speak.

> Personally, I favor a "service level" model where the SP just
> identifies the kinds of packages of attributes they need to do
> certain things and if they can live with less, they can describe
> services that don't require as much data. That way the user gets a
> choice, but potentially understands what the result will be.

I'm not sure I understand that, but asking for more detail may be 
taking the current thread too far.
But if UI/UX experts (though M$ not exactly has a great reputation in
that regard) have discarded that approach and there are alternatives,
I'd certainly like to know more about those.
-peter