shibboleth-dev - Re: [Shib-Dev] [IdPv3] Consent Engine Work
Subject: Shibboleth Developers
List archive
- From: "Huneycutt, Karsten" <>
- To: "" <>
- Subject: Re: [Shib-Dev] [IdPv3] Consent Engine Work
- Date: Tue, 22 Jun 2010 13:53:21 -0400
- Accept-language: en-US
- Acceptlanguage: en-US
Hello --
Sitting in the uApprove session at CAMP, I remembered I had started this
draft but never actually sent it.... Here are just some random thoughts --
I'm not even sure any of these are good ideas, but I thought I'd throw them
out there...
On 09 Jun 2010, at 10:48 , Chad La Joie wrote:
> - Ability to disable the engine for some or all SPs. By default it will
> be enabled for all SPs.
How about disabling the engine for entity groups (like attribute filter
policies)? This will allow us to group approved business applications (the
campus portal, the ERP system, etc) under an entity group -- which may or may
not be a good thing.
Does it make any sense to whitelist attribute-value pairs per SP, so that an
SP can know that someone has, say, ePA set to "member", but the user must
consent to releasing the "student" value? I'm not sure how widely that would
be used.
> - Ability to require user consent for every login or to only ask again
> when the data (attribute values) to be sent to the SP changes.
Can this be set per-SP, with some timeout (every six months for SP x, every
year for SP y)? Or, perhaps, per-user, so that if a user has heightened
privacy settings, we can trigger asking for consent on every login? If you
want to get even more granular, make the requirement for consent be
calculated based on the value of another attribute or a script -- SP x is
asking for your phone number, which you've marked as private, and for your
name, which is public -- you must consent to the release of your phone number
each time, but not necessarily your name unless it's changed.
"only ask again when the data to be sent to the SP changes" implies that this
will keep a shadow copy of the user's attributes. If that will be the case,
that seems inefficient, and many of us already have systems that can
notify/take action when an attribute value changes. Can we have a way to
let that decision be made by that system and NOT keep a shadow copy on the
IdP consent engine?
KH
--
Karsten Huneycutt
ITS Identity Management, UNC Chapel Hill
- RE: [Shib-Dev] [IdPv3] Consent Engine Work, (continued)
- RE: [Shib-Dev] [IdPv3] Consent Engine Work, Scott Cantor, 06/10/2010
- Re: [Shib-Dev] [IdPv3] Consent Engine Work, Chad La Joie, 06/10/2010
- Re: [Shib-Dev] [IdPv3] Consent Engine Work, Christopher Bongaarts, 06/10/2010
- Re: [Shib-Dev] [IdPv3] Consent Engine Work, Jim Fox, 06/10/2010
- RE: [Shib-Dev] [IdPv3] Consent Engine Work, Scott Cantor, 06/10/2010
- Re: [Shib-Dev] [IdPv3] Consent Engine Work, Michael A. Grady, 06/10/2010
- RE: [Shib-Dev] [IdPv3] Consent Engine Work, Scott Cantor, 06/10/2010
- RE: [Shib-Dev] [IdPv3] Consent Engine Work, Bruc Liong, 06/11/2010
- Re: [Shib-Dev] [IdPv3] Consent Engine Work, Scott Cantor, 06/11/2010
- Re: [Shib-Dev] [IdPv3] Consent Engine Work, Jim Fox, 06/11/2010
- Re: [Shib-Dev] [IdPv3] Consent Engine Work, Scott Cantor, 06/11/2010
- RE: [Shib-Dev] [IdPv3] Consent Engine Work, Bruc Liong, 06/11/2010
- RE: [Shib-Dev] [IdPv3] Consent Engine Work, Scott Cantor, 06/10/2010
- Re: [Shib-Dev] [IdPv3] Consent Engine Work, Michael A. Grady, 06/10/2010
- RE: [Shib-Dev] [IdPv3] Consent Engine Work, Scott Cantor, 06/10/2010
- Re: [Shib-Dev] [IdPv3] Consent Engine Work, Huneycutt, Karsten, 06/22/2010
- Re: [Shib-Dev] [IdPv3] Consent Engine Work, Peter Schober, 06/22/2010
- Re: [Shib-Dev] [IdPv3] Consent Engine Work, Chad La Joie, 06/23/2010
- RE: [Shib-Dev] [IdPv3] Consent Engine Work, Scott Cantor, 06/10/2010
Archive powered by MHonArc 2.6.16.