Shibboleth Developers

[Bradley Beddoes <>]

The only decision the federation is making is if the set of attributes
the service is requesting is appropriate. This is determined by AAF
administrators reviewing SP registrations within our toolset and when
necessary having direct conversations with SP admins.

In several cases we've seen SP request every single attribute defined
as supported by the AAF but on further discussion really only require
a name and email address along with something like EPTID to operate
correctly. Naturally IdP are trusting that we're undertaking due
diligence in these reviews/approvals.

Once we've determined with the service the approved set of PII they
require to operate is this is reflected in generated filters. I'll
just highlight again there is no requirement for any IdP to use
automated filters and they can choose to go a manual path if desired.

With this system services are happy because they will get the set of
attributes required, end users are happy as they are only have to
review and consent to a small subset of attributes and IdP/AAF are
happy as the flow is adhering to AU privacy law.

Overall the important component of this discussion is that for us
having the ability to provide users with a description in the consent
UI of how the service will utilize each piece of the PII they are
going to release would be highly desirable.

cheers,
Bradley

On Wed, Apr 13, 2011 at 9:40 AM, Cantor, Scott E. 
<>
 wrote:
>>Filters themselves provide a level of automation but no IdP is required
>>to utilize them. Many folk of course do, others download with cron and do
>>manual local updates very few still manually manage policies themselves.
>
> I guess maybe this is one of those constant disconnects here in the US,
> but the idea of devolving that decision making to anybody other than maybe
> the user (via consent) is definitely foreign to me. I just can't imagine
> that ever being a federation decision, and isn't that what automating it
> (via cron or whatever) would be doing?
>
>>Regardless the requirement is the same, IdP within the AAF most only
>>disclose PII each service specifically requires.
>
> Right, but who decides whether it's appropriate to release *anything* to a
> particular service?
>
> -- Scott
>
>



-- 
Bradley Beddoes | Advanced Technical Development | Australian Access 
Federation
Mob: 0413768802 
| Email: | Web: http://www.aaf.edu.au/
Twitter: http://twitter.com/ausaccessfed Facebook:
http://facebook.com/ausaccessfed



PRIVILEGED – PRIVATE AND CONFIDENTIAL

This email and any files transmitted with it are intended solely for
the use of the addressee(s) and may contain information which is
confidential or privileged.  If you receive this email and you are not
the addressee(s) [or responsible for delivery of the email to the
addressee(s)], please disregard the contents of the email, delete the
email and notify the author immediately