preventing attribute release for a class of users

Steven Carmody Steven_Carmody at brown.edu
Thu Sep 15 16:06:25 BST 2011


On 9/15/11 10:47 AM, Cantor, Scott wrote:

>
> The login module I added to the contributions page has a set of functions
> for doing that, and I believe other IdPs have done it. I know Brendan at
> USC argues for that model a lot, so I imagine they probably have something
> in place for that.
>

I believe that this session at the upcoming I2 Fall Member Meeting will 
talk about an implementation of this functionality in Shib IDP 2.3.x.

http://events.internet2.edu/2011/fall-mm/agenda.cfm?go=session&id=10001976&event=1148

Improving the Shibboleth Identity Provider User Experience
October 05, 2011, 1:15 PM - 2:30 PM
GMT -4 EDT
Location: 301B

    Keith Hazelton, University of Wisconsin-Madison
    William Thompson, Unicon
Session Abstract

Some authentication attempts are known to "fail badly" with poor error 
messaging by the target Service Provider. Google Apps for Education has 
been identified as one example, in which conditions that are definable 
in terms of the value of user attributes provide a poor failure 
experience. Instead, in the case where it is known that the user does 
not have access to Google Apps for Education, the IdP could abort the 
login process with a friendly error message or a redirection to an 
external website. Privacy protections under FERPA provide another 
motivation for a more flexible login experience. Attribute values in 
concert with service identities could trigger the introduction of an 
interstitial message regarding attribute release, but not block the 
users, if they are willing to proceed. Acceptable Use and Password 
Policy enforcement are other examples that would benefit from a flexible 
login experience. This presentation will explore an effort by the 
University of Wisconsin-Madison in partnership with Unicon to provide a 
flexible user experience in the Shibboleth Identity Provider 2.x, based 
on integration with Spring Web Flow. The ultimate goal is a 
configurable and extensible login experience based on user attributes 
and Service Provider metadata.
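For the narrower problem in the subject line, withholding attributes from a given SP for users outside a class, the IdP's own attribute filter can express the rule without any of the Spring Web Flow work above. The policy below is an added example written for this thread, not configuration from the session, from Brown or from Shibboleth itself; the SP entityID is a placeholder and the class of users is assumed to be those whose eduPersonAffiliation carries the value "member".

```xml
<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd
                        urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd">

  <!-- Release eduPersonPrincipalName and mail to one SP (placeholder entityID)
       only when the user's eduPersonAffiliation contains "member".
       Users without that value get no attributes released by this policy,
       so no other policy should release to the same requester unconditionally. -->
  <afp:AttributeFilterPolicy id="releaseToExampleSPForMembersOnly">
    <afp:PolicyRequirementRule xsi:type="basic:AND">
      <basic:Rule xsi:type="basic:AttributeRequesterString"
                  value="https://sp.example.org/shibboleth" />
      <basic:Rule xsi:type="basic:AttributeValueString"
                  attributeID="eduPersonAffiliation" value="member" />
    </afp:PolicyRequirementRule>

    <afp:AttributeRule attributeID="eduPersonPrincipalName">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="mail">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

</afp:AttributeFilterPolicyGroup>
```

Note that a filter policy only stops the attributes from leaving the IdP; the excluded user still completes login and is handed to the SP, which is exactly the "fail badly" case the abstract describes, so the friendly abort or interstitial still needs the login-flow work discussed in the session.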

