NameID from Subject

Lukas Hämmerle lukas.haemmerle at switch.ch
Thu Aug 7 09:32:57 EDT 2014


> just one question to uApprove usage here:
> 
>> Therefore, not only can the liveness of a user be checked, but the 
>> SP will also get the most up-to-date attributes from that user.
>> 
>> The user must have accessed the SP at least once (and, depending on 
>> the IdP, he also had to consent that his attributes are released to 
>> this SP).
> 
> I thought that uApprove also stores hashed attribute values, and the
> user must give his consent again if any values have changed.

Yes, this is the case in the current versions of uApprove if the user is
authenticating at the IdP.


> So what happens if you query attributes from a user whose attributes 
> have changed since his last consent?

uApprove does not interfere during a SAML attribute query. So, the
attributes will be released whether they have changed or not. This is indeed
a bit problematic because a user could revoke his consent for a
particular SP, but that SP could then still make attribute queries to get
that user's attributes.

On the other hand, because the user must have accessed the SP at least
once, that SP already got all the user's attributes. Also, one of the
purposes of making attribute queries is exactly to get up-to-date user
information. If uApprove blocked this because the user has not given
consent yet, this whole feature would become obsolete.

Best Regards
Lukas

-- 
SWITCH
Lukas Hämmerle, Central Solutions
GÉANT Project Task Leader "Enabling Users"
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 05, direct +41 44 268 15 64
lukas.haemmerle at switch.ch, http://www.switch.ch
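The consent behaviour discussed in this thread, as an added example that is not part of the original post and not uApprove's or Shibboleth's code: a toy consent store that keeps a hash of the attribute values the user consented to (so changed values invalidate consent, as the question describes), and a release decision that consults the store during interactive SSO but not during a back-channel attribute query (the behaviour Lukas describes). An `enforce_on_query` switch models the stricter alternative where the same consent check also gates queries. All names (`ConsentStore`, `release_attributes`, the user and SP entityID) and the attribute data are constructed assumptions.

```python
"""Toy model of per-SP attribute-release consent and SAML attribute queries.
Added example with constructed data; not uApprove's or Shibboleth's code."""
import hashlib
import json


def attribute_hash(attributes):
    """Hash an attribute set so a later release can detect changed values.
    Keys are sorted so the hash does not depend on dict insertion order."""
    canonical = json.dumps(attributes, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ConsentStore:
    """Maps (user, sp) -> hash of the attribute values the user consented to."""

    def __init__(self):
        self._consent = {}

    def record(self, user, sp, attributes):
        self._consent[(user, sp)] = attribute_hash(attributes)

    def revoke(self, user, sp):
        self._consent.pop((user, sp), None)

    def is_valid(self, user, sp, attributes):
        """Consent counts only if it exists and the values are unchanged."""
        return self._consent.get((user, sp)) == attribute_hash(attributes)


def release_attributes(store, user, sp, attributes, flow, enforce_on_query=False):
    """Decide what to release for one (user, sp) pair.

    flow == "sso":             interactive login; consent is always checked.
                               Without valid consent nothing is released
                               (a real IdP would prompt the user instead).
    flow == "attribute_query": back-channel SAML AttributeQuery; in the
                               behaviour described in the mail, consent is
                               not consulted at all.
    enforce_on_query=True models the stricter alternative where the consent
    store gates back-channel queries as well (assumed design, not uApprove's).
    """
    if flow not in ("sso", "attribute_query"):
        raise ValueError("unknown flow: %r" % flow)
    check_consent = flow == "sso" or enforce_on_query
    if check_consent and not store.is_valid(user, sp, attributes):
        return {}
    return dict(attributes)


def demo():
    """Walk through the scenario from the thread and return each outcome."""
    store = ConsentStore()
    user = "alice"                                   # constructed user
    sp = "https://sp.example.org/shibboleth"         # constructed entityID
    attrs = {"mail": "alice@example.org", "eduPersonAffiliation": "student"}
    results = {}

    # 1. Alice logs in at the SP; consent is recorded for the current values.
    store.record(user, sp, attrs)
    results["sso_after_consent"] = release_attributes(store, user, sp, attrs, "sso")

    # 2. Her affiliation changes; at the next SSO the hash no longer matches,
    #    so uApprove-style logic would ask for consent again.
    changed = dict(attrs, eduPersonAffiliation="alum")
    results["sso_after_change"] = release_attributes(store, user, sp, changed, "sso")

    # 3. An attribute query returns the new values without any consent check.
    results["query_after_change"] = release_attributes(
        store, user, sp, changed, "attribute_query")

    # 4. Even after Alice revokes consent, the query still succeeds ...
    store.revoke(user, sp)
    results["query_after_revoke"] = release_attributes(
        store, user, sp, changed, "attribute_query")

    # 5. ... unless the consent store also gates back-channel queries.
    results["query_after_revoke_enforced"] = release_attributes(
        store, user, sp, changed, "attribute_query", enforce_on_query=True)
    return results


if __name__ == "__main__":
    for step, released in demo().items():
        print("%-28s %s" % (step, released))
```

The model makes the trade-off in the mail concrete: with `enforce_on_query` off, steps 3 and 4 release the changed attributes (the up-to-date data the SP wants, but also the release after revocation that Lukas calls problematic); with it on, step 5 releases nothing, which is exactly what would make the query feature useless whenever consent has not yet been given for the current values.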

