Identity Provider question
Benji Wakely
B.Wakely at latrobe.edu.au
Tue May 20 20:22:58 EDT 2014
As an example, the Australian Access Federation (which we're part of) has the following attributes that
an IdP must technically be able to populate:
http://aaf.edu.au/technical/aaf-core-attributes/
Of these attributes,
Service Providers must justify to the AAF why they need certain attributes,
and if so, will be allowed to request those attributes from an IdP
(the AAF takes care of metadata on behalf of the IdPs / is regularly synchronised.)
Additionally, at La Trobe, we've installed uApprove:
https://www.switch.ch/aai/support/tools/uApprove.html
which compels the user to acknowledge and approve of their individual attributes
that are being released - if they're ultimately not comfortable with it,
they can refuse consent.
--Benji
Benji Wakely <b.wakely at latrobe.edu.au>
Unix Systems Administrator
La Trobe University
+613 9479 5499
+614 34 307 667
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Nate Klingenstein
Sent: Wednesday, 21 May 2014 3:53 AM
To: Shib Users
Subject: Re: Identity Provider question
Walter,
I am trying to get more information on Identity Provider. Is there a list of the information that Identity Provider provides about users who opt to allow us to see this information?
Any given identity provider (IdP) is operated directly by the organization that it asserts information on behalf of, so there is no one "Identity Provider". Any IdP can release as little or as much information as desired to any service. You can make a request for specific attributes but you'll need logic to handle instances where you don't get it. The attributes available generally include inetOrgPerson and eduPerson as a baseline, and many IdPs support additional attributes.
Is there any indication of what percentage of users opt to allow this service?
Most IdPs in academia operate under the principle that attribute release is a required part of delivering educational services and don't explicitly prompt the user for further consent. Some IdPs do request consent and there are widely used implementations for this for Shibboleth. We don't have any statistics regarding consent from them.
Hope this helps,
Nate.
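The point Nate makes above, that an SP can ask for attributes but must cope with an IdP (or a consent tool such as uApprove) withholding some of them, is shown below as an added example. This is illustration code written for this page, not code from the thread, from Shibboleth or from the AAF. It assumes the SAML layer has already verified the assertion's signature, issuer, audience and validity window; the IdP URL, the `example.edu` scope, the user values and the `_assertion`/`_attr` helpers are all constructed for the example. The attribute OIDs are the standard eduPerson and inetOrgPerson ones. It also carries the check a real SP must do on scoped attributes: a value like `user@scope` is only acceptable if `scope` is one the IdP is registered for in federation metadata, otherwise any IdP could assert identities belonging to another institution.

```python
"""SP-side handling of a SAML 2.0 AttributeStatement (added example).

Assumes signature, issuer, audience and validity checks already passed.
Covers only extracting attributes and handling ones that were not released.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# OID-form SAML names of the eduPerson/inetOrgPerson attributes this SP uses.
OID_TO_NAME = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
}
MULTI_VALUED = {"eduPersonScopedAffiliation"}
SCOPED = {"eduPersonPrincipalName", "eduPersonScopedAffiliation"}


class MissingAttribute(Exception):
    """An attribute the SP cannot work without was not released."""


class BadScope(Exception):
    """A scoped value carries a scope this IdP is not registered for."""


def parse_attributes(assertion_xml: str) -> dict:
    """Return {friendly_name: value or [values]} for known attributes only."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute",
                              namespaces=SAML_NS):
        name = OID_TO_NAME.get(attr.get("Name", ""))
        if name is None:
            continue  # not something we asked for: ignore rather than trust
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", namespaces=SAML_NS)]
        values = [v for v in values if v]
        if not values:
            continue  # an empty Attribute element counts as "not released"
        attrs[name] = values if name in MULTI_VALUED else values[0]
    return attrs


def check_scopes(attrs: dict, allowed_scopes: set) -> None:
    """Reject user@scope values whose scope is not registered for the IdP."""
    for name in SCOPED:
        raw = attrs.get(name)
        if raw is None:
            continue
        for value in (raw if isinstance(raw, list) else [raw]):
            if "@" not in value:
                raise BadScope(f"{name}={value!r} has no scope")
            scope = value.rsplit("@", 1)[1].lower()
            if scope not in allowed_scopes:
                raise BadScope(f"{name}={value!r}: scope {scope!r} not allowed")


def build_session(assertion_xml: str, allowed_scopes: set,
                  required=("eduPersonPrincipalName",)) -> dict:
    """Build a session record; only `required` attributes are mandatory."""
    attrs = parse_attributes(assertion_xml)
    check_scopes(attrs, allowed_scopes)
    missing = [r for r in required if r not in attrs]
    if missing:
        raise MissingAttribute(f"IdP did not release required attribute(s): {missing}")
    eppn = attrs["eduPersonPrincipalName"]
    return {
        "principal": eppn,
        "email": attrs.get("mail"),                      # None if withheld
        "display_name": attrs.get("displayName", eppn),  # fall back to ePPN
        "affiliations": attrs.get("eduPersonScopedAffiliation", []),
    }


# --- constructed sample assertions (unsigned, for illustration only) ---
def _attr(oid: str, *values: str) -> str:
    return (f'<saml:Attribute Name="urn:oid:{oid}" '
            'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">'
            + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
            + "</saml:Attribute>")


def _assertion(*attributes: str) -> str:
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'ID="_demo" Version="2.0" IssueInstant="2014-05-21T00:00:00Z">'
            '<saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>'
            '<saml:AttributeStatement>' + "".join(attributes)
            + '</saml:AttributeStatement></saml:Assertion>')


ALLOWED_SCOPES = {"example.edu"}  # assumed: the IdP's scope from federation metadata
FULL_RELEASE = _assertion(
    _attr("1.3.6.1.4.1.5923.1.1.1.6", "jsmith@example.edu"),
    _attr("1.3.6.1.4.1.5923.1.1.1.9", "staff@example.edu", "member@example.edu"),
    _attr("0.9.2342.19200300.100.1.3", "j.smith@example.edu"),
    _attr("2.16.840.1.113730.3.1.241", "Jane Smith"),
)
MINIMAL_RELEASE = _assertion(_attr("1.3.6.1.4.1.5923.1.1.1.6", "jsmith@example.edu"))
FORGED_SCOPE = _assertion(_attr("1.3.6.1.4.1.5923.1.1.1.6", "admin@other.edu"))

if __name__ == "__main__":
    print(build_session(FULL_RELEASE, ALLOWED_SCOPES))
    print(build_session(MINIMAL_RELEASE, ALLOWED_SCOPES))
```

With `MINIMAL_RELEASE` the session is still built, with `email` set to `None` and the display name falling back to the principal name; `FORGED_SCOPE` is rejected even though the assertion is otherwise well formed, and an assertion with no eduPersonPrincipalName at all raises `MissingAttribute` so the SP can show a "your institution does not release the attributes this service needs" page instead of failing later.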