Evolving Attribute Release Policies for campuses

Steven Carmody steven_carmody at brown.edu
Wed Apr 6 15:25:58 EDT 2016

I suspect that the differing interpretations of the use of 
RequestedAttributes elements by R&S tagged SPs may be the result of 
cultural differences, and the different legal frameworks that countries 
have with respect to personal privacy. In some of the EU countries the 
common understanding is that an IDP can only release to an SP those 
attributes that are REQUIRED by the SP; that might be a subset of the 
R&S bundle. If the site admins think that's what they're required to do 
by the law .... then they'll likely look at the RequestedAttributes 
elements. If the IDP is here in the US, well, welcome to the wild west !

As an example, one of the centers here at Brown is sponsoring a 
symposium. They have accepted papers from researchers at several 
European universities. The local center wants to give those people 
access to a controlled portion of a local web site. What will those 
campuses release to the Brown site (which only needs EPPN) ? The 
campuses are in Germany, Scotland, Switzerland, Canada, and France.

I need advice from people in those five countries .....

On 4/6/16 10:34 AM, Wessel, Keith wrote:
> I, too, am rather bothered by the apparent contradiction for
> attribute  release for R&S category SPs. I'm told to release the whole bundle of
seven attributes, but then an R&S SP enters RequestedAttributes into
metadata which may or may not be the same seven. Which am I supposed to
follow? Do I send attributes that the SP may not want just because their
R&S and I'm supposed to release the entire bundle? Or do I only send
what they've marked as requested, which I think technically breaks my
obligation as an R&S-adopting IDP.
> Keith

More information about the users mailing list