Evolving Attribute Release Policies for campuses
steven_carmody at brown.edu
Wed Apr 6 15:25:58 EDT 2016
I suspect that the differing interpretations of the use of
RequestedAttributes elements by R&S tagged SPs may be the result of
cultural differences, and the different legal frameworks that countries
have with respect to personal privacy. In some of the EU countries the
common understanding is that an IDP can only release to an SP those
attributes that are REQUIRED by the SP; that might be a subset of the
R&S bundle. If the site admins think that's what they're required to do
by the law .... then they'll likely look at the RequestedAttributes
elements. If the IDP is here in the US, well, welcome to the wild west !
As an example, one of the centers here at Brown is sponsoring a
symposium. They have accepted papers from researchers at several
European universities. The local center wants to give those people
access to a controlled portion of a local web site. What will those
campuses release to the Brown site (which only needs EPPN) ? The
campuses are in Germany, Scotland, Switzerland, Canada, and France.
I need advice from people in those five countries .....
On 4/6/16 10:34 AM, Wessel, Keith wrote:
> I, too, am rather bothered by the apparent contradiction for
> attribute release for R&S category SPs. I'm told to release the whole bundle of
seven attributes, but then an R&S SP enters RequestedAttributes into
metadata which may or may not be the same seven. Which am I supposed to
follow? Do I send attributes that the SP may not want just because their
R&S and I'm supposed to release the entire bundle? Or do I only send
what they've marked as requested, which I think technically breaks my
obligation as an R&S-adopting IDP.
More information about the users