attribute release consent based on user attribute?

Losen, Stephen C. (scl) scl at eservices.virginia.edu
Fri Apr 15 06:45:55 EDT 2016


Hi folks,

From what I've seen, it is not possible to control attribute consent with an attribute.  We might find such a feature useful, since we have a "privacy" flag in our LDAP that allows a person to keep his/her LDAP info "more confidential", i.e., not appear in "people searches", etc.  We have some attr release filters that check this flag.  Basically, if you have the privacy flag set, then the IDP won't release certain attributes, which means that the SP may not give you access.  Oh well.  I would like to do something else.  If a person has the privacy flag set, then ask for consent.  For the vast majority of folks who have not set this flag, do not ask for consent.  I suppose we could enable consent for everyone and most folks would specify "never ask me again".  But when we roll out IDP v3 we will need to publicize/document this change, and our helpdesk would probably get a lot of calls, etc.  If we could confine this to folks with the privacy flag set, then we could send them targeted email.

Some might consider this suggestion to be the thin end of the wedge.  Do you control consent with a single attribute value or do you allow complex combinations of attribute values, like in the attribute filter rules?  You could get around this by only allowing a single attribute value, and for folks who need more complex logic, they can define a "pseudo attribute" in attribute-resolver.xml that is set according to their complex logic.

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
scl at virginia.edu    434-924-0640
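As an added illustration of the "pseudo attribute" idea in the message above (example configuration written for this page, not taken from the original post or from the Shibboleth project), the first fragment below defines, in attribute-resolver.xml, a ScriptedAttribute that folds the privacy-flag logic into a single attribute with the values "true" or "false"; the second fragment shows an attribute-filter.xml policy that keys the existing style of release rule on that one attribute rather than on the raw LDAP flag. The data connector id `myLDAP`, the LDAP attribute name `uvaPrivacyFlag`, the pseudo attribute id `consentRequired` and the released attribute `mail` are assumptions chosen for the example; the syntax is the IdP v3 `Dependency` form current at the time of the post.

```xml
<!-- attribute-resolver.xml (IdP v3): pseudo attribute derived from the LDAP privacy flag.
     Assumed names: data connector "myLDAP", LDAP attribute "uvaPrivacyFlag". -->
<AttributeDefinition xsi:type="ScriptedAttribute" id="consentRequired">
    <Dependency ref="myLDAP"/>
    <Script><![CDATA[
        // Input attributes arrive as IdPAttribute variables named after their ids.
        // If the LDAP entry has no privacy flag at all, the variable may be undefined,
        // so treat "absent" the same as "not set".
        var required = false;
        if (typeof uvaPrivacyFlag != "undefined") {
            var values = uvaPrivacyFlag.getValues();
            for (var i = 0; i < values.size(); i++) {
                // values are StringAttributeValue objects; compare the underlying string
                if ("true".equals(values.get(i).getValue())) {
                    required = true;
                }
            }
        }
        // Any more complex combination of attributes would be evaluated here,
        // leaving a single yes/no value for the rest of the IdP to key on.
        consentRequired.addValue(required ? "true" : "false");
    ]]></Script>
</AttributeDefinition>

<!-- attribute-filter.xml (IdP v3): release "mail" only when the pseudo attribute is "false".
     The pseudo attribute itself has no AttributeRule and no encoder, so it is never sent to an SP. -->
<AttributeFilterPolicy id="releaseUnlessPrivacyFlagSet">
    <PolicyRequirementRule xsi:type="Value" attributeID="consentRequired" value="false"/>
    <AttributeRule attributeID="mail" permitAny="true"/>
</AttributeFilterPolicy>
```

Keeping the decision logic in one resolver definition means the filter policy (and anything else that later needs to branch on "privacy flag set") tests a single attribute value, which is the point the message makes about avoiding complex rule combinations; the `typeof` guard matters because a missing LDAP attribute would otherwise abort the script and leave `consentRequired` empty, which the filter would treat as "do not release".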


