
Hi Meshna,
On 16.03.21 09:32, Koren, Meshna (ELS-AMS) wrote:
> - There's a whole *trust infrastructure* in place for the IdP to be
> able to make an informed decision about what to send in SAML assertion in advance; the academic community has been working really hard for the last 20 years to build, maintain, scale and improve it; through federations, REFEDS, Baseline Expectations, CoCo, SIRTFI, etc.
> There's room for improvement, it's a process, but what you're saying by inserting a 'pick and choose PII' screen between a user and an article is that as an IdP you essentially don't trust this trust infrastructure, and that a student is able to make a better decision about that than a manager of an IdP... and well, that's just not true.
no, what I'm saying is that the IdP manager/library can or at least should not make that decision on behalf of the user if the PII isn't required and consent is used as a legal basis. The IdP manager/library could try to make that decision for the user, but this could get the IdP manager/library into trouble if a user who doesn't want that PII to be released files a complaint.
And of course there is a legal obligation to at least inform the user about the release of PII, so we can't completely get rid of that screen. I like Peter's idea to inform the user on the SP side, but I think that would be problematic because at that point the PII already has been released.
What I indeed don't trust are the attribute declarations in the federation metadata, partially because of the technical limitations (no OR and therefore no possibility to declare alternatives) but mainly because there are obviously different opinions about when "required" should be used. My definition would be: if I can omit an attribute and access still works, the attribute is optional, not required.
Best regards, Bernd