Hi,

it seems like at the moment Elsevier is safe to go for Pseudonymous Authorisation entity category -
    https://refeds.org/category/pseudonymous
in the SP metadata at eduID.at, RENATER, SWITCHaai, Edugate, LIAF.
And for Anonymous Authorisation entity category -
    https://refeds.org/category/anonymous
in the SP metadata at DFN-AAI, InCommon. 

In eduID.cz we rely on metadata in eduGAIN for service providers with residency outside the Czech Republic
as recommended in "How to Join eduGAIN as Service Provider" [1]. In the Czech Republic, universities and libraries
are fine with releasing pairwise-id/ePTID for services with personalisation capabilities. So for automated
attribute release for Elsevier we'd need Pseudonymous Authorisation entity category support in Elsevier SP
metadata in eduGAIN.

Freiburg University may go for CAR implementation at the university IdP to provide university users 
with optional release of pairwise-id/ePTID according to users' consent :-)

Sunny regards from Prague

            Jiri


1. https://wiki.geant.org/display/eduGAIN/How+to+Join+eduGAIN+as+Service+Provider#HowtoJoineduGAINasServiceProvider-WhicheduGAINmemberfederationtojoin


On Mon, Mar 15, 2021 at 8:58 PM Bernd Oberknapp <bo@ub.uni-freiburg.de> wrote:
Hi Peter,

On 15.03.21 20:07, Peter Schober wrote:
 > * Bernd Oberknapp <bo@ub.uni-freiburg.de> [2021-03-15 19:53]:
 >> The point is that we cannot force users to consent to releasing PII
 >> (like a pairwise-id/eduPersonTargetedID) that isn't necessary (if
 >> the user doesn't want to use the personalization) and deny access to
 >> resources necessary for their studies or research if the users don't
 >> give their consent - that again wouldn't be free and informed
 >> consent.
 >
 > Maybe my issues with the paragraph above are due to merely phrasing
 > things in an unfortunate way (I'm not discounting the possibility that
 > we all agree on these issues), but not knowing that for sure all I
 > have to go on is what's written above. To which I'll say this:
 >
 > You can't ever "force users to consent", obviously.
 > (You can certainly ask them to consent, though. Unless consent is not
 > the legal basis for processing, see below.)
 > And asking for consent in cases where the processing "isn't necessary"
 > is exactly the right case to be asking for consent, IMO.
 > Vice versa, asking for consent to processing that's necessary
 > (e.g. GDPR Art. 6 1 b) is wrong anyway, then the legal basis is not
 > consent and you shouldn't give the impression it is by asking for it.

the wording was indeed unfortunate. What I was trying to say is that if
consent is used as a legal basis, the user must have a choice to not
release the attribute and still get access to the resource (or have a
comparable alternative to the institutional login), and that using a
different legal basis might be difficult.

Best regards,
Bernd

--
Bernd Oberknapp
Gesamtleitung ReDI

Albert-Ludwigs-Universität Freiburg
Universitätsbibliothek
Platz der Universität 2 | Postfach 1629
D-79098 Freiburg        | D-79016 Freiburg

Telefon:  +49 761 203-3852
Telefax:  +49 761 203-3987
E-Mail:   bo@ub.uni-freiburg.de
Internet: www.ub.uni-freiburg.de

_______________________________________________
FIM4L mailing list
FIM4L@lists.daasi.de
http://lists.daasi.de/listinfo/fim4l