If I understand the use-case correctly it is all about statistics: how many users of the organisation have been using which offerings. And after having collected such stats in a trial period, the contract will only include those offerings that have been used often enough. If the publisher's software that does such stats, only counts on IP-range basis, it will need to be modified. I don't think that client IP address helps in the SAML case, but may be I missed what you wanted to say.
Cheers,
Peter G.
Am 05.04.19 um 18:24 schrieb Peter Schober:
- Peter peter.gietz@daasi.de [2019-04-05 18:13]:
How are we to fix such issues? Should we have sentences like "publishers who push for FIM should also align their software offerings accordingly"
I don't even understand why they should be able to provide such stats for non-personally identifiable access from IP ranges but not for non-personally identifiable access from any IP address but authorised by a SAML IDP: In both cases they have the client IP addresses, in both cases they need to perform authorisation checks (IP, SAML attribute), in both cases they lack an identifier to reliably map access requests to individuals.
The ask would therefore be to fix the system to provide stats consistently, no matter the access method. Because there's no technical reason this couldn't be done in those two scenarios.
-peter _______________________________________________ FIM4L mailing list FIM4L@lists.daasi.de http://lists.daasi.de/listinfo/fim4l