[WG-eGov] Another NZ request: Consent Services

Mikael Linden Mikael.Linden at csc.fi
Thu Mar 31 03:58:54 EDT 2011


>In the EU I know that there are situations when consent must be given to the RP before it asks for the authentication.

In the eduGAIN project (which is "the STORK for European higher education and research"), we have recently studied the EU data protection directive's implications for federated identity management, including user consent for attribute release from SAML IdP to SP:

http://www.edugain.org/policy/edugain_policy_build20110124/data_protection_profile_20101215.pdf

In short, according to the EU DP directive, attribute release is based on either the user's informed consent or necessity. National interpretations vary; in some countries consent seems to be the primary way, in others consent is used as a last resort and attribute release should be based on necessity whenever possible.

In research and higher education, the consent is typically given not to the SP but to the IdP before it releases any attributes to the SP. In the front-channel binding of the SAML2 Authentication request protocol, it is easy to implement.

Cheers,
mikael

