Comment: unlink rediris

...

There are other attributes whose values are intentionally opaque (e.g. eduPersonEntitlement="urn:mace:rediris.es:entitlement:wiki:tfemc2"). It is NOT reasonable to expect the end user to understand what such a value means, or to decide whether a particular value should be released. Instead, natural language descriptions of the values should be provided.

...

  1. The user MUST be informed of the attribute release separately for each Service.
  2. The user MUST be presented with the mdui:DisplayName value for the Service, if it is available.
  3. The user MUST be presented with the mdui:Description value for the Service, if it is available.
  4. The user SHOULD be presented with the mdui:Logo image for the Service, if it is available.
  5. The user MUST be provided with access (e.g. a clickable link) to the document referenced by the mdui:PrivacyStatementURL.
  6. The IdP MUST present a list of the RequestedAttributes defined as NECESSARY. No user consent is expected before release. (However, given how web browsers work, the user may have to click a CONTINUE button in order to continue in the sequence.)
    The IdP MAY list the NECESSARY attributes on the same screen as the username/password entry boxes, making clear that if you log in then this is what will happen. It MUST be clear to the user that the consequence of their next action will be to release the attributes. NOTE -- the attribute values for the specific user are not available when the login screen is presented, since the user's identity is not yet known.
  7. The display software SHOULD provide the ability to configure and display localised descriptions of the attributes (e.g. what PersistentID means) and of their values (e.g. what eduPersonEntitlement="urn:mace:rediris.es:entitlement:wiki:tfemc2" means).
  8. The display software MAY inform the user of the release of an "attribute group" (e.g. attributes expressing the user's "name"), and then release all requested attributes in the group (e.g. various forms of the user's name such as cn, sn, givenName and displayName).
  9. The display software MAY give the user the option to remember that they have been INFORMed of the release of the necessary attributes.
  10. If any of the following has changed since the user last accessed this SPO, the user MUST be prompted again for the INFORM interaction:
    1. the list of attributes the SPO requests
    2. the DisplayName of the SPO
    3. the Description of the SPO

...

The xml:lang attribute of the mdui elements can be used to match the user's preferred language settings.
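As an added example (not code from the original page or from any federation's software), the following Python sketch shows how an IdP could drive the INFORM screen described in the list above from SP metadata: it picks the mdui:DisplayName, Description and PrivacyStatementURL matching the user's preferred languages, treats RequestedAttributes with isRequired="true" as the NECESSARY set (an assumed mapping), and fingerprints the rule-10 items so a remembered INFORM is invalidated when they change. The metadata snippet, entityID, URLs and attribute selection are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"  # how ElementTree spells xml:lang

# Constructed sample SP metadata (not a real service), reduced to the mdui and RequestedAttribute parts.
SAMPLE_SP_METADATA = """<md:EntityDescriptor entityID="https://sp.example.org/shibboleth"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
  <md:SPSSODescriptor><md:Extensions><mdui:UIInfo>
    <mdui:DisplayName xml:lang="en">Example Wiki</mdui:DisplayName><mdui:DisplayName xml:lang="fi">Esimerkkiwiki</mdui:DisplayName>
    <mdui:Description xml:lang="en">Collaboration wiki for project members</mdui:Description>
    <mdui:PrivacyStatementURL xml:lang="en">https://sp.example.org/privacy</mdui:PrivacyStatementURL>
  </mdui:UIInfo></md:Extensions>
  <md:AttributeConsumingService index="0">
    <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" FriendlyName="eduPersonTargetedID" isRequired="true"/>
    <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName" isRequired="true"/>
    <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail"/>
  </md:AttributeConsumingService></md:SPSSODescriptor>
</md:EntityDescriptor>"""

def localised(uiinfo, tag, preferred):
    """Text of the mdui element whose xml:lang best matches the user's preferences; 'en', then any, as fallback."""
    elems = uiinfo.findall(f"mdui:{tag}", NS) if uiinfo is not None else []
    by_lang = {e.get(XML_LANG): (e.text or "").strip() for e in elems}
    for lang in (*preferred, "en"):
        if lang in by_lang:
            return by_lang[lang]
    return next(iter(by_lang.values()), None)  # None when the SP publishes no such element

def inform_view(metadata_xml, preferred_langs=("en",)):
    """Collect what the INFORM screen shows: mdui strings plus the NECESSARY attributes (isRequired="true")."""
    root = ET.fromstring(metadata_xml)
    uiinfo = root.find(".//md:Extensions/mdui:UIInfo", NS)
    requested = [(ra.get("FriendlyName") or ra.get("Name"), ra.get("isRequired", "false").lower() == "true")
                 for ra in root.findall(".//md:RequestedAttribute", NS)]
    return {
        "display_name": localised(uiinfo, "DisplayName", preferred_langs),
        "description": localised(uiinfo, "Description", preferred_langs),
        "privacy_url": localised(uiinfo, "PrivacyStatementURL", preferred_langs),
        "necessary": sorted(name for name, required in requested if required),
        "requested": sorted(name for name, _ in requested),
    }

def inform_fingerprint(view):
    """Hash of the rule-10 items (requested attribute list, DisplayName, Description) as the user saw them."""
    material = "\n".join([";".join(view["requested"]), view["display_name"] or "", view["description"] or ""])
    return hashlib.sha256(material.encode()).hexdigest()

def must_reprompt(view, remembered_fingerprint):
    """True on a first visit (nothing remembered) or when any rule-10 item changed since the last INFORM."""
    return remembered_fingerprint != inform_fingerprint(view)
```

Because the fingerprint is taken over the localised strings the user actually saw, a changed translation also triggers a fresh INFORM, which errs on the side of informing.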

Sample notification

Example of how a Home Organisation should inform End Users and provide an opt-out opportunity before Attributes are released to a new Service Provider Organisation. Clicking the Service Provider Organisation’s name leads to its Privacy policy page.

...