...
In all Shibboleth releases up through the current one (2.1), attribute release is solely managed by a site administrator who maintains the Attribute Filtering Policies (AFPs). These policies are generally written so that they apply to a given SP or group of SPs. There are some problems with this approach:
- SPs cannot always be grouped in order to simplify AFP rule management; however, writing a unique policy for each SP is not administratively scalable.
- Administrators must be aware of new SPs that come online and make sure that existing policies release only the appropriate data.
- Users are not involved in the process that releases their information. They cannot opt out of this release.
The proposed solution is:
...
We think this will make use of the SWITCH ArpViewer highly scalable. A site will decide which of the attributes listed in an SP's metadata can be released without further rules. The ArpViewer can then be used to gain user consent for this release. Note that this approach requires a change in how Federations maintain their metadata -- they would have to populate the AttributeConsumingService element of the SPs in their metadata.
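The following is an added illustration of the mechanism described above; it is not code from Shibboleth or the SWITCH ArpViewer. It reads the RequestedAttribute entries of an SP's AttributeConsumingService from a constructed SAML metadata document (the entityID and service name are hypothetical; the OIDs are the standard ones for eduPersonPrincipalName, mail, displayName and employeeNumber), intersects them with a hypothetical site-wide list of attributes the IdP is willing to release without a per-SP rule, and then applies the user's consent decision. The function names and the site-wide list are assumptions made for this example.

```python
"""Added example (not Shibboleth/SWITCH project code): metadata-driven attribute release
with user consent, as sketched in the proposal above."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Set

# SAML 2.0 metadata namespace, used to locate AttributeConsumingService/RequestedAttribute.
MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample SP metadata. The entityID and service name are hypothetical;
# the attribute OIDs are the standard ones for the named attributes.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example Service</md:ServiceName>
      <md:RequestedAttribute FriendlyName="eduPersonPrincipalName"
          Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
      <md:RequestedAttribute FriendlyName="mail"
          Name="urn:oid:0.9.2342.19200300.100.1.3"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <md:RequestedAttribute FriendlyName="employeeNumber"
          Name="urn:oid:2.16.840.1.113730.3.1.3"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Hypothetical site-wide decision: attributes that may be offered to the user for
# consent-based release to any SP that requests them. employeeNumber is deliberately
# absent, so a request for it is refused regardless of what the SP metadata says.
SITE_RELEASABLE: Set[str] = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",   # eduPersonPrincipalName
    "urn:oid:0.9.2342.19200300.100.1.3",  # mail
    "urn:oid:2.16.840.1.113730.3.1.241",  # displayName
}


@dataclass(frozen=True)
class RequestedAttribute:
    name: str           # SAML attribute Name as declared by the SP
    friendly_name: str  # human-readable label shown on the consent page
    required: bool      # SP's isRequired flag


def requested_attributes(metadata_xml: str) -> List[RequestedAttribute]:
    """Extract every RequestedAttribute from the SP's AttributeConsumingService."""
    root = ET.fromstring(metadata_xml)
    found = []
    for el in root.findall(".//md:AttributeConsumingService/md:RequestedAttribute", MD_NS):
        found.append(RequestedAttribute(
            name=el.get("Name"),
            friendly_name=el.get("FriendlyName", el.get("Name")),
            required=el.get("isRequired", "false").lower() == "true",
        ))
    return found


def consent_candidates(metadata_xml: str, site_releasable: Set[str]) -> Dict[str, List[RequestedAttribute]]:
    """Split the SP's requests into those the site allows (offered to the user for consent)
    and those it blocks outright (never shown, never released)."""
    offer, blocked = [], []
    for ra in requested_attributes(metadata_xml):
        (offer if ra.name in site_releasable else blocked).append(ra)
    return {"offer": offer, "blocked": blocked}


def release_with_consent(candidates: Dict[str, List[RequestedAttribute]],
                         consented_friendly_names: Set[str]) -> Dict[str, List[str]]:
    """Apply the user's opt-in choices: only consented attributes are released.
    Required attributes the user declined are reported so the IdP can warn that
    the SP may refuse service, rather than overriding the user's choice."""
    release = [ra.name for ra in candidates["offer"] if ra.friendly_name in consented_friendly_names]
    declined_required = [ra.friendly_name for ra in candidates["offer"]
                         if ra.required and ra.friendly_name not in consented_friendly_names]
    return {"release": release, "declined_required": declined_required}


if __name__ == "__main__":
    cands = consent_candidates(SAMPLE_SP_METADATA, SITE_RELEASABLE)
    print("offered for consent:", [ra.friendly_name for ra in cands["offer"]])
    print("blocked by site policy:", [ra.friendly_name for ra in cands["blocked"]])
    print(release_with_consent(cands, {"eduPersonPrincipalName", "mail"}))
```

The site-wide list replaces the per-SP AFP rule as the gatekeeper: an SP that appears in federation metadata tomorrow is handled without any administrator action, but it still cannot obtain anything outside the site's list, and the user retains the final opt-in for everything that is offered.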
...