ok, thanks Ian
Alistair
--
mov eax,1
mov ebx,0
int 80h
> Alistair Young wrote:
>
>> So it's the value of NameIdentifier.
>
> It's the correspondence between that and the end user.
>
>> The way I see it, the logging is a uk federation extension to the
>> Shibboleth profile
>
> No, really, it's not. There's an underlying assumption that the
> assertions you issue contain some identifier that can be used to provide
> accountability at a later date, but that's all. That's not a profile
> extension.
>
>> so it would make sense to document the procedure for
>> fulfilling that clause. Whether it's automatic (unlikely) or via some
>> documented inter-entity process, e.g. "SP admin should email value of
>> NameIdentifier to technical contact at IdP, who should respond with
>> whatever user details are required".
>
> Clause 6.5 doesn't discuss the actual procedure for pursuing errant
> users. It merely asks you to assert that you keep enough information
> that, if necessary, you would be able to hold a user accountable for
> their actions at a later date.
>
> The Rules only really discuss the question of enforcement in 3.5, where
> you agree to "give reasonable assistance". How you do that is largely
> between you and the other party; the Rules don't cover it. You're more
> likely to find such things in the contracts you hold with the service
> providers.
>
>> That's another Q - how much user information to release to the SP admin?
>> Should it be released to the SP admin or should the IdP "deal with the
>> situation"?
>
> Again, not discussed in the Rules but may be part of your contract with
> the SP. My opinion: I would expect that you'd want to have the option
> to deal with minor infractions internally, as handing over personal
> information just because the SP says they want it might well open you to
> legal liability yourselves.
>
> You may find that re-reading section 4 of the federation's
> "Recommendations for Use of Personal Data" (Logfiles) will answer some
> of these questions.
>
> -- Ian
>
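As an illustration of the "correspondence" Ian describes (the link the IdP keeps between the NameIdentifier it issued and the end user), here is an added example that is not part of this thread or of any federation document. It assumes the IdP writes a Shibboleth IdP 2.x-style pipe-delimited audit log (field positions as assumed in the comments); the log lines are constructed, the entityIDs and usernames are made up, and the function names are hypothetical. The point it shows is that an SP's report needs three things before the IdP can answer it: the NameIdentifier value, the SP's own entityID, and roughly when the identifier was used; and that the IdP's answer can be just an internal principal name, leaving the decision about releasing any personal data to the IdP.

```python
"""Resolve a NameIdentifier reported by an SP back to the IdP principal.

Added example (not from the mailing-list thread). Assumes the IdP keeps a
Shibboleth IdP 2.x-style audit log: one pipe-delimited record per issued
assertion. Field positions assumed here: 0 = time (yyyyMMdd'T'HHmmss'Z'),
3 = relying party (SP entityID), 8 = principal, 11 = NameIdentifier.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

# Constructed sample log: three SSO events, two of them for the same SP.
AUDIT_LOG = """\
20130605T101533Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_req1|https://sp.example.ac.uk/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.example.ac.uk/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_resp1|jsmith|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonScopedAffiliation,|_7c0e5d2b|_a1,|
20130605T101540Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_req2|https://other.example.org/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.example.ac.uk/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_resp2|abrown|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonScopedAffiliation,|_3e9b1c44|_a2,|
20130605T143012Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_req3|https://sp.example.ac.uk/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.example.ac.uk/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_resp3|jsmith|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonScopedAffiliation,|_d41f9a77|_a3,|
"""


@dataclass(frozen=True)
class AuditEvent:
    time: datetime        # when the assertion was issued (UTC)
    relying_party: str    # SP entityID the assertion was issued to
    principal: str        # internal username at the IdP
    name_id: str          # NameIdentifier value the SP will have seen


def parse_audit_time(text: str) -> datetime:
    """Parse the audit-log timestamp format (assumed: yyyyMMdd'T'HHmmss'Z')."""
    return datetime.strptime(text, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_audit_line(line: str) -> AuditEvent:
    """Pull the four fields needed for accountability out of one record."""
    fields = line.rstrip("\n").split("|")
    if len(fields) < 13:
        raise ValueError("unexpected audit record: %r" % line)
    return AuditEvent(
        time=parse_audit_time(fields[0]),
        relying_party=fields[3],
        principal=fields[8],
        name_id=fields[11],
    )


def load_audit_log(text: str) -> List[AuditEvent]:
    return [parse_audit_line(line) for line in text.splitlines() if line.strip()]


def resolve_name_id(events: Iterable[AuditEvent], name_id: str, relying_party: str,
                    seen_at: datetime, window: timedelta = timedelta(hours=12)) -> Optional[str]:
    """Return the principal behind `name_id` as used at `relying_party` near `seen_at`.

    Matching on the SP's entityID and a time window matters: a transient
    NameIdentifier is only meaningful for the SP it was issued to, and the
    IdP may have reused or re-issued identifiers at other times. Returns None
    when nothing matches; raises LookupError if the log is contradictory.
    """
    matches = [
        e for e in events
        if e.name_id == name_id
        and e.relying_party == relying_party
        and seen_at - window <= e.time <= seen_at
    ]
    principals = {e.principal for e in matches}
    if not principals:
        return None
    if len(principals) > 1:
        raise LookupError("NameIdentifier %s maps to several principals: %s"
                          % (name_id, sorted(principals)))
    return principals.pop()


EVENTS = load_audit_log(AUDIT_LOG)

if __name__ == "__main__":
    # An SP reports misuse of NameIdentifier _7c0e5d2b at 10:30 UTC on 5 June.
    sp = "https://sp.example.ac.uk/shibboleth"
    print(resolve_name_id(EVENTS, "_7c0e5d2b", sp, parse_audit_time("20130605T103000Z")))
```

The window defaults to twelve hours because the identifier is issued at login, so the time the SP saw it is after (not before) the audit record. Adjust the window to the longest session lifetime the SP allows. Note that the function deliberately returns only the internal principal name: whether any of that user's personal data then goes to the SP is a separate decision for the IdP.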