> "Do you want to let the Service Provider know your email address?" is
> what they should be asked and the IdP should do that mapping. But then
> again, IdPs don't know what attributes the SP wants. Most SPs take a
The IdP can know what attributes are required (via RequestedAttribute) and
display them using their "friendlyName"; at least that's what we've been
playing around with in both Autograph and ShARPE.
> blunderbuss approach, getting the IdP to release everything and then
> sifting to see if what has arrived is enough to grant access.
>
Autograph/ShARPE bring this to the level where users are informed
whether they're going to get the service or not, based on the publicized
attribute requirements in the SP and the user's willingness to release
whatever attributes are required. This allows the user to tune which
attributes they're willing to give up to gain access to the service.
> Remember that your first name can be transported in any number of
> attributes depending on which SP wants it. So you should be asked
> about your first name, not your
> urn:very:long:urn:eduThingyNeverHeardOfThatAttribute.
>
Ignoring how the attributes are transported, as long as they come back as
an attribute request from the SP to the IdP, the cryptic format is only
for the purpose of the transport layer.
Management of attribute mappings in ShARPE (done by the admin) allows any
of your:very:funny:urnThingy to be mapped to any another:funny:urnThingy
without the user knowing anything about it (only the friendlyname,
perhaps).
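As an added illustration of the consent flow discussed above (example code written for this page, not Autograph's or ShARPE's own implementation): the IdP reads the SP's RequestedAttribute list from its SAML metadata, shows the user only the FriendlyName of each attribute, and tells the user up front whether the set they are willing to release is enough for the SP to grant access. The metadata fragment and the consent sets are constructed sample input.

```python
# Added example (not code from the original thread or from Autograph/ShARPE):
# parse an SP's AttributeConsumingService and decide, before releasing anything,
# whether the user's consent covers every attribute the SP marks isRequired.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed SP metadata for demonstration; the Name values are the standard
# urn:oid forms of mail, givenName and eduPersonPrincipalName.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Example Wiki</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"
          FriendlyName="mail" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.42"
          FriendlyName="givenName" isRequired="false"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
          FriendlyName="eduPersonPrincipalName" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def requested_attributes(metadata_xml):
    """Return [(name, friendly_name, is_required)] from the SP's AttributeConsumingService."""
    root = ET.fromstring(metadata_xml)
    result = []
    for ra in root.iterfind(".//md:AttributeConsumingService/md:RequestedAttribute", NS):
        # FriendlyName is optional in the schema; fall back to the raw Name so the
        # consent screen still has something to show rather than silently hiding it.
        friendly = ra.get("FriendlyName") or ra.get("Name")
        required = ra.get("isRequired", "false").lower() == "true"
        result.append((ra.get("Name"), friendly, required))
    return result


def release_decision(requested, consented_friendly_names):
    """Given the SP's requested attributes and the friendly names the user agreed
    to release, return (service_will_be_granted, missing_required, names_to_release).
    The user only ever deals in friendly names; the urn/oid Name is transport detail."""
    missing = [f for _, f, req in requested if req and f not in consented_friendly_names]
    release = [n for n, f, _ in requested if f in consented_friendly_names]
    return (not missing, missing, release)
```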