Allowing the user to define the attribute release policy

It is reasonable to assume that as identity federations grow, the task of maintaining the identity provider's attribute release policy increases. Categorizing service providers using entity categories is one attempt to alleviate the burden on the system administrators. Another would be to allow each user to individually control the release of her attributes. User-Managed Access (UMA) is a profile of and extension to OAuth 2.0. UMA defines how resource owners can control access to protected resources by clients operated by arbitrary requesting parties, where the resources reside on any number of resource servers, and where a centralized authorization server governs access based on the resource owner's policy. Combining SAML2 and UMA might then be one way of allowing individuals to manage their attribute release. The SAML2+UMA combination may also solve other problems, such as having different entities manage different portions of the same dataset, letting an IdP gather information from several different datasets under the same or different policy regimes, or keeping the user's information in one central place and allowing different identity providers access to user-controlled views of it. This talk will describe a SAML2+UMA implementation and also demonstrate one or more use cases.
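To make the division of roles concrete, the following is an added example (not code from the talk or from any SAML2+UMA implementation it describes): a toy authorization server that decides, for one user, which requested attributes an identity provider (acting as UMA resource server) may release to a service provider (the requesting party's client). The decision combines administrator-maintained entity-category defaults with the user's own policy, so it covers both approaches the abstract mentions. All entity IDs, category names and policy data are constructed for illustration; the attribute names follow the eduPerson schema but the defaults assigned to each category are invented.

```python
"""Toy model of user-managed attribute release (added example, not the talk's code).

Roles, following the UMA description in the abstract:
  - resource owner       : the user, who registers a policy for her attributes
  - resource server      : the identity provider holding the attributes
  - requesting party     : the service provider asking for attributes
  - authorization server : central component that evaluates the owner's policy
"""
from dataclasses import dataclass, field

# Administrator-maintained defaults keyed by entity category.
# Category names and their attribute sets are constructed for this example.
CATEGORY_DEFAULTS = {
    "example-research": {"eduPersonPrincipalName", "mail", "displayName"},
    "example-library": {"eduPersonScopedAffiliation"},
}


@dataclass
class ServiceProvider:
    entity_id: str
    categories: set = field(default_factory=set)


@dataclass
class UserPolicy:
    """Resource owner policy: the user's own decisions about her attributes."""
    # Explicit per-SP grants: entity_id -> attributes the user allows for that SP.
    per_sp: dict = field(default_factory=dict)
    # Hard denials: attributes the user never wants released to anyone.
    never: set = field(default_factory=set)
    # Whether category defaults apply when no explicit per-SP grant exists.
    accept_category_defaults: bool = True


class AuthorizationServer:
    """Evaluates resource owner policy on behalf of the identity provider."""

    def __init__(self):
        self.policies = {}  # user id -> UserPolicy

    def register(self, user, policy):
        self.policies[user] = policy

    def authorize(self, user, sp, requested):
        """Return (released_attributes, reason) for sp's request about user.

        Precedence: hard denial > explicit per-SP grant > category defaults.
        Anything not covered by a policy is denied (default deny), and only
        attributes that were actually requested are ever released.
        """
        policy = self.policies.get(user)
        if policy is None:
            return set(), "no policy registered; release nothing"

        requested = set(requested) - policy.never

        if sp.entity_id in policy.per_sp:
            allowed = policy.per_sp[sp.entity_id]
            return requested & allowed, "explicit user grant for this SP"

        if policy.accept_category_defaults:
            allowed = set()
            for category in sp.categories:
                allowed |= CATEGORY_DEFAULTS.get(category, set())
            if allowed & requested:
                return requested & allowed, "entity category defaults minus user denials"

        return set(), "no applicable policy; release nothing"


if __name__ == "__main__":
    # Constructed demo data.
    server = AuthorizationServer()
    server.register(
        "alice",
        UserPolicy(per_sp={"https://sp1.example/": {"mail"}}, never={"displayName"}),
    )
    sp = ServiceProvider("https://sp2.example/", {"example-research"})
    print(server.authorize("alice", sp, ["eduPersonPrincipalName", "mail", "displayName"]))
```

The identity provider would call `authorize` before building the SAML assertion and include only the returned attributes; the reason string is what a user-facing consent log would record. The hard-denial set is applied before any grant so that a broad entity-category default can never override a user's explicit refusal.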



  • Roland Hedberg

Part of session

Better safe than private
