Tuesday, May 09, 2006

Identity Selector sequence

An interesting animated sequence portraying an identity selector in action. Before releasing some identity to a Service Provider, the user is given the opportunity to view the identity that will be shared, and to edit this set. Normal stuff.

What I find interesting is how the mock-up also shows how the SP can 'make its case' to the user by describing how the services being offered may be contingent on which identity pieces are shared. So, for instance, when the user decides not to share their email address with the SP, the available levels of service (each with different permissions attached) that the SP is willing to provide change accordingly. With knowledge of the consequences of withholding particular identity bits, the user is able to make an 'informed consent' decision about their release.
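As an added illustration (not code from the original post or from the demo it describes), here is a small Python model of that 'offer': the service levels an SP could grant, the attributes each level is contingent on, and what the selector could tell the user about the cost of withholding each one before anything is released. The attribute names, service levels and user record are constructed for the example.

```python
# Added example, not part of the original post: a model of the negotiation the
# mock-up shows. The SP attaches an "offer" to its attribute request (each
# service level it can grant and which released attributes that level needs),
# and the selector shows the user what is lost by withholding any attribute.
# Service levels, attribute names and the user record are constructed.

# Constructed SP offer: service level -> attributes it is contingent on.
SP_OFFER = {
    "guest":    set(),
    "member":   {"eduPersonPrincipalName"},
    "verified": {"eduPersonPrincipalName", "mail"},
    "billing":  {"eduPersonPrincipalName", "mail", "postalAddress"},
}

# Constructed attributes the IdP holds for this user.
USER_ATTRIBUTES = {
    "eduPersonPrincipalName": "alice@example.edu",
    "mail": "alice@example.edu",
    "postalAddress": "1 Main St",
    "telephoneNumber": "555-0100",   # the SP's offer never needs this one
}


def available_levels(offer, released):
    """Service levels whose requirements are covered by the released attributes."""
    return sorted(name for name, needs in offer.items() if needs <= set(released))


def cost_of_withholding(offer, released, attribute):
    """Levels the user would lose by removing one attribute from the release set."""
    before = set(available_levels(offer, released))
    after = set(available_levels(offer, set(released) - {attribute}))
    return sorted(before - after)


def minimal_release(offer, level, held):
    """Smallest attribute set that reaches a level (least disclosure), or None
    when the IdP does not hold everything that level requires."""
    needs = offer[level]
    return set(needs) if needs <= set(held) else None


def consent_summary(offer, held):
    """Per attribute, the levels that depend on it: what the selector displays."""
    return {a: cost_of_withholding(offer, set(held), a) for a in sorted(held)}


if __name__ == "__main__":
    for attr, lost in consent_summary(SP_OFFER, USER_ATTRIBUTES).items():
        print(f"withhold {attr:24s} -> lose {lost or 'nothing'}")
```

An attribute with an empty cost (here `telephoneNumber`) is one the SP asked for but no offered level depends on, which is exactly the kind of request a selector should flag as safe to withhold.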

But I don't know of any identity protocols that explicitly support the SP providing this sort of 'offer' information when it requests identity from an IDP. Are there?

Given that the demo portrays a Shib-based system, perhaps Shibboleth added this piece to SAML? I've never heard of such an extension. More likely is that the SP has simply communicated these rules to the IDP beforehand so that the IDP effectively advertises the policy to the user. Not a particularly dynamic model.
