Presentation is loading. Please wait.

Presentation is loading. Please wait.

Consent-Informed Attribute Release (CAR) Serving SAML and OIDC/Oauth

Published byRudolph Mitchell Modified over 6 years ago

Similar presentations

Presentation on theme: "Consent-Informed Attribute Release (CAR) Serving SAML and OIDC/Oauth"— Presentation transcript:

1 Consent-Informed Attribute Release (CAR) Serving SAML and OIDC/Oauth
Ken Klingenstein Internet2

2 Consent-Informed Attribute Release (CAR)
A system of components that serves attribute release and consent needs across all protocols – OIDC and OAuth as well as Shib/SAML. Integrates organizational and individual choices for attribute release Support for user consent decisions that are informed, effective, revocable, accessible, etc. Catalyzed by NIST NSTIC grant and now becoming an Internet2 open-source TIER component. Includes UI/UX, enterprise and individual attribute release policy stores, notification and event services, individual and organizational admin interfaces, all accessed through the CARMA API UI/UX well researched, well-designed and well-implemented. Includes Device and browser independent. Device adaptive - works well with mobile apps. i18n and locale Fine-grain controls on attribute release (down to value level of multi-valued attributes), explanations, reconsent options, friendly names and values, etc. User self-serve for consent management, revocation, etc.

3 CARMA in SAML flow Next-gen UI
User Next-gen UI Enterprise Management Console Consent-informed Attribute Release Manager (CARMA) Informed Content Manager IdP TO SP Consent Event records Attribute Release Policy Service For Institutions (ARPSI) Consent Policy Service For Users (COPSU) Attribute Source

4 CARMA in OAuth flow Next-gen UI
User Next-gen UI Enterprise Management Console Consent-informed Attribute Release Manager (CARMA) Informed Content Manager Oauth Client Authorization Server Consent Event records Attribute Release Policy Service For Institutions (ARPSI) Consent Policy Service For Users (COPSU)

5

6 UI

7 UI

8 What is Informed Content
The fuel that drives effective and informed user consent decisions Limited, though extensible sets of marks, assessments, policies, etc. that are part of the UX Icons for IdP and SP SP IsRequired and Optional Attribute Needs Display-names and display-values for attributes Trustmark information Explanatory application-specific dialogue boxes (e.g. why attribute is needed) Privacy and third-party use policy pointer Additional user-centric information feeds Vetted, self-asserted, reputation systems, etc Far-reaching insights -

9 Status and Next Steps The code is in pre-production stage.
Central functionalities implemented and tested End-user UI under tweaking; admin and superadmin UI under development HA, packaged in standard TIER Docker containers. Scheduled to go through alpha/beta/1.0 over the next 6-12 months. Enhancements (policy editors, user-managed triggers for reconsent, improved admin interfaces, etc) await. A cycle of code release versions and bug fixes etc awaits

10 Outcomes Consistent, informed user experience across a variety of platforms and protocols Integration of institutional and individual attributes Location Emergency contact and medical information Personal schedules Managing consent across applications and consent as a service Ability to offer organizational advice to user Providing new options for accessibility Accessibility with Privacy Extending organizational attribute release policy from directory/IdP to other systems of record with bio-demographic attributes. Creates institutional policy repository and service for attribute release

11 User self-serve management of consent
Consent as a user-managed IdP-provided app User authenticates to the consent manager to manage their existing policies, templates, etc. Can review and edit all existing user consent decisions Current release settings View logs and create templates While I’m away management What is released while the user is away - for batch, user-off-line apps, some Oauth flows permit/deny/use advice options

12 Enterprise management for consent
To manage end user presentation, attribute release policy management, user consent policy options, logging, etc. Policy administration tool Will allow editing of organizational attribute release policies within a decentralized authority environment. Aimed at use by policy administrators, sysadmins of SOR Superadmin tool Will manage institution-wide settings Logos and skinning Reconsent triggers Managing opaque values, sensitive attributes and values, blacklist and persona non grata attributes, friendly names and values Can have additional layers of security Aimed for use by IdP/CAR sysadmins

13 Examples Managing R&S attribute release
Adding consent options to other mechanisms for release “Required R&S attributes are released automatically for faculty, though they are informed once; for students, a consent screen is presented with an institutional set of recommendations for what to release” Institution can control who sees a consent screen on a per site basis Can also provide advice to a user based on attributes and group memberships “All students need to visit this alcohol education site. Only FERPA students need to see consent for this site, and we can present advice to them on what is needed” Managing when users need to reconsent “The privacy policy at a relying party has changed” “The value of the attribute you consented to be released has changed” Releasing attributes for access control “Your group membership will be released with consent when visiting a group-restricted site”

14 Additional information
The CAR Team – Marlena Erdos, Rob Carter, Mary McKee, Shilen Patel, Ken Klingenstein

Download ppt "Consent-Informed Attribute Release (CAR) Serving SAML and OIDC/Oauth"

Similar presentations

New Release Announcements and Product Roadmap Chris DiPierro, Director of Software Development April 9-11, 2014

New Release Announcements and Product Roadmap Chris DiPierro, Director of Software Development April 9-11, 2014
WHY CMS? WHY NOW? CONTENT MANAGEMENT SYSTEM. CMS OVERVIEW Why CMS? What is it? What are the benefits and how can it help me? Centralia College web content.

WHY CMS? WHY NOW? CONTENT MANAGEMENT SYSTEM. CMS OVERVIEW Why CMS? What is it? What are the benefits and how can it help me? Centralia College web content.
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
The Business Value of CA Solutions Ovidiu VALEANU Senior Consultant DNA Software – CA Regional Representative.

The Business Value of CA Solutions Ovidiu VALEANU Senior Consultant DNA Software – CA Regional Representative.
CS 5150 1 CS 5150 Software Engineering Lecture 13 System Architecture and Design 1.

CS CS 5150 Software Engineering Lecture 13 System Architecture and Design 1.
Prabath Siriwardena Senior Software Architect. An open source Identity & Entitlement management server.

Prabath Siriwardena Senior Software Architect. An open source Identity & Entitlement management server.
Midwest Documentum User Group Harley-Davidson Documentum WCM 10/10/2006.

Midwest Documentum User Group Harley-Davidson Documentum WCM 10/10/2006.
REDCap Overview Institute for Clinical and Translational Science Heath Davis Fred McClurg Brian Finley.

REDCap Overview Institute for Clinical and Translational Science Heath Davis Fred McClurg Brian Finley.
OAuth option for mHealth Brief Profile Proposal for 2013/14 presented to the IT Infrastructure Planning Committee R Horn (Agfa Healthcare)

OAuth option for mHealth Brief Profile Proposal for 2013/14 presented to the IT Infrastructure Planning Committee R Horn (Agfa Healthcare)
May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.

May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.
UMA Could I Manage My Own Data. Please?. Agenda Business Trends & Technical Solutions Distributed Business (Decentralisation) Mobility & Automation Delegation.

UMA Could I Manage My Own Data. Please?. Agenda Business Trends & Technical Solutions Distributed Business (Decentralisation) Mobility & Automation Delegation.
First Look Clinic: What’s New for IT Professionals in Microsoft® SharePoint® Server 2013 Sayed Ali (MCTS, MCITP, MCT, MCSA, MCSE )

First Look Clinic: What’s New for IT Professionals in Microsoft® SharePoint® Server 2013 Sayed Ali (MCTS, MCITP, MCT, MCSA, MCSE )
HTML+JavaScript M2M Applications Viewbiquity Public hybrid cloud platform for automating and visualizing everything.

HTML+JavaScript M2M Applications Viewbiquity Public hybrid cloud platform for automating and visualizing everything.
Federated Identity and the International Research Community Dr Ken Klingenstein Director, Internet2 Middleware and Security.

Federated Identity and the International Research Community Dr Ken Klingenstein Director, Internet2 Middleware and Security.
Copyright ©2012 Ping Identity Corporation. All rights reserved.1.

Copyright ©2012 Ping Identity Corporation. All rights reserved.1.
ArcGIS Server and Portal for ArcGIS An Introduction to Security

ArcGIS Server and Portal for ArcGIS An Introduction to Security
Siteman Cancer Center at Barnes-Jewish Hospital and Washington University School of Medicine Cancer Center Administration Database.

Siteman Cancer Center at Barnes-Jewish Hospital and Washington University School of Medicine Cancer Center Administration Database.
Chad La Joie Shibboleth’s Future.

Chad La Joie Shibboleth’s Future.
123456789101112…. PrePlanPrepareMigratePost Pre- Deployment PlanPrepareMigrate Post- Deployment First Mailbox.

…. PrePlanPrepareMigratePost Pre- Deployment PlanPrepareMigrate Post- Deployment First Mailbox.
1 Chapter Overview Publishing Resources in Active Directory Service Redirecting Folders Using Group Policies Deploying Applications Using Group Policies.

1 Chapter Overview Publishing Resources in Active Directory Service Redirecting Folders Using Group Policies Deploying Applications Using Group Policies.

Similar presentations

Ads by Google