Consent-Informed Attribute Release (CAR)
Serving SAML and OIDC/OAuth
Ken Klingenstein
Internet2
Consent-Informed Attribute Release (CAR)
• A system of components that serves attribute release and consent needs across all protocols
– OIDC and OAuth as well as Shib/SAML.
– Integrates organizational and individual choices for attribute release
– Support for user consent decisions that are informed, effective, revocable, accessible, etc.
• Catalyzed by NIST NSTIC grant and now becoming an Internet2 open-source TIER component.
• Includes UI/UX, enterprise and individual attribute release policy stores, notification and
event services, individual and organizational admin interfaces, all accessed through the
CARMA API
• UI/UX well researched, well-designed and well-implemented. Includes
– Device and browser independent. Device adaptive - works well with mobile apps. i18n and locale
– Fine-grain controls on attribute release (down to value level of multi-valued attributes),
explanations, reconsent options, friendly names and values, etc.
– User self-serve for consent management, revocation, etc.
CARMA in SAML flow
[Diagram: the User, through the Next-gen UI, interacts with the Consent-informed Attribute Release Manager (CARMA), which sits in the SAML exchange between the SP and the IdP. CARMA draws on the Attribute Source, the Informed Content Manager, the Attribute Release Policy Service For Institutions (ARPSI) and the Consent Policy Service For Users (COPSU), writes Consent Event records, and is administered from the Enterprise Management Console.]
CARMA in OAuth flow
[Diagram: the same components as the SAML flow, with the OAuth Client and the Authorization Server in place of the SP and IdP.]
[Diagram: CARMA component interactions. The Resource Holder (IdP, OP, etc.), on behalf of a Relying Party (SP, app, etc.), sends a decision request to CARMA's decision REST API. CARMA evaluates institutional policy from ARPSI and user policy from COPSU in the order set by its metapolicy, and returns a decision. Policy REST APIs carry policy updates from the enterprise UI, the intercept (consent) UI and the self-service UI used by the Self-service User; an order API lets policy ordering be changed (reorder policy updates).]
What is Informed Content
• The fuel that drives effective and informed user consent decisions
• Limited, though extensible, sets of marks, assessments, policies, etc. that are part of the UX
– Icons for IdP and SP
– SP IsRequired and Optional attribute needs
– Display-names and display-values for attributes
– Trustmark information
– Explanatory application-specific dialogue boxes (e.g. why an attribute is needed)
– Privacy and third-party use policy pointer
– Additional user-centric information feeds
• Vetted, self-asserted, reputation systems, etc
• Far-reaching insights - https://arxiv.org/abs/1608.05661
Status and Next Steps
• The code is in pre-production stage.
– Central functionalities implemented and tested
– End-user UI under tweaking; admin and superadmin UI under development
• HA, packaged in standard TIER Docker containers. Scheduled to go through
alpha/beta/1.0 over the next 6-12 months.
• Enhancements (policy editors, user-managed triggers for reconsent, improved admin
interfaces, etc.) await.
• A cycle of code release versions, bug fixes, etc. awaits
Outcomes
• Consistent, informed user experience across a variety of platforms and protocols
• Integration of institutional and individual attributes
– Location
– Emergency contact and medical information
– Personal schedules
• Managing consent across applications and consent as a service
• Ability to offer organizational advice to user
• Providing new options for accessibility
– Accessibility with Privacy
• Extending organizational attribute release policy from directory/IdP to other systems of
record with bio-demographic attributes.
• Creates institutional policy repository and service for attribute release
User self-serve management of consent
• Consent as a user-managed IdP-provided app
• User authenticates to the consent manager to manage their existing policies, templates, etc.
• Can review and edit all existing user consent decisions
– Current release settings
– View logs and create templates
• “While I’m away” management
– What is released while the user is away - for batch, user-offline apps, some OAuth flows
– permit/deny/use advice options
Enterprise management for consent
• To manage end user presentation, attribute release policy management, user consent policy
options, logging, etc.
• Policy administration tool
– Will allow editing of organizational attribute release policies within a decentralized authority
environment.
– Aimed at use by policy administrators and sysadmins of systems of record (SOR)
• Superadmin tool
– Will manage institution-wide settings
• Logos and skinning
• Reconsent triggers
• Managing opaque values, sensitive attributes and values, blacklist and persona non grata attributes,
friendly names and values
– Can have additional layers of security
– Aimed for use by IdP/CAR sysadmins
Examples
• Managing R&S attribute release
– Adding consent options to other mechanisms for release
– “Required R&S attributes are released automatically for faculty, though they are informed once; for
students, a consent screen is presented with an institutional set of recommendations for what to
release”
• Institution can control who sees a consent screen on a per site basis
– Can also provide advice to a user based on attributes and group memberships
– “All students need to visit this alcohol education site. Only FERPA students need to see consent for
this site, and we can present advice to them on what is needed”
• Managing when users need to reconsent
– “The privacy policy at a relying party has changed”
– “The value of the attribute you consented to be released has changed”
• Releasing attributes for access control
– “Your group membership will be released with consent when visiting a group-restricted site”
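The decision flow sketched in the CARMA diagram and the scenarios on this Examples slide, as a toy model added here (not CAR's own code or CARMA API): institutional policy (ARPSI) is consulted first and decides whether release is automatic, consent-based or denied; the user's consent policy (COPSU) then decides at the value level, and a never-consented or changed value triggers reconsent. The ARPSI rules, the relying-party URL and the "while I'm away" default are constructed for illustration.

```python
"""Toy model of a CAR-style attribute release decision.

Assumed design for illustration only (not CAR's own code or the CARMA API):
a Resource Holder (IdP/OP) asks decide() whether each attribute value may go
to a Relying Party. ARPSI is consulted first (auto release / consent / deny);
COPSU then decides value by value for anything left to consent. Values the
user never consented to (new or changed) trigger (re)consent.
"""
from dataclasses import dataclass, field

# Constructed ARPSI rules: relying party -> affiliation -> "release" | "consent" | "deny"
ARPSI = {"https://rs.example.org": {"faculty": "release", "student": "consent"}}
# Constructed institutional advice shown on the consent screen
ARPSI_ADVICE = {"https://rs.example.org": {"eduPersonPrincipalName", "mail"}}


@dataclass
class UserPolicy:
    """COPSU record: rp -> attribute -> set of values the user has consented to."""
    consented: dict = field(default_factory=dict)
    away_default: str = "deny"  # "while I'm away" choice for batch/offline flows


def decide(rp, affiliation, attrs, user, user_present=True):
    """Return {'released': {...}, 'ask': {...}, 'advice': set, 'notice': str}."""
    mode = ARPSI.get(rp, {}).get(affiliation, "consent")  # unknown -> ask the user
    if mode == "deny":
        return {"released": {}, "ask": {}, "advice": set(), "notice": "denied by institution"}
    if mode == "release":
        # Faculty case from the slides: released automatically, user informed once
        return {"released": dict(attrs), "ask": {}, "advice": set(),
                "notice": "released by institutional policy"}
    released, ask = {}, {}
    for name, values in attrs.items():
        ok = user.consented.get(rp, {}).get(name, set())
        kept = [v for v in values if v in ok]
        pending = [v for v in values if v not in ok]  # new or changed value -> reconsent
        if kept:
            released[name] = kept
        if pending and user_present:
            ask[name] = pending  # consent screen, with institutional advice attached
        elif pending and user.away_default == "permit":
            released.setdefault(name, []).extend(pending)
    advice = ARPSI_ADVICE.get(rp, set()) if ask else set()
    notice = "consent required" if ask else "released per user consent"
    return {"released": released, "ask": ask, "advice": advice, "notice": notice}
```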
Additional information
• The CAR Team – Marlena Erdos, Rob Carter, Mary McKee, Shilen Patel, Ken Klingenstein
• https://spaces.internet2.edu/display/ScalableConsent/Scalable+Consent+Home