Consent-Informed Attribute Release (CAR) Serving SAML and OIDC/Oauth Ken Klingenstein Internet2

Consent-Informed Attribute Release (CAR) A system of components that serves attribute release and consent needs across all protocols – OIDC and OAuth as well as Shib/SAML. Integrates organizational and individual choices for attribute release Support for user consent decisions that are informed, effective, revocable, accessible, etc. Catalyzed by NIST NSTIC grant and now becoming an Internet2 open-source TIER component. Includes UI/UX, enterprise and individual attribute release policy stores, notification and event services, individual and organizational admin interfaces, all accessed through the CARMA API UI/UX well researched, well-designed and well-implemented. Includes Device and browser independent. Device adaptive - works well with mobile apps. i18n and locale Fine-grain controls on attribute release (down to value level of multi-valued attributes), explanations, reconsent options, friendly names and values, etc. User self-serve for consent management, revocation, etc.

CARMA in SAML flow Next-gen UI User Next-gen UI Enterprise Management Console Consent-informed Attribute Release Manager (CARMA) Informed Content Manager IdP TO SP Consent Event records Attribute Release Policy Service For Institutions (ARPSI) Consent Policy Service For Users (COPSU) Attribute Source

CARMA in OAuth flow Next-gen UI User Next-gen UI Enterprise Management Console Consent-informed Attribute Release Manager (CARMA) Informed Content Manager Oauth Client Authorization Server Consent Event records Attribute Release Policy Service For Institutions (ARPSI) Consent Policy Service For Users (COPSU)

UI

UI

What is Informed Content The fuel that drives effective and informed user consent decisions Limited, though extensible sets of marks, assessments, policies, etc. that are part of the UX Icons for IdP and SP SP IsRequired and Optional Attribute Needs Display-names and display-values for attributes Trustmark information Explanatory application-specific dialogue boxes (e.g. why attribute is needed) Privacy and third-party use policy pointer Additional user-centric information feeds Vetted, self-asserted, reputation systems, etc Far-reaching insights - https://arxiv.org/abs/1608.05661

Status and Next Steps The code is in pre-production stage. Central functionalities implemented and tested End-user UI under tweaking; admin and superadmin UI under development HA, packaged in standard TIER Docker containers. Scheduled to go through alpha/beta/1.0 over the next 6-12 months. Enhancements (policy editors, user-managed triggers for reconsent, improved admin interfaces, etc) await. A cycle of code release versions and bug fixes etc awaits

Outcomes Consistent, informed user experience across a variety of platforms and protocols Integration of institutional and individual attributes Location Emergency contact and medical information Personal schedules Managing consent across applications and consent as a service Ability to offer organizational advice to user Providing new options for accessibility Accessibility with Privacy Extending organizational attribute release policy from directory/IdP to other systems of record with bio-demographic attributes. Creates institutional policy repository and service for attribute release

User self-serve management of consent Consent as a user-managed IdP-provided app User authenticates to the consent manager to manage their existing policies, templates, etc. Can review and edit all existing user consent decisions Current release settings View logs and create templates While I’m away management What is released while the user is away - for batch, user-off-line apps, some Oauth flows permit/deny/use advice options

Enterprise management for consent To manage end user presentation, attribute release policy management, user consent policy options, logging, etc. Policy administration tool Will allow editing of organizational attribute release policies within a decentralized authority environment. Aimed at use by policy administrators, sysadmins of SOR Superadmin tool Will manage institution-wide settings Logos and skinning Reconsent triggers Managing opaque values, sensitive attributes and values, blacklist and persona non grata attributes, friendly names and values Can have additional layers of security Aimed for use by IdP/CAR sysadmins

Examples Managing R&S attribute release Adding consent options to other mechanisms for release “Required R&S attributes are released automatically for faculty, though they are informed once; for students, a consent screen is presented with an institutional set of recommendations for what to release” Institution can control who sees a consent screen on a per site basis Can also provide advice to a user based on attributes and group memberships “All students need to visit this alcohol education site. Only FERPA students need to see consent for this site, and we can present advice to them on what is needed” Managing when users need to reconsent “The privacy policy at a relying party has changed” “The value of the attribute you consented to be released has changed” Releasing attributes for access control “Your group membership will be released with consent when visiting a group-restricted site”

Additional information The CAR Team – Marlena Erdos, Rob Carter, Mary McKee, Shilen Patel, Ken Klingenstein https://spaces.internet2.edu/display/ScalableConsent/Scalable+Consent+Home