Federation - Explicit Notice and Confirmation by Subscriber Prior to Attribute Release, v1.0

Identity Providers must provide subscribers explicit notice and request confirmation prior to transmitting attributes to an RP. If possible, it should allow subscribers to selectively control the transmission of individual attributes.

Assessment Step

1
Attribute Consent (AttributeConsent)
Does the IdP support sophisticated attribute release and filtering in control of the subscriber? This availability may be technology and use case dependent.
Artifact
A1
Provide evidence (e.g. policies, operational samples, screenshots) that IdPs support subscriber consent to transmit attributes.

Conformance Criteria (1)

C1
  • When the subscriber is involved in a runtime decision, the subscriber SHALL receive explicit notice and be able to provide positive confirmation before any attributes about the subscriber are transmitted to any RP.
  • At a minimum, the notice SHOULD be provided by the party in the position to provide the most effective notice and obtain confirmation, consistent with §9.2.
  • If the protocol in use allows for optional attributes, the subscriber SHALL be given the option to decide whether to transmit those attributes to the RP.
  • An IdP MAY employ mechanisms to remember and re-transmit the exact attribute bundle to the same RP.
Citation
NIST SP 800-63C
Section 4.2, Paragraph 6
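The conformance criteria above describe a runtime gate: nothing is transmitted without notice and positive confirmation, optional attributes are released only if the subscriber opts in, and an IdP may remember the exact confirmed bundle for the same RP. The following Python module is an added illustration of such a gate, not code from NIST, Kantara or any IdP product; the class and attribute names (ConsentGate, AttributeRequest, ConsentDecision, the sample RP identifier rp.example and the subject names) are constructed for this example.

```python
"""Consent-gated attribute release for an IdP (constructed illustration)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class AttributeRequest:
    """What an RP asks the IdP for, split into required and optional attributes."""
    rp_id: str
    required: FrozenSet[str]
    optional: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class ConsentDecision:
    """The subscriber's answer to the notice displayed by the IdP."""
    confirmed: bool                      # positive confirmation, never a default
    approved_optional: FrozenSet[str]    # optional attributes the subscriber opted in to
    remember: bool = False               # store this exact bundle for this RP


class ConsentGate:
    """Enforces: no attribute leaves the IdP without an explicit, confirmed decision."""

    def __init__(self) -> None:
        # (subject, rp_id) -> exact attribute bundle previously confirmed by the subscriber
        self._remembered: Dict[Tuple[str, str], FrozenSet[str]] = {}

    def notice(self, request: AttributeRequest) -> dict:
        """Content of the explicit notice shown before any transmission."""
        return {
            "rp_id": request.rp_id,
            "required": sorted(request.required),
            "optional": sorted(request.optional),
        }

    def remembered_bundle(self, subject: str,
                          request: AttributeRequest) -> Optional[FrozenSet[str]]:
        """Return a previously confirmed bundle only if it still matches this request.

        Any attribute outside the stored bundle, or a request narrower than the
        stored bundle, forces a fresh decision instead of silent re-transmission.
        """
        bundle = self._remembered.get((subject, request.rp_id))
        if bundle is None:
            return None
        if not request.required <= bundle:
            return None  # RP now requires something the subscriber never consented to
        if not bundle <= (request.required | request.optional):
            return None  # stored bundle is broader than the request; do not over-release
        return bundle

    def release(self, subject: str, request: AttributeRequest,
                decision: Optional[ConsentDecision]) -> Optional[FrozenSet[str]]:
        """Decide which attributes may be transmitted. None means: transmit nothing."""
        if decision is None:
            # No runtime decision this time: only a remembered exact bundle may be reused.
            return self.remembered_bundle(subject, request)
        if not decision.confirmed:
            return None  # subscriber declined; required attributes are not sent either
        if not decision.approved_optional <= request.optional:
            raise ValueError("approved attributes must be among the RP's optional attributes")
        bundle = request.required | decision.approved_optional
        if decision.remember:
            self._remembered[(subject, request.rp_id)] = bundle
        return bundle


if __name__ == "__main__":
    gate = ConsentGate()
    req = AttributeRequest("rp.example", frozenset({"sub", "email"}),
                           frozenset({"phone", "address"}))
    print(gate.notice(req))
    decision = ConsentDecision(True, frozenset({"phone"}), remember=True)
    print(sorted(gate.release("alice", req, decision)))
```

The gate treats the absence of a decision as "release nothing" unless an exact, previously confirmed bundle covers the request, which is the narrow reading of the MAY clause on remembering and re-transmitting; a broader stored bundle or a newly required attribute both fall back to fresh notice and confirmation.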