Scenarios

This document categorizes guidance, questions, and tests using these scenarios:

Baseline

Every federation operator, participant, or service should meet these standards. Anonymous, affiliation-only access is supported, but user identification may not always be possible.

Pseudonymous

Not every service provider needs (or wants) to handle personal data, and identity providers have a duty of care for their users’ privacy. Guidance in this category facilitates use cases that include privacy-preserving personalization, etc.

Attributable

Some services must hold their users accountable for their actions within the system, which requires assurances that personal data used for identification, authorization, and accounting is correct, complete, and well-protected.

Regulated

TODO