Configuring Attribute Release Consent with SP blacklist

Terry Smith t.smith at
Tue Apr 12 01:50:33 EDT 2016

Hi Gary,

It is possible to suppress the user consent dialog for specific services.
This provides for backwards compatibility with IdPv2's uApprove's
services/services.blacklist settings, which is the behavior you wish to

The configuration is in the relying-party.xml file and is controlled by
the p:postAuthenticationFlows="attribute-release" which is set in

    <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" /> and
    <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />

So in your relying-party.xml add a RelyingPartyOverrides to turn off
attribute-release as follows for each SP where you want to "blacklist" user

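    <util:list id="shibboleth.RelyingPartyOverrides">

        <!-- No p:postAuthenticationFlows on these profiles, so no consent prompt for the listed SPs -->
        <bean parent="RelyingPartyByName"
              c:relyingPartyIds="#{{'', ''}}">
            <property name="profileConfigurations">
                <list>
                    <bean parent="Shibboleth.SSO"/>
                    <bean parent="SAML2.SSO" />
                </list>
            </property>
        </bean>
    </util:list>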


You will find an empty RelyingPartyOverrides container at the end of the
default relying-party.xml file.


On Tue, Apr 12, 2016 at 2:08 PM, Lipscomb, Gary <glipscomb at>

> We are converting from v2 to v3 and wish to retain the v2 uApprove
> functionality whereby you can provide a blacklist of SPs to which
> attribute release consent was not required since these are internal SPs
> whereby consent has already been given by accepting the University's ToU.
> Is this possible in v3? I can't find anything in the wiki.
> If not, is there a workaround with example code?
> Regards
> Gary
> Charles Sturt University