Configuring Attribute Release Consent with SP blacklist
Lipscomb, Gary
glipscomb at csu.edu.au
Wed Apr 13 01:57:42 EDT 2016
Hi,
I've added the following override [1] in relying-party.xml but it is still defaulting to the consent release. A snippet from the log [2] below as well.
Have I missed something?
Regards
Gary
[1] relying-party.xml override
<bean parent="RelyingPartyByName"
      c:relyingPartyIds="#{{'https://AAAAdevel.csu.edu.au/shibboleth', 'BBBBdevel.csu.edu.au/shibboleth'}}">
    <property name="profileConfigurations">
        <list>
            <ref bean="Shibboleth.SSO" />
            <ref bean="SAML1.AttributeQuery" />
            <ref bean="SAML1.ArtifactResolution" />
            <ref bean="SAML2.SSO" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>
[2] idp-process.log
2016-04-13 15:47:20,373 - DEBUG [net.shibboleth.idp.saml.profile.impl.InitializeRelyingPartyContextFromSAMLPeer:132] - Profile Action InitializeRelyingPartyContextFromSAMLPeer: Attaching RelyingPartyContext based on SAML peer https://AAAAdevel.csu.edu.au/shibboleth
2016-04-13 15:47:20,398 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:293] - Resolving relying party configuration
2016-04-13 15:47:20,399 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:305] - Checking if relying party configuration EntityNames[#('https://AAAAdevel.csu.edu.au/shibboleth','BBBBdevel.csu.edu.au/shibboleth'),] is applicable
2016-04-13 15:47:20,399 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:310] - Relying party configuration EntityNames[#('https://AAAAdevel.csu.edu.au/shibboleth','BBBBdevel.csu.edu.au/shibboleth'),] is not applicable
2016-04-13 15:47:20,399 - DEBUG [net.shibboleth.idp.relyingparty.impl.DefaultRelyingPartyConfigurationResolver:314] - No relying party configurations are applicable, returning the default configuration shibboleth.DefaultRelyingParty
2016-04-13 15:47:20,399 - DEBUG [net.shibboleth.idp.profile.impl.SelectRelyingPartyConfiguration:136] - Profile Action SelectRelyingPartyConfiguration: Found relying party configuration shibboleth.DefaultRelyingParty for request
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Terry Smith
Sent: Tuesday, 12 April 2016 15:51
To: Shib Users <users at shibboleth.net>
Subject: Re: Configuring Attribute Release Consent with SP blacklist
Hi Gary,
It is possible to suppress the user consent dialog for specific services. This provides for backwards compatibility with IdPv2's uApprove's services/services.blacklist settings, which is the behavior you wish to retain.
The configuration is in the relying-party.xml file and is controlled by the p:postAuthenticationFlows="attribute-release" which is set in
<bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" /> and
<bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
So in your relying-party.xml add a RelyingPartyOverrides to turn off attribute-release as follows for each SP where you want to "blacklist" user consent.
<util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName"
          c:relyingPartyIds="#{{'https://a.example.com/shibboleth', 'https://b.example.com/shibboleth'}}">
        <property name="profileConfigurations">
            <list>
                <bean parent="Shibboleth.SSO"/>
                <bean parent="SAML2.SSO" />
            </list>
        </property>
    </bean>
</util:list>
You will find an empty RelyingPartyOverrides container at the end of the default relying-party.xml file.
Thanks,
Terry.
On Tue, Apr 12, 2016 at 2:08 PM, Lipscomb, Gary <glipscomb at csu.edu.au> wrote:
We are converting from v2 to v3 and wish to retain the v2 uApprove functionality whereby you can provide a blacklist of SPs to which attribute release consent was not required since these are internal SPs whereby consent has already been given by accepting the Universities’ ToU.
Is this possible in v3? I can’t find anything in the wiki.
If not, is there a workaround with example code?
Regards
Gary
Charles Sturt University
| ALBURY-WODONGA | BATHURST | CANBERRA | DUBBO | GOULBURN | MELBOURNE | ORANGE | PORT MACQUARIE | SYDNEY | WAGGA WAGGA |
________________________________________
LEGAL NOTICE
This email (and any attachment) is confidential and is intended for the use of the addressee(s) only. If you are not the intended recipient of this email, you must not copy, distribute, take any action in reliance on it or disclose it to anyone. Any confidentiality is not waived or lost by reason of mistaken delivery. Email should be checked for viruses and defects before opening. Charles Sturt University (CSU) does not accept liability for viruses or any consequence which arise as a result of this email transmission. Email communications with CSU may be subject to automated email filtering, which could result in the delay or deletion of a legitimate email before it is read at CSU. The views expressed in this email are not necessarily those of CSU.
Charles Sturt University in Australia The Grange Chancellery, Panorama Avenue, Bathurst NSW Australia 2795 (ABN: 83 878 708 551; CRICOS Provider Number: 00005F (National)). TEQSA Provider Number: PV12018
Consider the environment before printing this email.
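Added example (not from the thread or the Shibboleth project): a Python audit of relying-party.xml that lists which entityID / SSO-profile pairs skip the attribute-release flow, counts RelyingPartyByName beans sitting outside the shibboleth.RelyingPartyOverrides container, and flags listed IDs with no URI scheme so they can be checked against the SP's entityID. The sample XML, the function names and the treatment of a <ref> element as carrying no flows are assumptions.

```python
import re
import xml.etree.ElementTree as ET

BEANS = "http://www.springframework.org/schema/beans"
NS = {"b": BEANS, "util": "http://www.springframework.org/schema/util"}
P_FLOWS = "{http://www.springframework.org/schema/p}postAuthenticationFlows"
C_IDS = "{http://www.springframework.org/schema/c}relyingPartyIds"
SSO_PROFILES = {"Shibboleth.SSO", "SAML2.SSO"}

# Constructed sample: one override inside the container, one stray bean outside it.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:util="http://www.springframework.org/schema/util"
    xmlns:p="http://www.springframework.org/schema/p"
    xmlns:c="http://www.springframework.org/schema/c">
  <util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName"
        c:relyingPartyIds="#{{'https://a.example.com/shibboleth', 'b.example.com/shibboleth'}}">
      <property name="profileConfigurations"><list>
        <bean parent="Shibboleth.SSO"/>
        <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release"/>
      </list></property>
    </bean>
  </util:list>
  <bean parent="RelyingPartyByName" c:relyingPartyIds="#{{'https://c.example.com/shibboleth'}}"/>
</beans>"""

def is_rp(bean):
    return bean.get("parent") == "RelyingPartyByName"

def audit_consent_overrides(xml_text):
    """Report which (entityID, SSO profile) pairs are exempt from consent."""
    root = ET.fromstring(xml_text)
    box = root.find(".//util:list[@id='shibboleth.RelyingPartyOverrides']", NS)
    listed = [b for b in box.findall("b:bean", NS) if is_rp(b)] if box is not None else []
    stray = sum(1 for b in root.iter("{%s}bean" % BEANS) if is_rp(b)) - len(listed)
    report = {"consent_skipped": [], "no_scheme": [], "outside_container": stray}
    for bean in listed:
        # The SpEL list literal #{{'a', 'b'}} is read as its quoted strings.
        ids = re.findall(r"'([^']*)'", bean.get(C_IDS, ""))
        report["no_scheme"] += [i for i in ids if "://" not in i]
        path = "b:property[@name='profileConfigurations']/b:list/*"
        for prof in bean.findall(path, NS):
            # Assumption: a <ref bean="..."/> carries no flows of its own.
            name = prof.get("parent") or prof.get("bean")
            if name in SSO_PROFILES and "attribute-release" not in prof.get(P_FLOWS, ""):
                report["consent_skipped"] += [(i, name) for i in ids]
    return report
```

Calling audit_consent_overrides() on the text of a real relying-party.xml gives a reviewable list of every SP that has been exempted from consent.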