Configuring Attribute Release Consent with SP blacklist
Etienne Dysli-Metref
etienne.dysli-metref at switch.ch
Wed Apr 13 02:27:06 EDT 2016
On 12/04/16 16:00, Cantor, Scott wrote:
> It's best to attach an EntityAttribute using a metadata filter, and
> then base the policy on the tag.
We've added homeOrg and homeOrgType to our federation metadata so that
IdP operators can easily turn consent off for SPs in their organisation.
<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- ... more beans -->
    <bean id="shibboleth.NoUserConsentRelyingParty"
          parent="RelyingPartyByTag">
        <constructor-arg name="candidates">
            <list>
                <!-- matches SPs whose homeOrg EntityAttribute carries this value -->
                <bean id="disableForSingleHomeOrganization"
                      parent="TagCandidate"
                      c:name="urn:oid:2.16.756.1.2.5.1.1.4"
                      p:values="example.org" />
                <!-- ... more beans -->
            </list>
        </constructor-arg>
        <property name="profileConfigurations">
            <list>
                <ref bean="Shibboleth.SSO" />
                <ref bean="SAML2.SSO" />
                <!-- ... other profiles -->
            </list>
        </property>
    </bean>
</util:list>
See [1] pp. 22-26 for a bit more detail.
Etienne
[1]
https://www.switch.ch/aai/support/presentations/shibboleth-training-2015/T3P09-User_Consent.pdf
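Added dry-run check, not part of Etienne's message or of the Shibboleth IdP: a small Python script that reads a SAML metadata aggregate and lists the SPs whose urn:oid:2.16.756.1.2.5.1.1.4 EntityAttribute carries one of the TagCandidate's values, i.e. the SPs for which the override above would switch consent off. The aggregate, the entityIDs and the "example.net" value are constructed for illustration; the matching rule (attribute Name equal, any one listed value present) is an assumption about what the TagCandidate does.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HOME_ORG_OID = "urn:oid:2.16.756.1.2.5.1.1.4"  # c:name of the TagCandidate above

# Constructed sample aggregate: one SP tagged example.org, one tagged example.net, one untagged.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <md:EntityDescriptor entityID="https://sp1.example.org/shibboleth">
  <md:Extensions><mdattr:EntityAttributes>
   <saml:Attribute Name="urn:oid:2.16.756.1.2.5.1.1.4">
    <saml:AttributeValue>example.org</saml:AttributeValue></saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor/>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp2.example.net/shibboleth">
  <md:Extensions><mdattr:EntityAttributes>
   <saml:Attribute Name="urn:oid:2.16.756.1.2.5.1.1.4">
    <saml:AttributeValue>example.net</saml:AttributeValue></saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor/>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp3.example.org/shibboleth">
  <md:SPSSODescriptor/>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def entity_attribute_values(entity, name):
    """All AttributeValue strings of EntityAttribute `name` on one EntityDescriptor."""
    return {
        (v.text or "").strip()
        for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS)
        if attr.get("Name") == name
        for v in attr.findall("saml:AttributeValue", NS)
    }

def sps_matching_tag(metadata_xml, name, values):
    """entityIDs of SPs whose EntityAttribute `name` has any value in `values`,
    i.e. the SPs a TagCandidate with c:name=name and p:values=values would select."""
    wanted = set(values)
    root = ET.fromstring(metadata_xml)
    return [
        e.get("entityID")
        for e in root.iter(f"{{{NS['md']}}}EntityDescriptor")
        if e.find("md:SPSSODescriptor", NS) is not None  # only SPs get consent
        and entity_attribute_values(e, name) & wanted
    ]
```

Run it against your real aggregate before deploying the override to confirm the list is exactly the SPs in your own organisation.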