Configuring Attribute Release Consent with SP blacklist

Etienne Dysli-Metref etienne.dysli-metref at
Wed Apr 13 02:27:06 EDT 2016

On 12/04/16 16:00, Cantor, Scott wrote:
> It's best to attach an EntityAttribute using a metadata filter, and
> then base the policy on the tag.

We've added homeOrg and homeOrgType to our federation metadata so that
IdP operators can easily turn consent off for SPs in their organisation.

<util:list id="shibboleth.RelyingPartyOverrides">
  <!-- ... more beans -->
  <bean id="shibboleth.NoUserConsentRelyingParty">
    <constructor-arg name="candidates">
      <list>
        <!-- candidate tag: the homeOrg entity attribute and the value(s) to match -->
        <bean id="disableForSingleHomeOrganization"
              p:values="" />
        <!-- ... more beans -->
      </list>
    </constructor-arg>
    <property name="profileConfigurations">
      <list>
        <ref bean="Shibboleth.SSO" />
        <ref bean="SAML2.SSO" />
        <!-- ... other profiles -->
      </list>
    </property>
  </bean>
</util:list>

See [1] pp.22-26 for a bit more detail.
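
An audit sketch for the tag-based override discussed in this thread, added here as an example and not part of the original post or of Shibboleth: it lists which SPs in a metadata file carry a matching entity attribute and would therefore skip consent. The tag name, the sample entities and the function names are assumptions, and matching is modelled as exact comparison of trimmed values.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed tag name: the federation's real homeOrg attribute name is not in the post.
HOME_ORG_TAG = "https://federation.example.org/attributes/homeOrg"

def _entity(entity_id, role, home_org=None):
    """Build one constructed EntityDescriptor for the sample metadata."""
    ext = ""
    if home_org:
        ext = ('<md:Extensions><mdattr:EntityAttributes>'
               f'<saml:Attribute Name="{HOME_ORG_TAG}">'
               f'<saml:AttributeValue> {home_org} </saml:AttributeValue>'
               '</saml:Attribute></mdattr:EntityAttributes></md:Extensions>')
    return f'<md:EntityDescriptor entityID="{entity_id}">{ext}<md:{role}/></md:EntityDescriptor>'

# Constructed sample metadata (trimmed to the elements the check reads).
SAMPLE_METADATA = (
    '<md:EntitiesDescriptor xmlns:md="%(md)s" xmlns:mdattr="%(mdattr)s" xmlns:saml="%(saml)s">' % NS
    + _entity("https://sp1.example.org/shibboleth", "SPSSODescriptor", "example.org")
    + _entity("https://sp2.other.example/shibboleth", "SPSSODescriptor", "other.example")
    + _entity("https://sp3.example.net/shibboleth", "SPSSODescriptor")  # untagged SP
    + _entity("https://idp.example.org/idp", "IDPSSODescriptor", "example.org")
    + '</md:EntitiesDescriptor>')

def entity_tags(entity):
    """Return {attribute name: set of trimmed values} from mdattr:EntityAttributes."""
    tags = {}
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = {(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)}
        tags.setdefault(attr.get("Name"), set()).update(values)
    return tags

def sps_without_consent(metadata_xml, tag_name, tag_values):
    """List SP entityIDs whose tag matches any value; feed it signature-verified metadata."""
    root = ET.fromstring(metadata_xml)
    matched = []
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if entity.find("md:SPSSODescriptor", NS) is None:
            continue  # IdPs and other roles are not relying parties for SSO
        if entity_tags(entity).get(tag_name, set()) & set(tag_values):
            matched.append(entity.get("entityID"))
    return sorted(matched)

if __name__ == "__main__":
    for entity_id in sps_without_consent(SAMPLE_METADATA, HOME_ORG_TAG, {"example.org"}):
        print("consent disabled for:", entity_id)
```

Running it against the aggregate before and after a policy change gives a reviewable list of the SPs that will receive attributes without a consent prompt.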


