Attribute consent flow activation based on relying party and user attribute

Wessel, Keith kwessel at illinois.edu
Wed Jul 20 21:55:35 EDT 2016


Thanks, Scott. That makes sense.

So, sounds like the starting point, as I suspected, is going to be in the profile-intercept.xml. There are some good samples out there, but what kind of code would I use if I wanted to, say, match a given entity tag or (I know this isn't advisable long-term) entity group in the activation conditions?

Keith

-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Wednesday, July 20, 2016 5:26 PM
To: Shib Users <users at shibboleth.net>
Subject: RE: Attribute consent flow activation based on relying party and user attribute

> We're wanting to trigger user attribute release consent based on a set of
> conditions involving both the SP (or entity tag) and/or the user's FERPA
> suppression state.

Yes, same for me (not doing it yet, but planning to).

> Should I possibly be triggering consent based on relying party in the profile-
> intercept.xml so I can have my logic in the same place as the attribute-based
> activation? That sounds as messy as trying to write a custom bean that
> activates based on FERPA suppression attributes in relying-party.xml. After
> all, an attribute indicating a user is FERPA-suppressed has nothing to do with
> relying parties.

Well, you can't choose a RP based on the user, because the user's not known that early. So if that helps...
 
> The end goal is to have some requests activate the consent flow for all users,
> others for only FERPA-suppressed users, and others not at all, based on the
> SP or SP tags.

I prefer locality of reference for my rules, personally, not spreading things around. Keep in mind you can write code freely here, so you could always use flat file lists of entityIDs or bean-defined lists of them to perform logic against the same list in multiple places too. Really just depends, mostly personal preference and situational. You have about ten places to attach conditions for any given rule, so the problem is just too much flexibility I guess, but I wouldn't really get too hung up over it. You can always just adjust it later.

-- Scott
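The following is an added example, not code from this thread or from the Shibboleth project itself: one way to write the rule Keith describes (consent for every user at some SPs, only for FERPA-suppressed users at SPs carrying a particular entity tag, and not at all elsewhere) as beans in conf/intercept/profile-intercept.xml for IdP v3, using the standard condition parent beans (RelyingPartyId, EntityDescriptor wrapping EntityAttributes, SimpleAttribute, AND/OR). The entityIDs, the tag name and value, and the `ferpaSuppressed` attribute ID are hypothetical; the bean names and constructor-arg names follow the IdP v3 activation-condition documentation as I recall it, so check them, and the availability of the SimpleAttribute parent bean, against your own IdP version's reference before relying on them.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for conf/intercept/profile-intercept.xml (Shibboleth IdP v3), not
     code from the thread or the project. entityIDs, tag name/value and the attribute
     ID "ferpaSuppressed" are hypothetical. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util
                           http://www.springframework.org/schema/util/spring-util.xsd">

    <!-- One list of entityIDs defined once, so other rules can reference the same
         bean instead of duplicating the list (hypothetical SPs). -->
    <util:list id="example.AlwaysConsentSPs">
        <value>https://sp1.example.org/shibboleth</value>
        <value>https://sp2.example.org/shibboleth</value>
    </util:list>

    <!-- Case 1: match the relying party by entityID. -->
    <bean id="example.IsAlwaysConsentSP" parent="shibboleth.Conditions.RelyingPartyId"
          c:candidates-ref="example.AlwaysConsentSPs" />

    <!-- Case 2: match the relying party by entity tag, i.e. an entity attribute
         present in (or attached to) the SP's metadata. Name and value are hypothetical. -->
    <bean id="example.IsFerpaConsentSP" parent="shibboleth.Conditions.EntityDescriptor">
        <constructor-arg name="pred">
            <bean parent="shibboleth.Conditions.EntityAttributes">
                <constructor-arg name="candidates">
                    <list>
                        <bean parent="shibboleth.Conditions.EntityAttributes.Candidate"
                              c:name="http://example.org/idp/tags"
                              p:values="consent-if-ferpa" />
                    </list>
                </constructor-arg>
            </bean>
        </constructor-arg>
    </bean>

    <!-- Case 3: match the user. The consent intercept runs after attribute resolution,
         so a resolved IdP attribute (hypothetical ID "ferpaSuppressed", value "true")
         can be tested here, unlike in relying-party selection. -->
    <bean id="example.IsFerpaSuppressedUser" parent="shibboleth.Conditions.SimpleAttribute">
        <property name="attributeValueMap">
            <map>
                <entry key="ferpaSuppressed">
                    <list>
                        <value>true</value>
                    </list>
                </entry>
            </map>
        </property>
    </bean>

    <!-- The consent flow's activation condition:
         listed SPs -> always; tagged SPs -> only FERPA-suppressed users; else never. -->
    <bean id="shibboleth.consent.attribute-release.activationCondition"
          parent="shibboleth.Conditions.OR">
        <constructor-arg>
            <list>
                <ref bean="example.IsAlwaysConsentSP" />
                <bean parent="shibboleth.Conditions.AND">
                    <constructor-arg>
                        <list>
                            <ref bean="example.IsFerpaConsentSP" />
                            <ref bean="example.IsFerpaSuppressedUser" />
                        </list>
                    </constructor-arg>
                </bean>
            </list>
        </constructor-arg>
    </bean>

</beans>
```

The stock profile-intercept.xml already declares the beans, c and p namespaces, so in practice only the bean definitions (plus the util namespace for the list) need to go into that file. Two things to check when testing it: the `ferpaSuppressed` attribute must actually be resolved for the request being evaluated (and, depending on the IdP version, the attribute predicate may look at filtered rather than unfiltered attributes), and the tagged SP must carry the entity attribute at the point the condition runs, which is easy to confirm by temporarily enabling DEBUG logging on the consent flow and watching whether the intercept is entered.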
