disable consent for R&S SPs
Wessel, Keith
kwessel at illinois.edu
Thu Feb 1 10:36:55 EST 2018
Peter,
We identify R&S SPs with this in profile-intercept.xml:
    <!-- SP is R&S category -->
    <bean id="SPisRandS" parent="shibboleth.Conditions.EntityDescriptor">
        <constructor-arg name="pred">
            <bean class="org.opensaml.saml.common.profile.logic.EntityAttributesPredicate">
                <constructor-arg>
                    <list>
                        <bean class="org.opensaml.saml.common.profile.logic.EntityAttributesPredicate.Candidate"
                            c:name="http://macedir.org/entity-category"
                            p:values="http://refeds.org/category/research-and-scholarship" />
                    </list>
                </constructor-arg>
            </bean>
        </constructor-arg>
    </bean>
We then check the result of that bean in the activation conditions bean along with several other conditions for our complex consent logic. The full activation conditions bean is below, but you could just incorporate the code from the above directly into the activation conditions bean if your logic is simpler than ours.
    <bean id="ConsentActivationConditions" parent="shibboleth.Conditions.AND">
        <constructor-arg>
            <list>
                <!-- Default activation condition -->
                <bean parent="shibboleth.Conditions.OR">
                    <constructor-arg>
                        <list>
                            <bean parent="shibboleth.Conditions.NOT">
                                <constructor-arg value="%{idp.consent.allowPerAttribute:false}" />
                            </bean>
                            <bean class="net.shibboleth.idp.saml.profile.config.logic.IncludeAttributeStatementPredicate" />
                        </list>
                    </constructor-arg>
                </bean>
                <!-- Additional activation conditions -->
                <bean parent="shibboleth.Conditions.OR">
                    <constructor-arg>
                        <list>
                            <!-- R&S SPs when accessed by FERPA-suppressed users -->
                            <bean parent="shibboleth.Conditions.AND">
                                <constructor-arg>
                                    <list>
                                        <ref bean="SPisRandS"/>
                                        <ref bean="FERPASuppressedUser"/>
                                    </list>
                                </constructor-arg>
                            </bean>
                            <!-- Any non-R&S InCommon or eduGAIN SP -->
                            <bean parent="shibboleth.Conditions.AND">
                                <constructor-arg>
                                    <list>
                                        <ref bean="InCommonSP" />
                                        <ref bean="NoConsentNeeded" />
                                        <bean parent="shibboleth.Conditions.NOT">
                                            <constructor-arg>
                                                <ref bean="SPisRandS"/>
                                            </constructor-arg>
                                        </bean>
                                    </list>
                                </constructor-arg>
                            </bean>
                            <!-- Select non-federated SPs -->
                            <ref bean="ConsentRequired"/>
                        </list>
                    </constructor-arg>
                </bean>
            </list>
        </constructor-arg>
    </bean>
Keith
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Peter Schober
Sent: Thursday, February 01, 2018 9:25 AM
To: users at shibboleth.net
Subject: disable consent for R&S SPs
Does anyone have such a config ready to disable the attribute-release postAuthenticationFlow IFF the SP has the R&S entity attribute?
I haven't even looked at the documentation yet, but if you have done that please share. On-list or added to the wiki is fine.
Cheers,
-peter
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
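As an added example (not from Keith's or Peter's mail), here is the simpler case Peter asked about: Keith's default activation condition combined with a NOT over his SPisRandS bean, so the attribute-release consent flow is skipped exactly when the SP carries the R&S entity attribute and still runs for everyone else. It assumes the SPisRandS bean is defined in profile-intercept.xml as in Keith's message; the final wiring bean (id intercept/attribute-release, parent shibboleth.consent.attribute-release.Config, property activationCondition) is an assumption about IdP v3 and must be checked against the profile-intercept.xml shipped with your IdP version.

```xml
<!-- Added example: consent only for non-R&S SPs. Assumes SPisRandS (Keith's bean) exists. -->
<bean id="ConsentActivationConditions" parent="shibboleth.Conditions.AND">
    <constructor-arg>
        <list>
            <!-- Default activation condition, as in Keith's bean: consent is only useful when an
                 attribute statement will be released, unless per-attribute consent is enabled -->
            <bean parent="shibboleth.Conditions.OR">
                <constructor-arg>
                    <list>
                        <bean parent="shibboleth.Conditions.NOT">
                            <constructor-arg value="%{idp.consent.allowPerAttribute:false}" />
                        </bean>
                        <bean class="net.shibboleth.idp.saml.profile.config.logic.IncludeAttributeStatementPredicate" />
                    </list>
                </constructor-arg>
            </bean>
            <!-- Peter's rule: do not run consent when the SP is tagged R&S in metadata -->
            <bean parent="shibboleth.Conditions.NOT">
                <constructor-arg>
                    <ref bean="SPisRandS"/>
                </constructor-arg>
            </bean>
        </list>
    </constructor-arg>
</bean>

<!-- Wiring (assumed IdP v3 bean id, parent and property; verify against your version's
     profile-intercept.xml): attach the condition to the attribute-release intercept flow -->
<bean id="intercept/attribute-release" parent="shibboleth.consent.attribute-release.Config"
    p:activationCondition-ref="ConsentActivationConditions" />
```

Because the R&S test is evaluated from the SP's metadata entity attribute, an SP that loses the category tag in a metadata refresh falls back to requiring consent rather than silently releasing attributes.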