disable consent for R&S SPs
Peter Schober
peter.schober at univie.ac.at
Thu Feb 1 13:41:52 EST 2018
* Cantor, Scott <cantor.2 at osu.edu> [2018-02-01 18:02]:
> > Does anyone have such a config ready to disable the attribute-release
> > postAuthenticationFlow IFF the SP has the R&S entity attribute?
> > I haven't even looked at the documentation yet, but if you have done
> > that please share. On-list or added to the wiki is fine.
>
> I believe there are examples in the wiki for the RelyingPartyByTag
> shortcut I did to assist with that.
Thanks, I didn't think to look there.
> The subtlety with RelyingParty rules is that there are some
> shortcuts there that make it look different from a standard
> activation condition but under the covers that's what it ultimately
> is, so those examples can also be made to apply, which is I believe
> what Keith is doing.
>
> There are also always multiple places to do it. One could enable the
> interceptor for everybody, but have an activation condition attached
> to the flow descriptor that controls when it runs. It seemed like
> Keith was also doing that. Not sure why one would do both.
I don't claim to understand anything here yet (reading and writing
these things makes my head spin the way XSLT does) but the simplest
possible way to do what I asked for seems to be this, solely within
the list/@id="shibboleth.RelyingPartyOverrides" in
conf/relying-party.xml:
<bean parent="RelyingPartyByTag">
    <constructor-arg name="candidates">
        <list>
            <bean parent="TagCandidate" c:name="http://macedir.org/entity-category"
                p:values="http://refeds.org/category/research-and-scholarship" />
            <bean parent="TagCandidate" c:name="http://macedir.org/entity-category"
                p:values="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" />
        </list>
    </constructor-arg>
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
            <ref bean="SAML2.AttributeQuery" />
            <ref bean="SAML2.ArtifactResolution" />
        </list>
    </property>
</bean>
That would disable consent (or tou) flows for entities with the R&S
and CoCo entity attribute. Probably too simple and not useful by
itself, but it's a start.
Thanks everyone so far.
More examples certainly welcome!
-peter
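As an added check (my own Python, not anything from the thread or the IdP itself): parse a metadata document and list the entityIDs that the two TagCandidate entries in the override above would select, so you can see which SPs will lose the consent flow before deploying it. It assumes a candidate matches when the entity carries the named attribute with every listed value and that any one candidate matching is enough; the sample metadata and entityIDs are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The two TagCandidate entries from the override: (entity attribute name, required values)
CANDIDATES = [
    ("http://macedir.org/entity-category", {"http://refeds.org/category/research-and-scholarship"}),
    ("http://macedir.org/entity-category", {"http://www.geant.net/uri/dataprotection-code-of-conduct/v1"}),
]

def entity_attributes(entity):
    """Collect an EntityDescriptor's mdattr:EntityAttributes as {Name: set(values)}."""
    attrs = {}
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = {v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text}
        attrs.setdefault(attr.get("Name"), set()).update(values)
    return attrs

def matches_any_candidate(attrs, candidates=CANDIDATES):
    """Assumed semantics: a candidate matches if the entity has that attribute with all listed values."""
    return any(name in attrs and values <= attrs[name] for name, values in candidates)

def entities_hit_by_override(metadata_xml, candidates=CANDIDATES):
    """entityIDs in a metadata document that the RelyingPartyByTag override would select."""
    root = ET.fromstring(metadata_xml)
    return sorted(e.get("entityID") for e in root.iter(f"{{{NS['md']}}}EntityDescriptor")
                  if matches_any_candidate(entity_attributes(e), candidates))

# Constructed sample metadata (hypothetical entityIDs, not real SPs)
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://rs-sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://other-sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://example.org/category/unrelated</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://plain-sp.example.org/shibboleth"/>
</md:EntitiesDescriptor>"""
```

The override trusts whatever entity attributes your metadata provider delivers, so this list is only as reliable as the metadata source and filters behind it.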