allowPerAttribute=true + all unchecked + 8443 = unintended attribute release
Takeshi NISHIMURA
takeshi at nii.ac.jp
Fri Jan 26 18:17:07 EST 2018
This is another issue when enabling the back channel on Shibboleth IdP.
We have experienced odd behavior that resulted in unintended attribute release.
First of all, we are using perAttributeConsentEnabled (idp.consent.allowPerAttribute=true).
In this mode, you can of course uncheck (disapprove) all the attributes that the IdP attempts to release. When someone checks no attribute, he/she expects the IdP to send only an authentication assertion without any attribute assertion.
The actual final result of this situation is that the Shibboleth SP gets all the attributes which are displayed on the consent page through an Attribute Query, as that is the default behavior of the Shibboleth SP when it gets no attribute assertion. It is also the default behavior of the Shibboleth IdP to send all the attributes in attribute-filter.xml through an Attribute Query, regardless of whether or not the user has consented.
Best regards,
Takeshi
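An added SP-side configuration check, not part of the post above: the shibboleth2.xml element (assumed here to be the stock default inside the SP's `<ApplicationDefaults>`) that triggers the fallback attribute query described above, shown beside the same element disabled.

```xml
<!-- shibboleth2.xml (Shibboleth SP), inside <ApplicationDefaults> -->

<!-- Stock setting: if the SSO response carries no attribute statement, the SP
     falls back to a SAML attribute query over the IdP back channel (port 8443).
     With per-attribute consent, a user who unchecks everything gets exactly
     that empty response, so the query silently fetches the attributes anyway. -->
<AttributeResolver type="Query" subjectMatch="true"/>

<!-- Hardened setting: rely only on attributes pushed in the SSO assertion, so a
     "release nothing" consent decision cannot be bypassed by the SP's own query.
     Disable the resolver by removing or commenting it out: -->
<!-- <AttributeResolver type="Query" subjectMatch="true"/> -->
```

Disabling the query resolver is a per-SP change; it does not alter what the IdP itself answers to queries from other SPs.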