uApproveJP (Re: "Password leak at Elsevier")

Peter Schober peter.schober at
Thu Apr 11 07:41:39 EDT 2019

* Takeshi NISHIMURA <takeshi at> [2019-04-11 13:22]:
> Our uApproveJP supports optional release according to
> isRequired="false" in <RequestedAttribute> in SP's metadata.

Thanks, Takeshi, this is a step forward in potentially making
per-attribute consent workable. I'm looking forward to seeing this
functionality being contributed to and included in future Shibboleth
IDP releases.

(This will still suffer from the usual isRequired issues, i.e., the
inability of RequestedAttribute elements to express extremely common
patterns such as "At least 1 out of these 3 attributes is required",
but that's nothing uApproveJP can fix, of course.)

What's the purpose and meaning of those boxes with a "U" character in
them, though, that are being displayed for all not-marked-as-required
attributes? Can this be disabled easily?

How about sorting isRequired=true attributes before optional ones in
the interface? Would that make it more clear, at the cost of not
sorting all attributes alphabetically?

Also note that for the SAML subject-id identifiers there's a
different signalling based on Entity Attributes, not
RequestedAttribute, that should probably also be taken into account.

(Other non-related idea, while I'm at it: How about not showing
attribute values by default, only the names, and adding a link "Show
values" to see the details? That would keep the initial interface
state cleaner. Some deployers may even prefer a config option to not
show the values at all, in which case the link "Show values" would
simply be hidden.)

Best regards,
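
The ordering and signalling discussed in this message, as an added example that is not part of the original post and is not uApproveJP or Shibboleth code: it reads `RequestedAttribute` elements from SP metadata, treats a missing `isRequired` as false, sorts required attributes ahead of optional ones, and separately reads the subject-id entity attribute. The metadata is constructed and trimmed to the elements the example reads; the entityID and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUBJECT_ID_REQ = "urn:oasis:names:tc:SAML:profiles:subject-id:req"

# Constructed SP metadata (hypothetical entityID, trimmed to what is parsed below).
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" entityID="https://sp.example.org/shibboleth">
  <md:Extensions><mdattr:EntityAttributes>
    <saml:Attribute Name="urn:oasis:names:tc:SAML:profiles:subject-id:req">
      <saml:AttributeValue>pairwise-id</saml:AttributeValue>
    </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:AttributeConsumingService index="1">
    <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"/>
    <md:RequestedAttribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" isRequired="true"/>
    <md:RequestedAttribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" isRequired="false"/>
    <md:RequestedAttribute FriendlyName="eduPersonEntitlement" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" isRequired="1"/>
   </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def consent_order(metadata_xml):
    """Return [(friendly_name, required)] with required attributes listed first."""
    rows = []
    for ra in ET.fromstring(metadata_xml).iterfind(".//md:RequestedAttribute", NS):
        # xs:boolean: "true" and "1" mean required; an absent isRequired defaults to false.
        required = ra.get("isRequired", "false").strip() in ("true", "1")
        rows.append((ra.get("FriendlyName") or ra.get("Name"), required))
    # Required group first, alphabetical (case-insensitive) inside each group.
    return sorted(rows, key=lambda r: (not r[1], r[0].lower()))

def subject_id_requirement(metadata_xml):
    """Return the subject-id:req entity attribute value, or None when it is absent."""
    path = (".//mdattr:EntityAttributes/saml:Attribute"
            f"[@Name='{SUBJECT_ID_REQ}']/saml:AttributeValue")
    value = ET.fromstring(metadata_xml).find(path, NS)
    return value.text.strip() if value is not None and value.text else None

if __name__ == "__main__":
    for name, required in consent_order(SAMPLE_METADATA):
        print(("required " if required else "optional ") + name)
    print("subject-id signalling:", subject_id_requirement(SAMPLE_METADATA))
```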
