Attribute consent and SP exclusions
Rene Paquin
rpaquin at wlu.ca
Thu Nov 5 18:13:59 UTC 2020
Hi all,
I am very new to managing and working with Shibboleth IDP. We are currently moving our production systems from V3 to V4.01. We are looking into enabling attribute consent with terms of use, and for the most part we have it working on our development system. My question: is there a way to exclude certain SP sites from having to consent to attribute release and seeing the terms of use page?
I have the following in the profile-intercept.xml file; however, that is not working, as when I log in via samltest I still see the attribute consent form as well as the subsequent terms of use page. Am I in the right ballpark here? Is there something I am missing? Any help is appreciated.
Thank you,
Rene
<bean id="MyCondition" parent="shibboleth.Conditions.AND">
    <constructor-arg>
        <list>
            <!-- The default condition from system/conf/profile-intercept-system.xml -->
            <bean parent="shibboleth.Conditions.OR">
                <constructor-arg>
                    <bean parent="shibboleth.Conditions.NOT">
                        <constructor-arg value="%{idp.consent.allowPerAttribute:false}" />
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="net.shibboleth.idp.saml.profile.config.logic.IncludeAttributeStatementPredicate" />
                </constructor-arg>
            </bean>
            <!-- A custom condition -->
            <bean id="MyCondition" parent="shibboleth.Conditions.NOT">
                <constructor-arg>
                    <bean id="MyCondition" parent="shibboleth.Conditions.RelyingPartyId">
                        <constructor-arg name="candidates">
                            <list>
                                <value>"https://samltest.id/saml/sp</value>
                                <value>https://another.example.com/shibboleth</value>
                            </list>
                        </constructor-arg>
                    </bean>
                </constructor-arg>
            </bean>
        </list>
    </constructor-arg>
</bean>