Attribute consent and SP exclusions
Peter Schober
peter.schober at univie.ac.at
Thu Nov 5 21:43:22 UTC 2020
* Tom Zeller <tzeller at dragonacea.biz> [2020-11-05 19:28]:
> > My question, is there a way to exclude certain SP sites from having to consent to attribute release and seeing the terms of use page?
>
> I believe per-SP behavior should be configured in relying-party.xml as
> documented on "Profiles and Per-RelyingParty Behavior". See "Enabling
> Terms Of Use Intercept Flow" on the Consent wiki page as well.
In conf/relying-party.xml include the tou and consent flows as needed
in your shibboleth.DefaultRelyingParty, e.g.
<bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
and then within
<util:list id="shibboleth.RelyingPartyOverrides">
remove the postAuthenticationFlows from the SAML2.SSO profile, so that only
<bean parent="SAML2.SSO" />
remains for whatever selection of SPs you want, e.g. by entityID:
<bean parent="RelyingPartyByName" c:relyingPartyIds="#{{
        'https://example.org/saml',
        'https://sp.example.net' }}">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" />
            <!-- include any other needed profiles here too, e.g. ECP,Logout -->
        </list>
    </property>
</bean>
or e.g. for all R&S SPs:
<bean parent="RelyingPartyByTag">
    <constructor-arg name="candidates">
        <list>
            <bean parent="TagCandidate" c:name="http://macedir.org/entity-category"
                  p:values="http://refeds.org/category/research-and-scholarship" />
        </list>
    </constructor-arg>
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO" />
            <!-- include any other needed profiles here too, e.g. ECP,Logout -->
        </list>
    </property>
</bean>
HTH,
-peter
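The pieces above assembled into one conf/relying-party.xml fragment, as an added example that is not from Peter's message or from the Shibboleth distribution: the default relying party enables both the terms-of-use and attribute-release intercepts, and the override for the two example entityIDs drops them. The ECP and Logout profile refs are assumed to be the ones a typical deployment also wants kept for those SPs.

```xml
<!-- Added example (not from the original message): conf/relying-party.xml
     fragment. The default applies to every SP not matched by an override. -->
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations">
        <list>
            <!-- Both intercepts run after authentication: ToU first, then consent -->
            <bean parent="SAML2.SSO"
                  p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}" />
            <ref bean="SAML2.ECP" />
            <ref bean="SAML2.Logout" />
        </list>
    </property>
</bean>

<util:list id="shibboleth.RelyingPartyOverrides">
    <!-- These two SPs (example values) skip both intercepts: SAML2.SSO is
         listed without postAuthenticationFlows. An override replaces the
         default profile list entirely, so any profile left out here is
         disabled for these SPs; keep the ones they actually use. -->
    <bean parent="RelyingPartyByName" c:relyingPartyIds="#{{
            'https://example.org/saml',
            'https://sp.example.net' }}">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO" />
                <ref bean="SAML2.ECP" />
                <ref bean="SAML2.Logout" />
            </list>
        </property>
    </bean>
</util:list>
```

Because the exclusion is keyed on the SP's entityID or entity-category tag in metadata, the intercepts are only bypassed for SPs whose metadata you control or trust; review the override list when metadata sources change.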