Attribute consent and SP exclusions
Rene Paquin
rpaquin at wlu.ca
Fri Nov 6 14:09:53 UTC 2020
Thank you very much for the replies. I have it working now with your suggestions.
Rene
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Peter Schober
Sent: November 5, 2020 4:43 PM
To: users at shibboleth.net
Subject: Re: Attribute consent and SP exclusions
* Tom Zeller <tzeller at dragonacea.biz> [2020-11-05 19:28]:
> > My question, is there a way to exclude certain SP sites from having to consent to attribute release and seeing the terms of use page?
>
> I believe per-SP behavior should be configured in relying-party.xml as
> documented on "Profiles and Per-RelyingParty Behavior". See "Enabling
> Terms Of Use Intercept Flow" on the Consent wiki page as well.
In conf/relying-party.xml include the tou and consent flows as needed in your shibboleth.DefaultRelyingParty, e.g.
<bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
and then within
<util:list id="shibboleth.RelyingPartyOverrides">
remove the postAuthenticationFlows from the SAML2.SSO profile, so that only
<bean parent="SAML2.SSO">
remains for whatever selection of SPs you want, e.g. by entityID:
<bean parent="RelyingPartyByName" c:relyingPartyIds="#{{'https://example.org/saml', 'https://sp.example.net'}}">
  <property name="profileConfigurations">
    <list>
      <bean parent="SAML2.SSO" />
      <!-- include any other needed profiles here too, e.g. ECP,Logout -->
    </list>
  </property>
</bean>
or e.g. for all R&S SPs:
<bean parent="RelyingPartyByTag">
  <constructor-arg name="candidates">
    <list>
      <bean parent="TagCandidate" c:name="http://macedir.org/entity-category"
            p:values="http://refeds.org/category/research-and-scholarship" />
    </list>
  </constructor-arg>
  <property name="profileConfigurations">
    <list>
      <bean parent="SAML2.SSO" />
      <!-- include any other needed profiles here too, e.g. ECP,Logout -->
    </list>
  </property>
</bean>
HTH,
-peter
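
Added example, not part of the original thread and not Shibboleth project code: a small audit script that lists which entries in shibboleth.RelyingPartyOverrides leave postAuthenticationFlows off a profile, i.e. which SPs skip the consent and terms-of-use intercepts. The function name, the sample XML and the wiki.example.edu entityID are constructed for illustration, and the script assumes flows are set with the p: attribute shorthand used in the thread.

```python
import re
import xml.etree.ElementTree as ET

B, U, P, C = ("{http://www.springframework.org/schema/%s}" % n
              for n in ("beans", "util", "p", "c"))

# Constructed sample modelled on the thread's snippets; not a real deployment.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:util="http://www.springframework.org/schema/util"
    xmlns:p="http://www.springframework.org/schema/p"
    xmlns:c="http://www.springframework.org/schema/c">
 <util:list id="shibboleth.RelyingPartyOverrides">
  <bean parent="RelyingPartyByName"
        c:relyingPartyIds="#{{'https://example.org/saml', 'https://sp.example.net'}}">
   <property name="profileConfigurations"><list><bean parent="SAML2.SSO" /></list></property>
  </bean>
  <bean parent="RelyingPartyByName" c:relyingPartyIds="https://wiki.example.edu/sp">
   <property name="profileConfigurations"><list>
    <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
   </list></property>
  </bean>
  <bean parent="RelyingPartyByTag">
   <constructor-arg name="candidates"><list>
    <bean parent="TagCandidate" c:name="http://macedir.org/entity-category"
          p:values="http://refeds.org/category/research-and-scholarship" />
   </list></constructor-arg>
   <property name="profileConfigurations"><list><bean parent="SAML2.SSO" /></list></property>
  </bean>
 </util:list>
</beans>"""


def consent_exempt(xml_text, profile="SAML2.SSO"):
    """List overrides whose `profile` bean sets no postAuthenticationFlows."""
    root, exempt = ET.fromstring(xml_text), []
    path = f".//{U}list[@id='shibboleth.RelyingPartyOverrides']/{B}bean"
    for override in root.iterfind(path):
        beans = list(override.iter(B + "bean"))
        profiles = [b for b in beans if b.get("parent") == profile]
        # Assumption: flows are set via the p: attribute shorthand, as in the thread.
        if not profiles or any(b.get(P + "postAuthenticationFlows") for b in profiles):
            continue
        raw = override.get(C + "relyingPartyIds", "")
        ids = re.findall(r"'([^']+)'", raw) or ([raw] if raw else [])
        tags = [b.get(P + "values") for b in beans if b.get("parent") == "TagCandidate"]
        exempt.append((override.get("parent"), ids or tags))
    return exempt

if __name__ == "__main__":
    print(*consent_exempt(SAMPLE), sep="\n")
```

Overrides that do not list the profile at all are skipped, since the profile is then not enabled for those SPs rather than enabled without consent.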