Attribute consent and SP exclusions

Rene Paquin rpaquin at wlu.ca
Fri Nov 6 14:09:53 UTC 2020


Thank you very much for the replies.  I have it working now with your suggestions.

Rene

-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Peter Schober
Sent: November 5, 2020 4:43 PM
To: users at shibboleth.net
Subject: Re: Attribute consent and SP exclusions

* Tom Zeller <tzeller at dragonacea.biz> [2020-11-05 19:28]:
> > My question, is there a way to exclude certain SP sites from having to consent to attribute release and seeing the terms of use page?
> 
> I believe per-SP behavior should be configured in relying-party.xml as 
> documented on "Profiles and Per-RelyingParty Behavior". See "Enabling 
> Terms Of Use Intercept Flow" on the Consent wiki page as well.

In conf/relying-party.xml include the tou and consent flows as needed in your shibboleth.DefaultRelyingParty, e.g.

<bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />

and then within

  <util:list id="shibboleth.RelyingPartyOverrides">

remove the postAuthenticationFlows from the SAML2.SSO profile, so that only

  <bean parent="SAML2.SSO">

remains for whatever selection of SPs you want, e.g. by entityID:

  <bean parent="RelyingPartyByName" c:relyingPartyIds="#{{
    'https://example.org/saml',
    'https://sp.example.net' }}">
    <property name="profileConfigurations">
      <list>
        <bean parent="SAML2.SSO" />
        <!-- include any other needed profiles here too, e.g. ECP,Logout -->
      </list>
    </property>
  </bean>

or e.g. for all R&S SPs:

  <bean parent="RelyingPartyByTag">
    <constructor-arg name="candidates">
      <list>
        <bean parent="TagCandidate" c:name="http://macedir.org/entity-category"
           p:values="http://refeds.org/category/research-and-scholarship" />
      </list>
    </constructor-arg>
    <property name="profileConfigurations">
      <list>
        <bean parent="SAML2.SSO" />
        <!-- include any other needed profiles here too, e.g. ECP,Logout -->
      </list>
    </property>
  </bean>

HTH,
-peter
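
An added example, not part of the original thread or of the Shibboleth project's code: a small audit that reads a relying-party.xml and lists which overrides leave the SAML2.SSO profile with no postAuthenticationFlows, i.e. which SPs skip terms of use and attribute consent. The names `audit`, `sso_flows` and `SAMPLE` are hypothetical, the sample configuration is constructed, and the script assumes the flows are set through the `p:postAuthenticationFlows` attribute rather than a nested property element.

```python
import re
import xml.etree.ElementTree as ET

NS = {"b": "http://www.springframework.org/schema/beans",
      "u": "http://www.springframework.org/schema/util"}
P = "{http://www.springframework.org/schema/p}"
C = "{http://www.springframework.org/schema/c}"

# Constructed sample input, modelled on the snippets in the thread.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:util="http://www.springframework.org/schema/util"
    xmlns:p="http://www.springframework.org/schema/p"
    xmlns:c="http://www.springframework.org/schema/c">
  <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
    <property name="profileConfigurations"><list>
      <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
    </list></property>
  </bean>
  <util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName"
          c:relyingPartyIds="#{{'https://example.org/saml', 'https://sp.example.net'}}">
      <property name="profileConfigurations"><list><bean parent="SAML2.SSO" /></list></property>
    </bean>
    <bean parent="RelyingPartyByName" c:relyingPartyIds="https://keeps-consent.example">
      <property name="profileConfigurations"><list><bean parent="SAML2.SSO"
        p:postAuthenticationFlows="#{{'terms-of-use', 'attribute-release'}}" /></list></property>
    </bean>
  </util:list>
</beans>"""

def sso_flows(party):
    """Flow ids on the party's SAML2.SSO bean ([] if none set), or None if it has no such bean."""
    for bean in party.iterfind(".//b:bean[@parent='SAML2.SSO']", NS):
        return re.findall(r"[A-Za-z][\w-]*", bean.get(P + "postAuthenticationFlows", ""))
    return None

def audit(xml_text):
    """Report the default SSO flows and every override whose SSO profile runs no intercept flow."""
    root = ET.fromstring(xml_text)
    default = root.find("b:bean[@id='shibboleth.DefaultRelyingParty']", NS)
    overrides = root.find("u:list[@id='shibboleth.RelyingPartyOverrides']", NS)
    report = {"default": sso_flows(default), "no_intercept": []}
    for party in overrides.findall("b:bean", NS):
        if sso_flows(party) == []:  # SAML2.SSO present but consent/ToU flows dropped
            selector = party.get(C + "relyingPartyIds") or party.get("parent")
            report["no_intercept"].extend(re.findall(r"'([^']+)'", selector) or [selector])
    return report
```

Overrides selected by tag (RelyingPartyByTag) are reported by their parent bean name only, since their selector lives in a constructor argument rather than in `c:relyingPartyIds`.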