Terminate session if user does not accept terms&conditions

Cantor, Scott cantor.2 at osu.edu
Thu Jun 10 00:03:17 UTC 2021


On 6/9/21, 7:23 PM, "users on behalf of Oluf Færø" <users-bounces at shibboleth.net on behalf of ofa at klintra.fo> wrote:

>    Is it possible to configure Shibboleth to only establish the user session after the terms-of-use are approved by the user?

Authentication is entirely an IdP side issue and the session just tracks that state. It won't respond unless you make it do that by bypassing the terms somehow, so it's doing what it's meant to do. The terms aren't for whether to login or not, but whether to issue the assertion.

IIRC there is a supported signal/event to restart authentication from an interceptor flow but I don't recall exactly how it interacts with this feature and it wasn't intended to work like that. Restarting authentication is reserved for cases where the authentication was invalid and the terms flow wasn't really about that.

I suspect to make it do that would require tricking it into mapping the normal event it signaled into the event that's reserved for restarting the authentication. But that's what it does, it goes back through the login prompt again, it doesn't abort the request.

Basically... why? What is the actual problem with the behavior now?

-- Scott



