Files: conf/idp.properties, conf/intercept/consent-intercept-config.xml, messages/message.properties, views/intercept/attribute-release.vm, views/intercept/terms-of-use.vm
Format: Native Spring


...

Attribute Display

Localization

The names and values of attributes displayed during consent may be customized. By default, the locale-aware attribute display name and display value are displayed. Customizing the localization information is generally handled through the rules defined in the AttributeRegistryConfiguration.

Selective Display

By default, users are prompted to consent to release all attributes unless specifically suppressed on a per-attribute basis. Suppressed attributes are released to relying parties but are not displayed to users.  A prompted list, ignored list, and match expressions determine whether consent should be obtained for an attribute based on the attribute ID.

To prevent an attribute from being displayed, add the attribute ID to the ignored list or exclude it by a match expression. The ignored list and match expression override the prompted list.

| Type | Description | Bean name in conf/intercept/consent-intercept-config.xml |
|---|---|---|
| Prompted | Attribute IDs for which users should be prompted to consent | shibboleth.consent.attribute-release.PromptedAttributeIDs (4.1); shibboleth.consent.attribute-release.WhitelistedAttributeIDs (DEPRECATED) |
| Ignored | Attribute IDs for which users should not be prompted to consent | shibboleth.consent.attribute-release.IgnoredAttributeIDs (4.1); shibboleth.consent.attribute-release.BlacklistedAttributeIDs (DEPRECATED) |
| Regex | Attribute IDs matching a regular expression that users should be prompted to consent | shibboleth.consent.attribute-release.MatchExpression |
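
The prompted and ignored list beans from the table above, as an added configuration example (not taken from the Shibboleth documentation). The attribute IDs are constructed samples, and the fragment assumes the enclosing beans element of the file already declares the Spring util namespace.

```xml
<!-- conf/intercept/consent-intercept-config.xml (fragment) -->

<!-- Attribute IDs for which users should be prompted to consent.
     Constructed sample IDs; use the IDs your resolver actually produces. -->
<util:list id="shibboleth.consent.attribute-release.PromptedAttributeIDs">
    <value>mail</value>
    <value>displayName</value>
    <value>eduPersonAffiliation</value>
    <value>eduPersonTargetedID</value>
</util:list>

<!-- Attribute IDs for which users should not be prompted.
     The ignored list overrides the prompted list, so eduPersonTargetedID
     is not displayed even though it also appears above. It is still
     released to the relying party; only the display is suppressed. -->
<util:list id="shibboleth.consent.attribute-release.IgnoredAttributeIDs">
    <value>eduPersonTargetedID</value>
    <value>transientId</value>
</util:list>
```

Because suppressed attributes are released without being shown, review every ID in the ignored list against the attributes actually released to relying parties.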
                                                                                                                 

Order

Attributes are, by default, displayed in the natural order of their IDs. Deployers may wish to customize the order in which attributes are displayed to users, in order to present the most relevant or personal attributes first.

The order in which attributes are displayed to users may be customized by providing a list of attribute IDs. Attributes not in the list will still be sorted in their natural order, but subsequent to attributes in the list. Define the bean named shibboleth.consent.attribute-release.AttributeDisplayOrder in conf/intercept/consent-intercept-config.xml representing the desired order. The values of the list are attribute IDs. 

The following example displays the mail attribute first and then all other attributes in alphabetic order by ID:

Code Block
<util:list id="shibboleth.consent.attribute-release.AttributeDisplayOrder"><value>mail</value></util:list>

For advanced customization of the attribute display order, a custom Comparator may be provided. Define a bean named shibboleth.consent.attribute-release.AttributeIDComparator in conf/intercept/consent-intercept-config.xml which implements Comparator<String>. For example:

Code Block
<bean id="shibboleth.consent.attribute-release.AttributeIDComparator" class="org.example.CustomAttributeIDComparator" />

...

Properties

Relevant properties defined in conf/idp.properties:

| Property | Type | Default | Function |
|---|---|---|---|
| idp.consent.StorageService | Bean ID | shibboleth.ClientPersistentStorageService | Name of storage service used to store users' consent choices |
| idp.consent.userStorageKey | Bean ID | shibboleth.consent.PrincipalConsentStorageKey | DEPRECATED. Name of function used to return the String storage key representing a user, defaults to the principal name |
| idp.consent.attribute-release.userStorageKey | Bean ID | shibboleth.consent.PrincipalConsentStorageKey | Replacement for "idp.consent.userStorageKey" specific to attribute-release flow |
| idp.consent.terms-of-use.userStorageKey | Bean ID | shibboleth.consent.PrincipalConsentStorageKey | Replacement for "idp.consent.userStorageKey" specific to terms-of-use flow |
| idp.consent.userStorageKeyAttribute | String | uid | DEPRECATED. Attribute whose value is the storage key representing a user, only used when idp.consent.userStorageKey = shibboleth.consent.AttributeConsentStorageKey |
| idp.consent.attribute-release.userStorageKeyAttribute | String | uid | Replacement for "idp.consent.userStorageKeyAttribute" specific to attribute-release flow |
| idp.consent.terms-of-use.userStorageKeyAttribute | String | uid | Replacement for "idp.consent.userStorageKeyAttribute" specific to terms-of-use flow |
| idp.consent.attribute-release.activationCondition (4.1) | Bean ID | shibboleth.Conditions.TRUE | Optional condition to apply to control activation of attribute-release flow along with system default behavior |
| idp.consent.terms-of-use.activationCondition (4.1) | Bean ID | shibboleth.Conditions.TRUE | Optional condition to apply to control activation of terms-of-use flow |
| idp.consent.allowDoNotRemember | Boolean | true | Whether not remembering/storing consent is allowed |
| idp.consent.allowGlobal | Boolean | true | Whether consent to any attribute and to any relying party is allowed |
| idp.consent.allowPerAttribute | Boolean | false | Whether per-attribute consent is allowed |
| idp.consent.compareValues | Boolean | false | Whether attribute values and terms of use text are stored and compared for equality |
| idp.consent.maxStoredRecords | Integer | 10 | Maximum number of records stored when using space-limited storage (e.g. cookies), 0 = no limit |
| idp.consent.expandedMaxStoredRecords | Integer | 0 | Maximum number of records stored when using larger/server-side storage, 0 = no limit |
| idp.consent.storageRecordLifetime | Duration | P1Y (4.0), Infinite (4.1+) | Time in milliseconds to expire consent storage records |

...