Missing support for ordering attributes on consent screen

Description

Hi,

In our IdPV2 deployments with uApprove, we have been setting the attribute order by whitelisting all attribute in the desired order.

We see this as critical for the user experience to group attributes together on the consent screen (e.g., commonName, displayName, givenName and surname are all together).

In IdPV3, there is no way to set the attribute order. The attributes appear in a "random" order - that does not change with a reload of the screen but does change if the set of attributes changes.

The rendering is done by a Velocity template (views/intercept/attribute-release.vm) that only iterates over the Map it receives.

The Map is a LinkedHashMap that should be preserving order. I tried digging through the code to see where it comes from, but could not find it.

I see one option for this as consistently using order-preserving Sets/Maps across the whole code, and then perhaps order could be determined by the order in which the attributes are listed in attribute-resolver.xml.

Alternatively, this is what I did as a workaround:

  • Add a new property to conf/idp.properties listing all defined attributes in the preferred order:

    # If not set, attributes would be listed in undefined order (as provided by the IdP) # WARNING: attributes not listed here will be hidden from the consenting view idp.consent.attributeOrder=commonName,displayName,auEduPersonLegalName,givenName,surname,email,\ eduPersonPrincipalName,uid,auEduPersonSharedToken,eduPersonTargetedID,eduPersonEntitlement,\ eduPersonAssurance,eduPersonAffiliation,eduPersonScopedAffiliation,eduPersonPrimaryAffiliation,\ auEduPersonAffiliation,organizationName,homeOrganization,homeOrganizationType,organizationalUnit,\ postalAddress,telephoneNumber,mobileNumber

    And then modifying attribute-release.vm to use this property as the preferred order:

    --- attribute-release.vm 2015-02-18 12:06:09.504157844 +1300 +++ /opt/shibboleth-idp/edit-views/intercept/attribute-release.vm.attrlist 2015-02-25 16:16:49.576253157 +1300 @@ -71,7 +71,16 @@ </tr> </thead> <tbody> - #foreach ($attribute in $attributeReleaseContext.getConsentableAttributes().values()) + #set ($attributeOrder = $environment.getProperty("idp.consent.attributeOrder") ) + #set ($consentableAttributes = $attributeReleaseContext.getConsentableAttributes() ) + #if ( $attributeOrder ) + #set ($allAttributeKeys = $attributeOrder.split(",") ) + #else + #set ($allAttributeKeys = $consentableAttributes.keySet()) + #end + #foreach ($attributeKey in $allAttributeKeys) + #if ($consentableAttributes.get($attributeKey)) + #set ($attribute = $consentableAttributes.get($attributeKey)) <tr> <td>$encoder.encodeForHTML($attributeDisplayNameFunction.apply($attribute))</td> <td> @@ -90,6 +99,7 @@ </td> </tr> #end + #end </tbody> </table> </div>

    The code filters out attributes specified in the property but not in the current context, but does not render attributes that were not listed in the property.

I was trying to append the entries from consentableAttributes.keySet() that are not in the ordered list at the end, but my Velocity-fu is not good enough for that (totally new to Velocity and guessing on the syntax).

Would this be worth adding for the next release - some option of setting the attribute order?

Cheers,
Vlad

Environment

3.0.0 with LDAP and static connectors

Activity

Tom Zeller 
October 13, 2015 at 7:45 PM

Moved attribute ID comparator to system/ from conf/ in r7812.

http://svn.shibboleth.net/view/java-identity-provider?view=revision&revision=7812

Tom Zeller 
September 9, 2015 at 3:31 AM

Oh ! When I typed system/ I was thinking system/conf/profile-intercept-system.xml. But, yeah, I think you're right. I guess I was thinking that profile-intercept-system.xm was the system-space counterpart to user-space conf/consent-intercept-config.xml.

Scott Cantor 
September 9, 2015 at 1:36 AM

I'm probably missing an obvious reason this won't work, but...

The list its injecting is inside conf/intercept/consent-intercept-config.xml, which is included by the flow beans file where this comparator bean is being used.

Can't we just move DefaultAttributeIDComparator into system/flows/intercept/attribute-release-beans.xml outright? Is there a backward compatibility issue I'm overlooking?

I would also get rid of the alias, and just set p:attributeIdComparator in PopulateAttributeConsentContext to a conditional expression:

p:attributeIdComparator="#{ getObject('shibboleth.consent.attribute-release.AttributeIDComparator') != null ? getObject('shibboleth.consent.attribute-release.AttributeIDComparator') : getObject('DefaultAttributeIDComparator') }"

Tom Zeller 
July 1, 2015 at 1:57 AM
(edited)

Reopening due to last-minute change to the 3.1 branch.

Two issues :

  • r7608 was an incomplete merge of r7449

  • Both revisions introduce a non-API class into user-space config files.

The non-API bean definition :

<bean id="shibboleth.consent.attribute-release.DefaultAttributeIDComparator" class="net.shibboleth.idp.consent.logic.PreferExplicitOrderComparator" c:order-ref="shibboleth.consent.attribute-release.WhitelistedAttributeIDs" />

needs to be injected with a list defined in user-space, so moving the bean definition to system/ will not work. Need to figure out a way when more time is at hand.

Tom Zeller 
June 30, 2015 at 4:21 PM

Just noting that I didn't think about locale-sensitive sorting of attribute IDs.

Fixed

Details

Assignee

Reporter

Components

Fix versions

Affects versions

Created February 25, 2015 at 3:30 AM
Updated June 22, 2021 at 6:44 PM
Resolved October 13, 2015 at 7:45 PM