Identity Provider / IDP-624

Missing support for ordering attributes on consent screen

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0, 3.1.0, 3.1.1, 3.1.2
    • Fix Version/s: 3.2.0
    • Labels:
      None
    • Environment:

      3.0.0 with LDAP and static connectors

      Description

      Hi,

      In our IdPV2 deployments with uApprove, we have been setting the attribute order by whitelisting all attributes in the desired order.

      We see this as critical for the user experience to group attributes together on the consent screen (e.g., commonName, displayName, givenName and surname are all together).

      In IdPV3, there is no way to set the attribute order. The attributes appear in a "random" order - that does not change with a reload of the screen but does change if the set of attributes changes.

      The rendering is done by a Velocity template (views/intercept/attribute-release.vm) that only iterates over the Map it receives.

      The Map is a LinkedHashMap that should be preserving order. I tried digging through the code to see where it comes from, but could not find it.

      I see one option for this as consistently using order-preserving Sets/Maps across the whole code, and then perhaps order could be determined by the order in which the attributes are listed in attribute-resolver.xml.

      Alternatively, this is what I did as a workaround:

      • Add a new property to conf/idp.properties listing all defined attributes in the preferred order:
        # If not set, attributes would be listed in undefined order (as provided by the IdP)
        # WARNING: attributes not listed here will be hidden from the consenting view 
        idp.consent.attributeOrder=commonName,displayName,auEduPersonLegalName,givenName,surname,email,\
        eduPersonPrincipalName,uid,auEduPersonSharedToken,eduPersonTargetedID,eduPersonEntitlement,\
        eduPersonAssurance,eduPersonAffiliation,eduPersonScopedAffiliation,eduPersonPrimaryAffiliation,\
        auEduPersonAffiliation,organizationName,homeOrganization,homeOrganizationType,organizationalUnit,\
        postalAddress,telephoneNumber,mobileNumber
        

        And then modifying attribute-release.vm to use this property as the preferred order:

        --- attribute-release.vm	2015-02-18 12:06:09.504157844 +1300
        +++ /opt/shibboleth-idp/edit-views/intercept/attribute-release.vm.attrlist	2015-02-25 16:16:49.576253157 +1300
        @@ -71,7 +71,16 @@
                                     </tr>
                                 </thead>
                                 <tbody>
        -                            #foreach ($attribute in $attributeReleaseContext.getConsentableAttributes().values())
        +                            #set ($attributeOrder = $environment.getProperty("idp.consent.attributeOrder") )
        +                            #set ($consentableAttributes = $attributeReleaseContext.getConsentableAttributes() )
        +			    #if ( $attributeOrder )
        +			        #set ($allAttributeKeys = $attributeOrder.split(",") )
        +		            #else
        +			        #set ($allAttributeKeys = $consentableAttributes.keySet())
        +			    #end
        +                            #foreach ($attributeKey in $allAttributeKeys)
        +                              #if ($consentableAttributes.get($attributeKey))
        +                                #set ($attribute = $consentableAttributes.get($attributeKey))
                                         <tr>
                                             <td>$encoder.encodeForHTML($attributeDisplayNameFunction.apply($attribute))</td>
                                             <td>
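Review bot: with idp.consent.attributeOrder set, the new #foreach walks only the keys produced by $attributeOrder.split(","), so any entry of getConsentableAttributes() that the property does not name is never rendered and the user is asked to consent without seeing it. After the ordered loop, iterate $consentableAttributes.keySet() a second time and render the keys not already shown, instead of depending on the property being complete. split(",") also keeps any whitespace around each name, so a value written as "commonName, displayName" would miss on get(); trim each key before the lookup. The added #if/#else/#end lines mix tabs and spaces, unlike the surrounding template.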
        @@ -90,6 +99,7 @@
                                             </td>
                                         </tr>
                                     #end
        +                          #end
                                 </tbody>
                             </table>
                         </div>
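Review bot: the added #end follows the existing #end, so the existing one now closes the new #if ($consentableAttributes.get($attributeKey)) and the added one closes the #foreach, but the indentation does not show this (the added #end sits further left than the #foreach it terminates). Align each #end with the directive it closes, or mark them with Velocity comments such as "## end if" and "## end foreach", so a later edit to the table row does not unbalance the block.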
        
        
        

        The code filters out attributes specified in the property but not in the current context, but does not render attributes that were not listed in the property.

      I was trying to append the entries from consentableAttributes.keySet() that are not in the ordered list at the end, but my Velocity-fu is not good enough for that (totally new to Velocity and guessing on the syntax).

      Would this be worth adding for the next release - some option of setting the attribute order?

      Cheers,
      Vlad
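
Added example, not part of the original report and not Shibboleth code: the "preferred order first, then everything else" merge that the report describes wanting, written in plain Java so that no consentable attribute is hidden from the consent screen. The class name, the method name and the sample attribute values are assumptions made for illustration; only the property format (a comma-separated list of attribute ids) comes from the report.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example: order consentable attributes without hiding unlisted ones. */
public class ConsentAttributeOrder {

    /**
     * Returns the entries of consentable with the ids named in orderProperty
     * first (in that order), followed by every remaining entry in its
     * original iteration order. A null property leaves the order unchanged.
     */
    static <V> Map<String, V> order(Map<String, V> consentable, String orderProperty) {
        Map<String, V> ordered = new LinkedHashMap<>();
        if (orderProperty != null) {
            for (String name : orderProperty.split(",")) {
                String key = name.trim();            // tolerate spaces around commas
                V value = consentable.get(key);
                if (value != null) {                 // listed but not in this context: skip
                    ordered.putIfAbsent(key, value); // a repeated id keeps its first position
                }
            }
        }
        // Anything the property did not name is appended, never dropped,
        // so the user sees every attribute they are consenting to.
        for (Map.Entry<String, V> e : consentable.entrySet()) {
            ordered.putIfAbsent(e.getKey(), e.getValue());
        }
        return ordered;
    }

    public static void main(String[] args) {
        // Constructed sample: attribute id -> value, in arbitrary order.
        Map<String, String> consentable = new LinkedHashMap<>();
        consentable.put("eduPersonAffiliation", "staff");
        consentable.put("surname", "Example");
        consentable.put("exampleUnlistedAttribute", "x"); // hypothetical id, absent from the order list
        consentable.put("givenName", "Alex");
        consentable.put("commonName", "Alex Example");

        // Constructed property value, shortened from the list in the report.
        String property = "commonName, displayName,givenName,surname,email,eduPersonAffiliation";
        System.out.println(order(consentable, property).keySet());
    }
}
```

The same two-pass structure (ordered keys first, then the remaining keySet() entries) is what the template loop would need in order to stop hiding attributes that are missing from idp.consent.attributeOrder.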

              People

              Assignee:
              tzeller@shibboleth.net Tom Zeller
              Reporter:
              vme28@canterbury.ac.nz Vladimir Mencl
              Watchers:
              5

                  Time Tracking

                  Estimated: 0m
                  Remaining: 0m
                  Logged: 2d 3h