When using an attribute to determine the storage key used to store consent records, if the attribute is not released the storage key will be incorrect, especially when using server-side storage.
Relevant properties in conf/idp.properties :
idp.consent.userStorageKey = shibboleth.consent.AttributeConsentStorageKey
idp.consent.userStorageKeyAttribute = <un-released attribute ID>
I guess the n.s.idp.consent.logic.AttributeValueLookupFunction could throw an unchecked exception if the attribute does not exist, but we don't want to block SSO, so maybe instead the AbstractConsentStorageAction should "validate" the storage key and return an appropriate Event.
Using the unfiltered attribute context will help, but not totally eliminate what I guess would be considered a "config issue".