Attribute consent display logic is still confusing

Basics

Logistics

Basics

Logistics

Description

Attributes to be hidden must be defined in the blacklist AND whitelist.

"Attribute consent display logic is still confusing"
http://marc.info/?l=shibboleth-users&m=144853365432706&w=2

Environment

None

Linked work items

is related to

IDP-624

Missing support for ordering attributes on consent screen

Activity

Tom Zeller December 19, 2015 at 6:59 AM

r8054

Applied fix to trunk.

Tom Zeller December 19, 2015 at 6:53 AM

r8053

Added new list to customize the attribute display order to 3.2 branch.

Tom Zeller December 1, 2015 at 9:48 PM

Reintroducing the order list is a minor version bump, I believe, because the configuration would not be identical. I guess we could provide a commented-out order list to stay within patch version compatibility if so desired.

Tom Zeller December 1, 2015 at 8:38 PM

Perhaps my mistake was conflating the whitelist and the order list. Reintroducing the order list may be the right thing.

Tom Zeller December 1, 2015 at 7:25 PM

Noting some history : the commit of the whitelist / blacklist / match expression was r6657

As noted on the users list referenced above, uApprove supplied two configuration knobs in uApprove.properties, ar.attributes.order and ar.attributes.blacklist :

#---------------------------------------------------------------------#
# Attribute Processing                                                #
#---------------------------------------------------------------------#

# Defines the ordering of the attributes.
ar.attributes.order         = uid \
                              surname \
                              givenName \
                              eduPersonPrincipalName \
                              eduPersonAffiliation \
                              eduPersonEntitlement

# Defines a list of blacklisted attributes.              
ar.attributes.blacklist     = transientId \
                              persistentId \
                              eduPersonTargetedID

While migrating, I thought that a whitelist was the natural counterpart to a blacklist, and together those would be general enough for user-space configuration. I assumed we had a whitelist / blacklist predicate somewhere, and we did. ValidateRemoteUser also came with a match expression. The whitelist / blacklist / match expression control the "consentable" attributes - the attributes which are displayed to the user for consent.

I also thought that the display of attributes to the user was at the presentation layer, and deployers would do whatever they want via Velocity templates, so attributes were originally displayed unordered (https://shibboleth.atlassian.net/browse/IDP-624#icft=IDP-624).

Re-using the v3 whitelist (the v2 "order" list) made sense to control the order in which attributes were displayed.

Resize issue view side panel

Fixed

Details

Assignee

Tom Zeller

Reporter

Tom Zeller

Created November 30, 2015 at 6:06 PM

Updated April 4, 2016 at 3:28 PM

Resolved December 19, 2015 at 6:59 AM