diff --git a/modules/consentAdmin/config-templates/module_consentAdmin.php b/modules/consentAdmin/config-templates/module_consentAdmin.php
index d7ba69723750e39c1975a508c802f65f31ba52b6..627634ba13a9ae3c247b952c2bfb7e07829fe8d2 100644
--- a/modules/consentAdmin/config-templates/module_consentAdmin.php
+++ b/modules/consentAdmin/config-templates/module_consentAdmin.php
@@ -19,6 +19,9 @@ $config = array(
 // Hash attributes including values or not
 'attributes.hash' => true,
+ // If you set noconsentattributes in the consent module, this must match
+ // 'attributes.exclude' => array(),
+
 // Where to direct the user after logout
 // REMEMBER to prefix with http:// otherwise the relaystate is only appended
 // to saml2 logout URL
diff --git a/modules/consentAdmin/docs/consentAdmin.md b/modules/consentAdmin/docs/consentAdmin.md
index 454cd5f47825899530c4128efd1e2a8f0c84c5c9..6a420353c3dd73b326516ee7bdca00e30b02a827 100644
--- a/modules/consentAdmin/docs/consentAdmin.md
+++ b/modules/consentAdmin/docs/consentAdmin.md
@@ -44,7 +44,9 @@ Setting optional parameters
 In order to make the consentAdmin module work together with the consent module correctly, you need to set the configuration 'attributes.hash' according to the value of 'includeValues' configuration in the consent
-module.
+module. Likewise, if you've used the 'noconsentattributes' configuration
+option in the consent module, you should also set the 'attributes.exclude'
+configuration option here to match.
 You should also set the 'returnURL' configuration in order to pass on your users when the press the 'Logout' link.
diff --git a/modules/consentAdmin/www/consentAdmin.php b/modules/consentAdmin/www/consentAdmin.php
index ebc09fc30e49e7eac72ece346ec53bf6bbb27410..a7f760517a049043106f7bf3c6e78992965c1985 100644
--- a/modules/consentAdmin/www/consentAdmin.php
+++ b/modules/consentAdmin/www/consentAdmin.php
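Review bot: The commented-out example `// 'attributes.exclude' => array(),` in the new template lines does not say what the array holds, so an administrator copying it still has to read consentAdmin.php to learn that it is a list of attribute names. I would extend the comment to `// List of attribute names that never require consent; must match 'noconsentattributes' in the consent module` and show the shape with a placeholder, `// 'attributes.exclude' => array('<attribute-name>'),`. It is also worth stating that the default (an empty array) excludes nothing, since that is what the code in consentAdmin.php falls back to.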
@@ -22,7 +22,8 @@ function driveProcessingChain(
 $sp_entityid,
 $attributes,
 $userid,
- $hashAttributes = false
+ $hashAttributes = false,
+ $excludeAttributes = array()
 ) {
 /*
@@ -48,6 +49,12 @@ function driveProcessingChain(
 $pc->processStatePassive($authProcState);
 $attributes = $authProcState['Attributes'];
+ // Remove attributes that do not require consent/should be excluded
+ foreach ($attributes as $attrkey => $attrval) {
+ if (in_array($attrkey, $excludeAttributes)) {
+ unset($attributes[$attrkey]);
+ }
+ }
 /*
 * Generate identifiers and hashes
@@ -80,6 +87,8 @@ if (array_key_exists('logout', $_REQUEST)) {
 $hashAttributes = $cA_config->getValue('attributes.hash');
+$excludeAttributes = $cA_config->getValue('attributes.exclude', array());
+
 // Check if valid local session exists
 $as->requireAuth();
@@ -161,7 +170,7 @@ if ($action !== null && $sp_entityid !== null) {
 // Run AuthProc filters
 list($targeted_id, $attribute_hash, $attributes_new) = driveProcessingChain($idp_metadata, $source, $sp_metadata,
- $sp_entityid, $attributes, $userid, $hashAttributes);
+ $sp_entityid, $attributes, $userid, $hashAttributes, $excludeAttributes);
 // Add a consent (or update if attributes have changed and old consent for SP and IdP exists)
 if ($action == 'true') {
@@ -217,7 +226,7 @@ foreach ($all_sp_metadata as $sp_entityid => $sp_values) {
 // Run attribute filters
 list($targeted_id, $attribute_hash, $attributes_new) = driveProcessingChain($idp_metadata, $source, $sp_metadata,
- $sp_entityid, $attributes, $userid, $hashAttributes);
+ $sp_entityid, $attributes, $userid, $hashAttributes, $excludeAttributes);
 // Check if consent exists
 if (array_key_exists($targeted_id, $user_consent)) {
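Review bot: The new `$excludeAttributes = array()` parameter of driveProcessingChain is not described in the function's docblock, which opens at the `/*` on the hunk's last context line and continues outside the hunk. I would add `@param array $excludeAttributes Attribute names removed from $attributes before the identifiers and hashes are generated; keep it identical to the consent module's 'noconsentattributes' setting, otherwise the computed hash will presumably differ from the one the consent module stored.` The parameter also carries no type declaration; `array $excludeAttributes = array()` would reject a misconfigured scalar at the call boundary instead of deep inside the loop that consumes it.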
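Review bot: `in_array($attrkey, $excludeAttributes)` in the new loop uses loose comparison, so a numeric-looking attribute name can match a different entry of the exclude list under PHP's `==` rules on numeric strings; pass `true` as the third argument. The loop also binds `$attrval` without using it and unsets entries of the array it iterates, which works but reads as fragile; the whole block can be `$attributes = array_diff_key($attributes, array_flip($excludeAttributes));`, which compares keys strictly and makes the intent (drop these names) obvious. Since this runs after `processStatePassive`, the exclusion applies to the attribute names as they exist after the auth-proc chain, which is worth stating in the comment because an admin will naturally write the names as the consent module sees them.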
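Review bot: `$cA_config->getValue('attributes.exclude', array())` on the new line accepts whatever type the configuration file holds, so a string or null written by mistake is only discovered when in_array() receives it as its haystack inside driveProcessingChain, which in the two call sites of the later hunks means a failure in the middle of a consent update or listing. If the configuration class provides `getArray()` (SimpleSAMLphp's does, as far as I recall; confirm for the version in use), `$excludeAttributes = $cA_config->getArray('attributes.exclude', array());` validates the shape once, at load time, next to the existing `attributes.hash` lookup.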