diff --git a/modules/consent/docs/consent.md b/modules/consent/docs/consent.md
index 80d12b1c4562982afee1f313d76e7976ade39a92..33e15a38e1dc58b272394c7f7b53ed7cb70bc6d1 100644
--- a/modules/consent/docs/consent.md
+++ b/modules/consent/docs/consent.md
@@ -160,9 +160,15 @@ The following options can be used when configuring the Consent module:
     the attributes that should have their value hidden. Default behaviour is that 
     all attribute values are shown.
 
+`attributes.exclude`
+:   Allows certain attributes to be excluded from the attribute hash when
+    `includeValues` is `true` (and as a side effect, to be hidden from display
+    as `hiddenAttributes` does). Set to an array of the attributes that should
+    be excluded. Default behaviour is to include all values in the hash.
+
 `showNoConsentAboutService`
 :   Whether we will show a link to more information about the service from the
-    no consent page. Defaults to `TRUE`.
+    no consent page. Defaults to `true`.
 
 External options
 ----------------
diff --git a/modules/consent/lib/Auth/Process/Consent.php b/modules/consent/lib/Auth/Process/Consent.php
index 0647ac84f194f457b48e5d83139f23cd30067ddf..8ae51c1009c7235ba7f5f749a3273f27402b6f13 100644
--- a/modules/consent/lib/Auth/Process/Consent.php
+++ b/modules/consent/lib/Auth/Process/Consent.php
@@ -116,7 +116,16 @@ class sspmod_consent_Auth_Process_Consent extends SimpleSAML_Auth_ProcessingFilt
             $this->_hiddenAttributes = $config['hiddenAttributes'];
         }
 
-        if (array_key_exists('noconsentattributes', $config)) {
+        if (array_key_exists('attributes.exclude', $config)) {
+            if (!is_array($config['attributes.exclude'])) {
+                throw new SimpleSAML_Error_Exception(
+                    'Consent: attributes.exclude must be an array. '.
+                    var_export($config['attributes.exclude'], true).' given.'
+                );
+            }
+            $this->_noconsentattributes = $config['attributes.exclude'];
+        } elseif (array_key_exists('noconsentattributes', $config)) {
+            SimpleSAML\Logger::warning("The 'noconsentattributes' option has been deprecated in favour of 'attributes.exclude'.");
             if (!is_array($config['noconsentattributes'])) {
                 throw new SimpleSAML_Error_Exception(
                     'Consent: noconsentattributes must be an array. '.
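Review bot: When both `attributes.exclude` and the deprecated `noconsentattributes` are present, the new `if`/`elseif` silently drops the old list, and the deprecation warning never fires because it sits only in the `elseif` branch. An operator who is mid-migration with two differing lists gets no hint about which one decides what is left out of the consent hash. I would log inside the first branch as well, e.g. `if (array_key_exists('noconsentattributes', $config)) { SimpleSAML\Logger::warning("Consent: 'noconsentattributes' is ignored because 'attributes.exclude' is set."); }`. A short comment above the assignment would also help, stating that listed attributes are omitted from both the hash and the consent display; presumably they are still released to the SP, which is worth confirming and saying explicitly. The constructor begins and ends outside this hunk.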
diff --git a/modules/consentAdmin/config-templates/module_consentAdmin.php b/modules/consentAdmin/config-templates/module_consentAdmin.php
index 418065c14ec2ddb421cc9809a0ce39a8156693da..02fdf8d42009d69a9128b9e068353b7e02715e8d 100644
--- a/modules/consentAdmin/config-templates/module_consentAdmin.php
+++ b/modules/consentAdmin/config-templates/module_consentAdmin.php
@@ -6,23 +6,26 @@
  * @package SimpleSAMLphp
  */
 $config = array(
-	/*
-	 * Configuration for the database connection.
-	 */
-	'consentadmin'  => array(
-		'consent:Database',
-		'dsn'		=>	'mysql:host=DBHOST;dbname=DBNAME',
-		'username'	=>	'USERNAME', 
-		'password'	=>	'PASSWORD',
-	),
-	
-	// Hash attributes including values or not
-	'attributes.hash' => TRUE,
+    /*
+     * Configuration for the database connection.
+     */
+    'consentadmin'  => array(
+        'consent:Database',
+        'dsn'       =>  'mysql:host=DBHOST;dbname=DBNAME',
+        'username'  =>  'USERNAME',
+        'password'  =>  'PASSWORD',
+    ),
 
-	// Where to direct the user after logout
-    // REMEMBER to prefix with http:// otherwise the relaystate is only appended 
+    // Hash attributes including values or not
+    'attributes.hash' => true,
+
+    // If you set attributes.exclude in the consent module, this must match
+    // 'attributes.exclude' => array(),
+
+    // Where to direct the user after logout
+    // REMEMBER to prefix with http:// otherwise the relaystate is only appended
     // to saml2 logout URL
-	'returnURL' => 'http://www.wayf.dk',
+    'returnURL' => 'http://www.wayf.dk',
 
     // Shows description of the services if set to true (defaults to true)
     'showDescription' => true,
diff --git a/modules/consentAdmin/docs/consentAdmin.md b/modules/consentAdmin/docs/consentAdmin.md
index 454cd5f47825899530c4128efd1e2a8f0c84c5c9..1dc342e7f917930674a92ef66908e95cd0fafa99 100644
--- a/modules/consentAdmin/docs/consentAdmin.md
+++ b/modules/consentAdmin/docs/consentAdmin.md
@@ -44,7 +44,9 @@ Setting optional parameters
 In order to make the consentAdmin module work together with the consent
 module correctly, you need to set the configuration 'attributes.hash'
 according to the value of 'includeValues' configuration in the consent
-module.
+module. Likewise, if you've used the 'attributes.exclude' configuration
+option in the consent module, you should also set the 'attributes.exclude'
+configuration option here to match.
 
 You should also set the 'returnURL' configuration in order to pass on your
 users when the press the 'Logout' link.
diff --git a/modules/consentAdmin/www/consentAdmin.php b/modules/consentAdmin/www/consentAdmin.php
index 8d5327cea0bfbbc5188d451b976fb4c6f253b0b8..c1e35b482db80ffbaf9a49fea67e42bc733943c4 100644
--- a/modules/consentAdmin/www/consentAdmin.php
+++ b/modules/consentAdmin/www/consentAdmin.php
@@ -22,7 +22,8 @@ function driveProcessingChain(
     $sp_entityid,
     $attributes,
     $userid,
-    $hashAttributes = false
+    $hashAttributes = false,
+    $excludeAttributes = array()
 ) {
 
     /*
@@ -54,6 +55,12 @@ function driveProcessingChain(
     $pc->processStatePassive($authProcState);
 
     $attributes = $authProcState['Attributes'];
+    // Remove attributes that do not require consent/should be excluded
+    foreach ($attributes as $attrkey => $attrval) {
+        if (in_array($attrkey, $excludeAttributes)) {
+            unset($attributes[$attrkey]);
+        }
+    }
 
     /*
      * Generate identifiers and hashes
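Review bot: The added filter uses `in_array($attrkey, $excludeAttributes)` with loose comparison, so a stray non-string entry in the configured list (for example `true`) compares equal to every attribute name and strips all attributes before the hash is computed. Passing the strict flag avoids that: `if (in_array($attrkey, $excludeAttributes, true)) {`. Relatedly, the later hunk reads the option with `$cA_config->getValue('attributes.exclude', array())` and no type check, whereas the consent filter rejects a non-array value with an exception. Using `$cA_config->getArray('attributes.exclude', array())` there would make a misconfigured string fail loudly instead of reaching `in_array()` unchecked. The body of driveProcessingChain continues outside this hunk.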
@@ -86,6 +93,8 @@ if (array_key_exists('logout', $_REQUEST)) {
 
 $hashAttributes = $cA_config->getValue('attributes.hash');
 
+$excludeAttributes = $cA_config->getValue('attributes.exclude', array());
+
 // Check if valid local session exists
 $as->requireAuth();
 
@@ -163,7 +172,7 @@ if ($action !== null && $sp_entityid !== null) {
 
     // Run AuthProc filters
     list($targeted_id, $attribute_hash, $attributes_new) = driveProcessingChain($idp_metadata, $source, $sp_metadata,
-        $sp_entityid, $attributes, $userid, $hashAttributes);
+        $sp_entityid, $attributes, $userid, $hashAttributes, $excludeAttributes);
 
     // Add a consent (or update if attributes have changed and old consent for SP and IdP exists)
     if ($action == 'true') {
@@ -219,7 +228,7 @@ foreach ($all_sp_metadata as $sp_entityid => $sp_values) {
 
     // Run attribute filters
     list($targeted_id, $attribute_hash, $attributes_new) = driveProcessingChain($idp_metadata, $source, $sp_metadata,
-        $sp_entityid, $attributes, $userid, $hashAttributes);
+        $sp_entityid, $attributes, $userid, $hashAttributes, $excludeAttributes);
 
     // Check if consent exists
     if (array_key_exists($targeted_id, $user_consent)) {
diff --git a/tests/modules/consent/lib/Auth/Process/ConsentTest.php b/tests/modules/consent/lib/Auth/Process/ConsentTest.php
index 97534dc4382390cd61d45bb072f579eacc64b9c5..c0c03cae577c24a380fe55b6cb5c7bb311dba1c3 100644
--- a/tests/modules/consent/lib/Auth/Process/ConsentTest.php
+++ b/tests/modules/consent/lib/Auth/Process/ConsentTest.php
@@ -179,4 +179,39 @@ class ConsentTest extends TestCase
             "Hash is not the same when the order of the attributs changes and the values are not included"
         );
     }
+
+    public function testConstructorSetsInstancePrivateVars()
+    {
+        $reflection = new \ReflectionClass('\sspmod_consent_Auth_Process_Consent');
+
+        foreach (array(
+            '_includeValues', '_checked', '_focus', '_hiddenAttributes', '_noconsentattributes', '_showNoConsentAboutService'
+        ) as $v) {
+            $instanceVars[$v] = $reflection->getProperty($v);
+            $instanceVars[$v]->setAccessible(true);
+        }
+
+        /* these just need to be different to the default values */
+        $config = array(
+            'includeValues' => true,
+            'checked' => true,
+            'focus' => 'yes',
+            'hiddenAttributes' => array('attribute1', 'attribute2'),
+            'attributes.exclude' => array('attribute1', 'attribute2'),
+            'showNoConsentAboutService' => false,
+        );
+
+        $testcase = $reflection->newInstance($config, null);
+
+        $this->assertEquals($instanceVars['_includeValues']->getValue($testcase), $config['includeValues']);
+        $this->assertEquals($instanceVars['_checked']->getValue($testcase), $config['checked']);
+        $this->assertEquals($instanceVars['_focus']->getValue($testcase), $config['focus']);
+        $this->assertEquals($instanceVars['_hiddenAttributes']->getValue($testcase), $config['hiddenAttributes']);
+        $this->assertEquals($instanceVars['_noconsentattributes']->getValue($testcase), $config['attributes.exclude']);
+        $this->assertEquals($instanceVars['_showNoConsentAboutService']->getValue($testcase), $config['showNoConsentAboutService']);
+
+        $deprecated = $reflection->newInstance(array('noconsentattributes' => $config['attributes.exclude'],), null);
+        $this->assertEquals($instanceVars['_noconsentattributes']->getValue($deprecated), $config['attributes.exclude']);
+
+    }
 }
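Review bot: The new test covers only the happy path, so the `is_array` rejection added for `attributes.exclude` and the precedence when both `attributes.exclude` and `noconsentattributes` are supplied are left unexercised. A case that passes a string for `attributes.exclude` and expects `SimpleSAML_Error_Exception`, plus one that passes both keys with different lists, would pin the behaviour that decides which attributes are left out of the consent hash. The assertions also pass the actual value first and compare loosely; `$this->assertSame($config['includeValues'], $instanceVars['_includeValues']->getValue($testcase));` gives correct failure messages and catches a `true` versus `'1'` mix-up. `$instanceVars` should be initialised with `$instanceVars = array();` before the loop.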