Commit 8d1c3d6c authored by Olav Morken

consent: Allow disabling of consent from SP metadata.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3044 44740490-163a-0410-bde0-09ae8108e29a
parent a1b78cf8
......@@ -187,26 +187,49 @@ The following options can/ be set in other places in simpleSAMLphp
Disabling consent
-----------------
It is possible to disable consent for a given service. You can add an option
in the metadata on the IdP, that will disable consent for the given service.
Add 'consent.disable' array option and enter the entityids of the services,
that you do not want consent for.
Consent can be disabled either in the IdP metadata or in the SP metadata.
To disable consent for one or more SPs for a given IdP, add the
`consent.disable`-option to the IdP metadata. To disable consent for one or
more IdPs for a given SP, add the `consent.disable`-option to the SP metadata.
Example:
### Examples ###
Disable consent for a given IdP:
$metadata['https://idp.example.org/'] = array(
[...],
'consent.disable' => TRUE,
);
Disable consent for some SPs connected to a given IdP:
'consent.disable' => array(
'sp.example.com',
'sp2.example.com',
...
$metadata['https://idp.example.org/'] = array(
[...],
'consent.disable' => array(
'https://sp1.example.org/',
'https://sp2.example.org/',
),
);
Disable consent for a given SP:
$metadata['https://sp.example.org'] = array(
[...]
'consent.disable' => TRUE,
),
It is also possible to disable consent for all SPs for a given IdP by setting
the 'consent.disable' option to TRUE:
Disable consent for some IdPs for a given SP:
'consent.disable' => TRUE,
$metadata['https://sp.example.org'] = array(
[...]
'consent.disable' => array(
'https://idp1.example.org/',
'https://idp2.example.org/',
),
),
Attribute presentation
----------------------
......
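Review bot: The two SP examples ("Disable consent for a given SP" and "Disable consent for some IdPs for a given SP") close the outer array with `),` and leave `[...]` without a trailing comma, while the IdP examples use `);` and `[...],`. Copied as written they do not parse, so end them with `);` and add the comma. The SP entity ID is also written `'https://sp.example.org'` without the trailing slash that the IdP entity IDs and the list entries carry; use one form throughout so readers do not conclude that the slash is optional when listing entity IDs in `consent.disable`.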
......@@ -181,9 +181,13 @@ class sspmod_consent_Auth_Process_Consent extends SimpleSAML_Auth_ProcessingFilt
$state['Source'] = $idpmeta;
}
// Do not use consent if disabled on source entity
// Do not use consent if disabled
if (isset($state['Source']['consent.disable']) && self::checkDisable($state['Source']['consent.disable'], $spEntityId)) {
SimpleSAML_Logger::debug('Consent: Consent disabled for entity ' . $spEntityId);
SimpleSAML_Logger::debug('Consent: Consent disabled for entity ' . $spEntityId . ' with IdP ' . $idpEntityId);
return;
}
if (isset($state['Destination']['consent.disable']) && self::checkDisable($state['Destination']['consent.disable'], $idpEntityId)) {
SimpleSAML_Logger::debug('Consent: Consent disabled for entity ' . $spEntityId . ' with IdP ' . $idpEntityId);
return;
}
......
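Review bot: The new `$state['Destination']['consent.disable']` branch writes exactly the same debug message as the `$state['Source']` branch, so the log does not show whether the IdP metadata or the SP metadata switched consent off; name the metadata side in each message. Because this branch lets an option in SP metadata skip the consent step, the documentation should also say that `consent.disable` is only meant for SP metadata the IdP operator maintains or has reviewed, and anyone loading SP metadata from an external source should check it for this option.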