uApprove - User Consent Module for Shibboleth Identity Providers v2.x

uApprove screenshot
uApprove is an extension for the Shibboleth Identity Provider v2.x (IdP) to enforce acceptance of terms of use and user attribute release consent. It serves the following purposes:
  1. The user is informed about the release of his data (attributes) to a Service Provider (SP) when he accesses the SP for the first time or if his data changed.
  2. The administrator of an Identity Provider (IdP)
    1. can ask the user to accept an IdP's terms of use before accessing any services
    2. gets a tool that implements data protection laws by enforcing user consent before personal user attributes are released to an SP
    3. knows when a particular user gave consent to release which attribute and value to a particular SP
From the user's point of view, uApprove is an application which presents him a webpage, on which
  • he may have to accept or decline the Terms of Use of an Shibboleth Identity Provider upon first access to the system (this option can be disabled by configuration)
  • he can globally accept the release of all his/her attributes to any Service Provider
  • he has to accept the release of his/her attributes upon first access to a given Service Provider (if the global release has not been approved)
Note: Shibboleth IdPv3 comes with built-in user consent that obsoletes uApprove!


There is a demonstration site, where you can see uApprove in action.

On the page "Select your Home Organisation", choose the entry "AAI Demo Home Organisation" and click on the Select button. Then, you are redirected to the login screen where you can log in using the following credentials:
Username(s): demo[1..50]
Password:    demo


Please consult the README file for license, issue tracking, source access information.
Comments & questions to

Related Work

Some deployers might also be interested in uApproveJP (Jet Pack), a fork by our colleagues from the Japanese GakuNin AAI federation. The main difference of uApproveJP to uApprove is that the former gives users the choice to select which optional attributes are released about them.

Another (newer) fork is PrivacyLens, which introduces a completely new user interface and similarily like uApproveJP gives the user more control what information is sent to a service.

Both of the above forks, like uApprove itself, are plug-ins for the Shibboleth Identity Provider v2.x. Shibboleth IdPv3 comes with built-in user consent that obsoletes uApprove.