uApprove - User Consent Module for Shibboleth Identity Providers

uApprove is an extension for the Shibboleth Identity Provider (IdP) to enforce acceptance of terms of use and user attribute release consent. It serves the following purposes:
  1. The user is informed about the release of his data (attributes) to a Service Provider (SP) when he accesses the SP for the first time or if his data has changed.
  2. The administrator of an Identity Provider (IdP)
    1. can ask the user to accept an IdP's terms of use before accessing any services
    2. gets a tool that implements data protection laws by enforcing user consent before personal user attributes are released to an SP
    3. knows when a particular user gave consent to release which attribute and value to a particular SP
From the user's point of view, uApprove is an application that presents him with a web page on which
  • he may have to accept or decline the Terms of Use of a Shibboleth Identity Provider upon first access to the system (this option can be disabled by configuration)
  • he can globally accept the release of all his/her attributes to any Service Provider
  • he has to accept the release of his/her attributes upon first access to a given Service Provider (if the global release has not been approved)

Demo

There is a demonstration site, where you can see uApprove in action.

On the page "Select your Home Organisation", choose the entry "AAI Demo Home Organisation" and click on the Select button. Then, you are redirected to the login screen where you can log in using the following credentials:
Username(s): demo[1..50]
Password:    demo

Download

Please consult the README file for license, issue tracking and source access information.
Comments & questions to aai@switch.ch.

Related Work

Some deployers might also be interested in uApproveJP (Jet Pack), a fork by our colleagues from the Japanese GakuNin AAI federation. The main difference between uApproveJP and uApprove is that the former gives users the choice to select which optional attributes are released about them.

Another (newer) fork is PrivacyLens, which introduces a completely new user interface and, like uApproveJP, gives the user more control over what information is sent to a service.

Both of the above forks, like uApprove itself, are plug-ins for the Shibboleth Identity Provider v2.x. Version 3 of Shibboleth will come with built-in user consent. Therefore, it is likely that uApprove or similar plug-ins won't be needed anymore.