Hi,
Please find the following information on current implementation of consent
management in IS 5.5.0.
- Claims to populate in the consent page, will be retrieved from the
claim mapping configuration in SP (i.e. claims which is configured as
requested).
- If the claims configured in SP are mentioned as mandatory (i.e.
without those claims application cannot work), consent MUST be given by
user, to proceed.
- When user have provided the consent first time, consent receipt will
be generated for that application and for that user. Then after consent
page will be shown, if there are any more mandatory claims which user has
not provided the consent to share with the application.
- If there are no SP configurations, consider that as a federated
scenario and populate all the authenticated user attributes as mandatory
claims in the consent.
Following is the suggested approach for handling consent management when
the requested claims are send dynamically from the authentication request.
- *Requested/Mandatory claims are only configured in SP*
- Populate all the claims configured in SP, in the consent page.
- *Requested/Mandatory claims are not configured in SP and requested in
authentication request*
- From framework, set all the requested attributes to the authenticated
user (i.e. values as null for the attributes which are not available for
the user) and set the required property of the claims to true/false.
- In the consent service, validate the required property and populate
the consent page. Since mandatory is a property which we have
introduced in
IS, that won't be affected for the requested claims in authentication
request.
- All the requested claims in authentication request will be populated
in the consent page whether user have a attribute value or not.
- We assume that all the user attributes for which the user consent is
needed, will be send in the first authentication request. For later
requests, consent page will not be shown. This is because, consent page
will be populated only for mandatory claims, if a consent receipt is
available for the user.
- Filter out and remove the null user attribute values from framework
and send to the inbound component or can be handled null values
in inbound
component.
- Federated claims will also be treated same way as above.
- *Requested/Mandatory claims are configured in SP and requested in
authentication request*
- Populate all the claims configured in SP, in the consent page.
- Here we will be not considering about the requested claims in the
request when showing the consent page.
Appreciate your suggestions and comments on this.
Thanks and Regards
--
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com
Mobile 0772182255
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
