Beispiel für eine EU-DSGVO-konforme Konfiguration des User Consent Moduls - Profile Intercept Konfiguration


./conf/intercept/profile-intercept.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
 
       default-init-method="initialize"
       default-destroy-method="destroy">
 
    <!--
    Intercept flows are used at various injection points to modify processing. This is the master list
    of flows available that provide interesting features to deployers, but flows are actually enabled by
    specifying them in various profile configuration beans via relying-party.xml
 
    This list of flows is merged with a built-in set defined in a system configuration file, and may be
    empty, but should not be removed. You must add your own custom flows to this list if you create any.
    -->
 
    <bean id="shibboleth.AvailableInterceptFlows" parent="shibboleth.DefaultInterceptFlows" lazy-init="true">
        <property name="sourceList">
            <list merge="true">
                <!-- Flows without an activation condition here; they are enabled per profile in relying-party.xml. -->
                <bean id="intercept/context-check" parent="shibboleth.InterceptFlow" />
                <bean id="intercept/expiring-password" parent="shibboleth.InterceptFlow" />
                <bean id="intercept/terms-of-use" parent="shibboleth.consent.TermsOfUseFlow" />

                <!--
                Three variants of the attribute-release consent flow. All share the same parent and differ only
                in the activation condition, which is defined further down in this file:
                  attribute-release : the fallback; active whenever neither of the other two conditions holds
                                      (attribute_release_cond is NOT(attribute_info_cond OR attribute_must_cond))
                  attribute-info    : user matches attribute_info_users AND the SP is listed in attribute_info_sps
                  attribute-must    : user matches attribute_must_users AND the SP is listed in attribute_must_sps
                Keep attribute_info_sps and attribute_must_sps disjoint: an entityID present in both lists would
                make both AND conditions true for a matching user, so both of those flows would be activated
                for the same request. Which flows actually run for a given SP is still decided in relying-party.xml.
                -->
                <bean id="intercept/attribute-release" parent="shibboleth.consent.AttributeReleaseFlow">
                    <property name="activationCondition" ref="attribute_release_cond" />
                </bean>
                <bean id="intercept/attribute-info" parent="shibboleth.consent.AttributeReleaseFlow">
                    <property name="activationCondition" ref="attribute_info_cond" />
                </bean>
                <bean id="intercept/attribute-must" parent="shibboleth.consent.AttributeReleaseFlow">
                    <property name="activationCondition" ref="attribute_must_cond" />
                </bean>
            </list>
        </property>
    </bean>
 
    <bean id="attribute_info_users" class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
        <!--
        User side of the "useful services" category (paired with attribute_info_sps in attribute_info_cond).
        In production this will most likely test membership of a user group, e.g. an ou value, instead of
        eduPersonAffiliation=staff. The predicate is true when the named attribute carries at least one of
        the listed values. useUnfilteredAttributes=true makes it look at the attribute values before attribute
        filtering, so the decision does not depend on whether this SP is allowed to receive the attribute
        (this is what the property name indicates; confirm against the IdP documentation for your version).
        -->
        <property name="useUnfilteredAttributes" value="true" />
        <property name="attributeValueMap">
            <map>
                <entry key="eduPersonAffiliation">
                    <list>
                        <value>staff</value>
                    </list>
                </entry>
            </map>
        </property>
    </bean>
 
    <bean id="attribute_must_users" class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
        <!--
        User side of the "necessary services" category (paired with attribute_must_sps in attribute_must_cond).
        Kept as a separate bean from attribute_info_users on purpose, even though both currently test
        eduPersonAffiliation=staff: in production this will most likely test membership of a user group,
        e.g. an ou value, and the two categories may need different groups. Users who do not match still get
        the regular consent prompt for these SPs, which is the intended GDPR behaviour.
        useUnfilteredAttributes=true evaluates the attribute before attribute filtering (as the property
        name indicates; confirm against the IdP documentation for your version).
        -->
        <property name="useUnfilteredAttributes" value="true" />
        <property name="attributeValueMap">
            <map>
                <entry key="eduPersonAffiliation">
                    <list>
                        <value>staff</value>
                    </list>
                </entry>
            </map>
        </property>
    </bean>
 
    <bean id="attribute_must_sps" parent="shibboleth.Conditions.RelyingPartyId">
        <!--
        Entity IDs of the SPs in the "necessary services" category (GDPR Art. 88, processing in the
        employment context). Replace the DFN test SP below with your own entityIDs, one <value> per SP.
        The candidates are compared with the requesting relying party's entityID, so use the complete
        entityID string, not a hostname. Do not list an SP here that is also in attribute_info_sps.
        -->
        <constructor-arg name="candidates">
            <util:list>
                <value>https://testsp.aai.dfn.de/shibboleth</value>
            </util:list>
        </constructor-arg>
    </bean>
 
    <bean id="attribute_info_sps" parent="shibboleth.Conditions.RelyingPartyId">
        <!--
        Entity IDs of the SPs in the "useful services" category (GDPR Art. 6(1)(e) public task or
        Art. 6(1)(f) legitimate interest). Replace the DFN test SP below with your own entityIDs, one
        <value> per SP, using the complete entityID string. Do not list an SP here that is also in
        attribute_must_sps; document the legal basis chosen for each SP alongside this list.
        -->
        <constructor-arg name="candidates">
            <util:list>
                <value>https://testsp3.aai.dfn.de/shibboleth</value>
            </util:list>
        </constructor-arg>
    </bean>
 
    <bean id="attribute_info_cond" parent="shibboleth.Conditions.AND">
        <!--
        Activation condition of intercept/attribute-info: true only when BOTH the user is in the
        "useful services" user group (attribute_info_users) AND the requesting SP is listed in
        attribute_info_sps. Also negated inside attribute_release_cond.
        -->
        <constructor-arg>
            <util:list>
                <ref bean="attribute_info_users" />
                <ref bean="attribute_info_sps" />
            </util:list>
        </constructor-arg>
    </bean>
 
    <bean id="attribute_must_cond" parent="shibboleth.Conditions.AND">
        <!--
        Activation condition of intercept/attribute-must: true only when BOTH the user is in the
        "necessary services" user group (attribute_must_users) AND the requesting SP is listed in
        attribute_must_sps. Also negated inside attribute_release_cond.
        -->
        <constructor-arg>
            <util:list>
                <ref bean="attribute_must_users" />
                <ref bean="attribute_must_sps" />
            </util:list>
        </constructor-arg>
    </bean>
 
    <!--
    Activation condition of the regular consent flow intercept/attribute-release:
    NOT (attribute_info_cond OR attribute_must_cond). The ordinary consent prompt is therefore shown for
    every request that does not fall into one of the two categories above, e.g. a non-staff user accessing
    an SP listed in attribute_must_sps, or any user accessing an SP listed nowhere.
    NOTE(review): NOT negates a single predicate, but here it receives a one-element <list> wrapping the OR.
    Confirm that this wiring loads on your IdP version; if it does not, pass the OR bean directly as the
    constructor-arg instead of inside a list.
    -->
    <bean id="attribute_release_cond" parent="shibboleth.Conditions.NOT">
       <constructor-arg>
         <list>
            <bean parent="shibboleth.Conditions.OR">
              <constructor-arg>
                <list>
                  <ref bean="attribute_info_cond" />
                  <ref bean="attribute_must_cond" />
                </list>
              </constructor-arg>
            </bean>
         </list>
       </constructor-arg>
    </bean>
 
</beans>