Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- de:shibidp3consent_dsgvo [2019/01/21 17:53]
Wolfgang Pempe
+++ de:shibidp3consent_dsgvo [2019/04/17 17:11]
Wolfgang Pempe
@@ Zeile 95: / Zeile 95: @@
 und
-<file xml ./flows/intercept/attribute-info/attribute-must-flow.xml>
+<file xml ./flows/intercept/attribute-must/attribute-must-flow.xml>
      <action-state id="ExtractConsent">
         <evaluate expression="ExtractConsent" />
@@ Zeile 137: / Zeile 137: @@
 </file>
+\\
+**HTML-Ansicht ''attribute-info.vm''**\\
+{{:de:02_user_consent.png?200|}}
+**HTML-Ansicht ''attribute-must.vm''**\\
+{{:de:03_user_consent.png?200|}}
+==== Attribute Query und User Consent ====
+Ab Shibboleth IdP 3.4.3 kann bei Attribute Queries die jeweils letzte Endscheidung des Users zur Attributfreigabe berücksichtigt werden. Dies funktioniert natürlich nur, wenn die (virtuellen) Entscheidungen zur Attributfreigabe in einer IdP-seitigen Datenbank abgelegt werden und eine entsprechende Condition gesetzt ist. Siehe hierzu unter [[de:shibidp3storage#user_consent_zu_attributfreigabe_bei_attribute_queries_beruecksichtigen|Server-Side-Storage - User Consent]].
+Damit Attribute Queries unter diesen Rahmenbedingungen auch im oben skizzierten Setup funktionieren, sind weitere Konfigurationsschritte erforderlich:
+Zunächst die Dateien \\
+''./system/flows/intercept/attribute-release-query-beans.xml'' und \\
+''./system/flows/intercept/attribute-release-query-flow.xm'' \\
+in ein Verzeichnis namens \\
+''./flows/intercept/attribute-release-query'' \\
+kopieren.
+Anschließend müssen diverse Anpassungen vorgenommen werden:
+<file xml ./flows/intercept/attribute-release-query-beans.xml>
+    <!-- Use 'intercept/attribute-release' as storage context. -->
+    <bean id="AttributeReleaseStorageContextLookupStrategy" class="com.google.common.base.Functions"
+        factory-method="constant" c:_0="intercept/attribute-release" />
+    <bean id="ReadAttributeReleaseConsentFromStorage"
+        class="net.shibboleth.idp.consent.flow.storage.impl.ReadConsentFromStorage" scope="prototype"
+        p:storageKeyLookupStrategy-ref="shibboleth.consent.UserAndRelyingPartyStorageKey"
+        p:storageSerializer-ref="shibboleth.consent.ConsentSerializer"
+        p:storageContextLookupStrategy-ref="AttributeReleaseStorageContextLookupStrategy" />
+    <!-- Use 'intercept/attribute-info' as storage context. -->
+    <bean id="AttributeReleaseInfoStorageContextLookupStrategy" class="com.google.common.base.Functions"
+        factory-method="constant" c:_0="intercept/attribute-info" />
+    <bean id="ReadAttributeReleaseInfoConsentFromStorage"
+        class="net.shibboleth.idp.consent.flow.storage.impl.ReadConsentFromStorage" scope="prototype"
+        p:storageKeyLookupStrategy-ref="shibboleth.consent.UserAndRelyingPartyStorageKey"
+        p:storageSerializer-ref="shibboleth.consent.ConsentSerializer"
+        p:storageContextLookupStrategy-ref="AttributeReleaseInfoStorageContextLookupStrategy" />
+    <!-- Use 'intercept/attribute-must' as storage context. -->
+    <bean id="AttributeReleaseMustStorageContextLookupStrategy" class="com.google.common.base.Functions"
+        factory-method="constant" c:_0="intercept/attribute-must" />
+    <bean id="ReadAttributeReleaseMustConsentFromStorage"
+        class="net.shibboleth.idp.consent.flow.storage.impl.ReadConsentFromStorage" scope="prototype"
+        p:storageKeyLookupStrategy-ref="shibboleth.consent.UserAndRelyingPartyStorageKey"
+        p:storageSerializer-ref="shibboleth.consent.ConsentSerializer"
+        p:storageContextLookupStrategy-ref="AttributeReleaseMustStorageContextLookupStrategy" />
+</file>
+In der Flow-Definition den Block nach ''<!-- Read consent from storage -->'' anpassen und erweitern:
+<file xml ./flows/intercept/attribute-release-query-flow.xml>
+    <!-- Read consent from storage. -->
+    <action-state id="ReadConsentFromStorage">
+        <evaluate expression="ReadAttributeReleaseConsentFromStorage" />
+        <evaluate expression="'proceed'" />
+        <transition on="proceed" to="ReadInfoConsentFromStorage" />
+    </action-state>
+    <action-state id="ReadInfoConsentFromStorage">
+        <evaluate expression="ReadAttributeReleaseInfoConsentFromStorage" />
+        <evaluate expression="'proceed'" />
+        <transition on="proceed" to="ReadMustConsentFromStorage" />
+    </action-state>
+    <action-state id="ReadMustConsentFromStorage">
+        <evaluate expression="ReadAttributeReleaseMustConsentFromStorage" />
+        <evaluate expression="'proceed'" />
+        <transition on="proceed" to="TestForReadGlobalAttributeConsentFromStorage" />
+    </action-state>
+    <decision-state id="TestForReadGlobalAttributeConsentFromStorage">
+        <if test="attributeReleaseFlowDescriptor.globalConsentAllowed"
+            then="ReadGlobalAttributeConsentFromStorage" else="CheckPreviousConsents" />
+    </decision-state>
+    <action-state id="ReadGlobalAttributeConsentFromStorage">
+        <evaluate expression="ReadAttributeReleaseGlobalConsentFromStorage" />
+        <evaluate expression="'proceed'" />
+        <transition on="proceed" to="TestForGlobalAttributeConsent" />
+    </action-state>
+    <!-- hier noch der angepasste Pfad fürs Import-Statement der Attribute Release Bohne -->
+    <bean-import resource="../../../system/flows/intercept/attribute-release-beans.xml" />
+</file>
+Anschließend noch den flow in ''./conf/intercept/profile-intercept.xml'' bekannt machen:
+<file xml ./conf/intercept/profile-intercept.xml>
+    <bean id="shibboleth.AvailableInterceptFlows" parent="shibboleth.DefaultInterceptFlows" lazy-init="true">
+        <property name="sourceList">
+            <list merge="true">
+               <!-- ... -->
+               <bean id="intercept/attribute-release-query" parent="shibboleth.consent.AttributeReleaseFlow" />
+               <!-- ... -->
+            </list>
+        </property>
+   </bean>
+</file>

idp3 idp4