de:shibidp3consent_dsgvo [2019/01/21 17:53] Wolfgang Pempe
de:shibidp3consent_dsgvo [2019/04/17 17:11] Wolfgang Pempe
and | and
<file xml ./flows/intercept/attribute-info/attribute-must-flow.xml> | <file xml ./flows/intercept/attribute-must/attribute-must-flow.xml>
<action-state id="ExtractConsent"> | <action-state id="ExtractConsent">
<evaluate expression="ExtractConsent" /> | <evaluate expression="ExtractConsent" />
</file> | </file>

**HTML view ''attribute-info.vm''**\\
{{:de:02_user_consent.png?200|}}

**HTML view ''attribute-must.vm''**\\
{{:de:03_user_consent.png?200|}}

==== Attribute Query and User Consent ====
As of Shibboleth IdP 3.4.3, the user's most recent attribute-release decision can be taken into account for attribute queries. Naturally, this only works if the (virtual) attribute-release decisions are stored in a database on the IdP side and a corresponding condition is set. See [[de:shibidp3storage#user_consent_zu_attributfreigabe_bei_attribute_queries_beruecksichtigen|Server-Side Storage - User Consent]] for details.

For attribute queries to work under these conditions in the setup outlined above as well, further configuration steps are required:

First, copy the files \\
''./system/flows/intercept/attribute-release-query-beans.xml'' and \\
''./system/flows/intercept/attribute-release-query-flow.xml'' \\
into a directory named \\
''./flows/intercept/attribute-release-query''.

Then a number of adjustments have to be made:
<file xml ./flows/intercept/attribute-release-query-beans.xml>
<!-- Use 'intercept/attribute-release' as storage context. -->

<bean id="AttributeReleaseStorageContextLookupStrategy" class="com.google.common.base.Functions"
    factory-method="constant" c:_0="intercept/attribute-release" />

<bean id="ReadAttributeReleaseConsentFromStorage"
    class="net.shibboleth.idp.consent.flow.storage.impl.ReadConsentFromStorage" scope="prototype"
    p:storageKeyLookupStrategy-ref="shibboleth.consent.UserAndRelyingPartyStorageKey"
    p:storageSerializer-ref="shibboleth.consent.ConsentSerializer"
    p:storageContextLookupStrategy-ref="AttributeReleaseStorageContextLookupStrategy" />

<!-- Use 'intercept/attribute-info' as storage context. -->
<bean id="AttributeReleaseInfoStorageContextLookupStrategy" class="com.google.common.base.Functions"
    factory-method="constant" c:_0="intercept/attribute-info" />

<bean id="ReadAttributeReleaseInfoConsentFromStorage"
    class="net.shibboleth.idp.consent.flow.storage.impl.ReadConsentFromStorage" scope="prototype"
    p:storageKeyLookupStrategy-ref="shibboleth.consent.UserAndRelyingPartyStorageKey"
    p:storageSerializer-ref="shibboleth.consent.ConsentSerializer"
    p:storageContextLookupStrategy-ref="AttributeReleaseInfoStorageContextLookupStrategy" />

<!-- Use 'intercept/attribute-must' as storage context. -->
<bean id="AttributeReleaseMustStorageContextLookupStrategy" class="com.google.common.base.Functions"
    factory-method="constant" c:_0="intercept/attribute-must" />

<bean id="ReadAttributeReleaseMustConsentFromStorage"
    class="net.shibboleth.idp.consent.flow.storage.impl.ReadConsentFromStorage" scope="prototype"
    p:storageKeyLookupStrategy-ref="shibboleth.consent.UserAndRelyingPartyStorageKey"
    p:storageSerializer-ref="shibboleth.consent.ConsentSerializer"
    p:storageContextLookupStrategy-ref="AttributeReleaseMustStorageContextLookupStrategy" />

</file>

In the flow definition, adapt and extend the block after ''<!-- Read consent from storage -->'':
<file xml ./flows/intercept/attribute-release-query-flow.xml>
<!-- Read consent from storage. -->

<action-state id="ReadConsentFromStorage">
    <evaluate expression="ReadAttributeReleaseConsentFromStorage" />
    <evaluate expression="'proceed'" />

    <transition on="proceed" to="ReadInfoConsentFromStorage" />
</action-state>

<action-state id="ReadInfoConsentFromStorage">
    <evaluate expression="ReadAttributeReleaseInfoConsentFromStorage" />
    <evaluate expression="'proceed'" />

    <transition on="proceed" to="ReadMustConsentFromStorage" />
</action-state>

<action-state id="ReadMustConsentFromStorage">
    <evaluate expression="ReadAttributeReleaseMustConsentFromStorage" />
    <evaluate expression="'proceed'" />

    <transition on="proceed" to="TestForReadGlobalAttributeConsentFromStorage" />
</action-state>

<decision-state id="TestForReadGlobalAttributeConsentFromStorage">
    <if test="attributeReleaseFlowDescriptor.globalConsentAllowed"
        then="ReadGlobalAttributeConsentFromStorage" else="CheckPreviousConsents" />
</decision-state>

<action-state id="ReadGlobalAttributeConsentFromStorage">
    <evaluate expression="ReadAttributeReleaseGlobalConsentFromStorage" />
    <evaluate expression="'proceed'" />

    <transition on="proceed" to="TestForGlobalAttributeConsent" />
</action-state>

<!-- and the adjusted path for the import statement of the attribute-release beans -->
<bean-import resource="../../../system/flows/intercept/attribute-release-beans.xml" />
</file>

Finally, register the flow in ''./conf/intercept/profile-intercept.xml'':
<file xml ./conf/intercept/profile-intercept.xml>
<bean id="shibboleth.AvailableInterceptFlows" parent="shibboleth.DefaultInterceptFlows" lazy-init="true">
    <property name="sourceList">
        <list merge="true">
            <!-- ... -->
            <bean id="intercept/attribute-release-query" parent="shibboleth.consent.AttributeReleaseFlow" />
            <!-- ... -->
        </list>
    </property>
</bean>
</file>
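As an added consistency check (not part of the original page or of the Shibboleth IdP), the following Python script parses the two customized files and reports the slips that are easy to make when the beans are duplicated by hand: a lookup-strategy bean whose ''c:_0'' storage context was not changed (so two readers would see the same consents), an ''evaluate'' that names a bean that does not exist, and a ''transition'' to a state that was never defined. The embedded XML is constructed and abbreviated, and both slips are planted on purpose; on a real installation, read ''attribute-release-query-beans.xml'' and ''attribute-release-query-flow.xml'' from disk instead.

```python
import xml.etree.ElementTree as ET
# Constructed, abbreviated stand-ins for the two customized files, with two planted slips: the
# Must lookup bean still carries attribute-info's context, and the flow's Must state is missing.
BEANS_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c">
  <bean id="AttributeReleaseStorageContextLookupStrategy" c:_0="intercept/attribute-release"/>
  <bean id="ReadAttributeReleaseConsentFromStorage"
        p:storageContextLookupStrategy-ref="AttributeReleaseStorageContextLookupStrategy"/>
  <bean id="AttributeReleaseInfoStorageContextLookupStrategy" c:_0="intercept/attribute-info"/>
  <bean id="ReadAttributeReleaseInfoConsentFromStorage"
        p:storageContextLookupStrategy-ref="AttributeReleaseInfoStorageContextLookupStrategy"/>
  <bean id="AttributeReleaseMustStorageContextLookupStrategy" c:_0="intercept/attribute-info"/>
  <bean id="ReadAttributeReleaseMustConsentFromStorage"
        p:storageContextLookupStrategy-ref="AttributeReleaseMustStorageContextLookupStrategy"/>
</beans>"""
FLOW_XML = """<flow xmlns="http://www.springframework.org/schema/webflow">
  <action-state id="ReadConsentFromStorage">
    <evaluate expression="ReadAttributeReleaseConsentFromStorage"/>
    <transition on="proceed" to="ReadInfoConsentFromStorage"/>
  </action-state>
  <action-state id="ReadInfoConsentFromStorage">
    <evaluate expression="ReadAttributeReleaseInfoConsentFromStorage"/>
    <transition on="proceed" to="ReadMustConsentFromStorage"/>
  </action-state>
</flow>"""
P, C = "{http://www.springframework.org/schema/p}", "{http://www.springframework.org/schema/c}"

def check_wiring(beans_xml, flow_xml):
    # Returns a list of problems; an empty list means the wiring is consistent.
    beans = {b.get("id"): b for b in ET.fromstring(beans_xml) if b.tag.endswith("}bean")}
    problems, contexts = [], {}
    for bid, bean in beans.items():
        ref = bean.get(P + "storageContextLookupStrategy-ref")
        if ref is not None:  # only the ReadConsentFromStorage beans carry this reference
            ctx = beans[ref].get(C + "_0") if ref in beans else None
            if ctx is None:
                problems.append(f"{bid}: lookup bean {ref!r} missing or without a context")
            elif ctx in contexts:  # two readers on one context would see the same consents
                problems.append(f"{bid}: context {ctx!r} already used by {contexts[ctx]}")
            else:
                contexts[ctx] = bid
    states = {s.get("id"): s for s in ET.fromstring(flow_xml) if s.tag.endswith("-state")}
    for sid, state in states.items():
        for el in state.iter():
            expr, to = el.get("expression", ""), el.get("to")  # literals like 'proceed' are skipped
            if el.tag.endswith("}evaluate") and not expr.startswith("'") and expr not in beans:
                problems.append(f"{sid}: evaluates unknown bean {expr!r}")
            if el.tag.endswith("}transition") and to not in states:
                problems.append(f"{sid}: transition to undefined state {to!r}")
    return problems
```

Run against the embedded samples it reports exactly the two planted slips; once the Must context is set to ''intercept/attribute-must'' and the missing state is added, the list is empty.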