Differences
This shows the differences between two versions of the page.
de:shibidp3consent_dsgvo [2019/01/21 17:53] Wolfgang Pempe
de:shibidp3consent_dsgvo [2019/12/04 09:46] (current) Silke Meyer
Zeile 95: | Zeile 95: | ||
und | und | ||
- | <file xml ./flows/intercept/attribute-info/attribute-must-flow.xml> | + | <file xml ./flows/intercept/attribute-must/attribute-must-flow.xml> |
<action-state id="ExtractConsent"> | <action-state id="ExtractConsent"> | ||
<evaluate expression="ExtractConsent" /> | <evaluate expression="ExtractConsent" /> | ||
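Review bot: the old path placed `attribute-must-flow.xml` under the `attribute-info` directory, so a flow file named for one intercept flow sat in the directory of another; the corrected `./flows/intercept/attribute-must/attribute-must-flow.xml` keeps directory name and flow file name consistent, which is the same layout the page uses for `./flows/intercept/attribute-release-query` further down. Consider adding one sentence at this point stating that the directory name must match the flow name, since that is the part readers copying the earlier revision would have got wrong.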
Zeile 137: | Zeile 137: | ||
</file> | </file> | ||
+ | \\ | ||
+ | |||
+ | **HTML-Ansicht ''attribute-info.vm''**\\ | ||
+ | {{:de:02_user_consent.png?200|}} | ||
+ | |||
+ | **HTML-Ansicht ''attribute-must.vm''**\\ | ||
+ | {{:de:03_user_consent.png?200|}} | ||
+ | |||
+ | ==== Attribute Query und User Consent ==== | ||
+ | Ab Shibboleth IdP 3.4.3 kann bei Attribute Queries die jeweils letzte Entscheidung des Users zur Attributfreigabe berücksichtigt werden. Dies funktioniert natürlich nur, wenn die (virtuellen) Entscheidungen zur Attributfreigabe in einer IdP-seitigen Datenbank abgelegt werden und eine entsprechende Condition gesetzt ist. Siehe hierzu unter [[de:shibidp3storage#user_consent_zu_attributfreigabe_bei_attribute_queries_beruecksichtigen|Server-Side-Storage - User Consent]]. | ||
+ | |||
+ | Damit Attribute Queries unter diesen Rahmenbedingungen auch im oben skizzierten Setup funktionieren, sind weitere Konfigurationsschritte erforderlich: | ||
+ | |||
+ | Zunächst die Dateien \\ | ||
+ | ''./system/flows/intercept/attribute-release-query-beans.xml'' und \\ | ||
+ | ''./system/flows/intercept/attribute-release-query-flow.xm'' \\ | ||
+ | in ein Verzeichnis namens \\ | ||
+ | ''./flows/intercept/attribute-release-query'' \\ | ||
+ | kopieren. | ||
+ | |||
+ | Anschließend müssen diverse Anpassungen vorgenommen werden: | ||
+ | <file xml ./flows/intercept/attribute-release-query/attribute-release-query-beans.xml> | ||
+ | <!-- Use 'intercept/attribute-release' as storage context. --> | ||
+ | |||
+ | <bean id="AttributeReleaseStorageContextLookupStrategy" class="com.google.common.base.Functions" | ||
+ | factory-method="constant" c:_0="intercept/attribute-release" /> | ||
+ | |||
+ | <bean id="ReadAttributeReleaseConsentFromStorage" | ||
+ | class="net.shibboleth.idp.consent.flow.storage.impl.ReadConsentFromStorage" scope="prototype" | ||
+ | p:storageKeyLookupStrategy-ref="shibboleth.consent.UserAndRelyingPartyStorageKey" | ||
+ | p:storageSerializer-ref="shibboleth.consent.ConsentSerializer" | ||
+ | p:storageContextLookupStrategy-ref="AttributeReleaseStorageContextLookupStrategy" /> | ||
+ | |||
+ | <!-- Use 'intercept/attribute-info' as storage context. --> | ||
+ | <bean id="AttributeReleaseInfoStorageContextLookupStrategy" class="com.google.common.base.Functions" | ||
+ | factory-method="constant" c:_0="intercept/attribute-info" /> | ||
+ | |||
+ | <bean id="ReadAttributeReleaseInfoConsentFromStorage" | ||
+ | class="net.shibboleth.idp.consent.flow.storage.impl.ReadConsentFromStorage" scope="prototype" | ||
+ | p:storageKeyLookupStrategy-ref="shibboleth.consent.UserAndRelyingPartyStorageKey" | ||
+ | p:storageSerializer-ref="shibboleth.consent.ConsentSerializer" | ||
+ | p:storageContextLookupStrategy-ref="AttributeReleaseInfoStorageContextLookupStrategy" /> | ||
+ | |||
+ | <!-- Use 'intercept/attribute-must' as storage context. --> | ||
+ | <bean id="AttributeReleaseMustStorageContextLookupStrategy" class="com.google.common.base.Functions" | ||
+ | factory-method="constant" c:_0="intercept/attribute-must" /> | ||
+ | |||
+ | <bean id="ReadAttributeReleaseMustConsentFromStorage" | ||
+ | class="net.shibboleth.idp.consent.flow.storage.impl.ReadConsentFromStorage" scope="prototype" | ||
+ | p:storageKeyLookupStrategy-ref="shibboleth.consent.UserAndRelyingPartyStorageKey" | ||
+ | p:storageSerializer-ref="shibboleth.consent.ConsentSerializer" | ||
+ | p:storageContextLookupStrategy-ref="AttributeReleaseMustStorageContextLookupStrategy" /> | ||
+ | |||
+ | </file> | ||
+ | |||
+ | In der Flow-Definition den Block nach ''<!-- Read consent from storage -->'' anpassen und erweitern: | ||
+ | <file xml ./flows/intercept/attribute-release-query/attribute-release-query-flow.xml> | ||
+ | <!-- Read consent from storage. --> | ||
+ | |||
+ | <action-state id="ReadConsentFromStorage"> | ||
+ | <evaluate expression="ReadAttributeReleaseConsentFromStorage" /> | ||
+ | <evaluate expression="'proceed'" /> | ||
+ | |||
+ | <transition on="proceed" to="ReadInfoConsentFromStorage" /> | ||
+ | </action-state> | ||
+ | |||
+ | <action-state id="ReadInfoConsentFromStorage"> | ||
+ | <evaluate expression="ReadAttributeReleaseInfoConsentFromStorage" /> | ||
+ | <evaluate expression="'proceed'" /> | ||
+ | |||
+ | <transition on="proceed" to="ReadMustConsentFromStorage" /> | ||
+ | </action-state> | ||
+ | |||
+ | <action-state id="ReadMustConsentFromStorage"> | ||
+ | <evaluate expression="ReadAttributeReleaseMustConsentFromStorage" /> | ||
+ | <evaluate expression="'proceed'" /> | ||
+ | |||
+ | <transition on="proceed" to="TestForReadGlobalAttributeConsentFromStorage" /> | ||
+ | </action-state> | ||
+ | |||
+ | <decision-state id="TestForReadGlobalAttributeConsentFromStorage"> | ||
+ | <if test="attributeReleaseFlowDescriptor.globalConsentAllowed" | ||
+ | then="ReadGlobalAttributeConsentFromStorage" else="CheckPreviousConsents" /> | ||
+ | </decision-state> | ||
+ | |||
+ | <action-state id="ReadGlobalAttributeConsentFromStorage"> | ||
+ | <evaluate expression="ReadAttributeReleaseGlobalConsentFromStorage" /> | ||
+ | <evaluate expression="'proceed'" /> | ||
+ | |||
+ | <transition on="proceed" to="TestForGlobalAttributeConsent" /> | ||
+ | </action-state> | ||
+ | | ||
+ | <!-- hier noch der angepasste Pfad fürs Import-Statement der Attribute Release Bohne --> | ||
+ | <bean-import resource="../../../system/flows/intercept/attribute-release-beans.xml" /> | ||
+ | </file> | ||
+ | |||
+ | Anschließend noch den flow in ''./conf/intercept/profile-intercept.xml'' bekannt machen: | ||
+ | <file xml ./conf/intercept/profile-intercept.xml> | ||
+ | <bean id="shibboleth.AvailableInterceptFlows" parent="shibboleth.DefaultInterceptFlows" lazy-init="true"> | ||
+ | <property name="sourceList"> | ||
+ | <list merge="true"> | ||
+ | <!-- ... --> | ||
+ | <bean id="intercept/attribute-release-query" parent="shibboleth.consent.AttributeReleaseFlow" /> | ||
+ | <!-- ... --> | ||
+ | </list> | ||
+ | </property> | ||
+ | </bean> | ||
+ | </file> |
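Review bot: the file name in the copy step, `./system/flows/intercept/attribute-release-query-flow.xm`, is missing its trailing `l`; the same file is referenced a few lines later as `attribute-release-query-flow.xml`, so the copy instruction should read `attribute-release-query-flow.xml`. Two further points in this hunk: the `ReadGlobalAttributeConsentFromStorage` state evaluates `ReadAttributeReleaseGlobalConsentFromStorage`, which is not among the beans defined in the `attribute-release-query-beans.xml` shown, so the text should either state that this bean is provided by the imported `../../../system/flows/intercept/attribute-release-beans.xml` or define it next to the three new `Read...ConsentFromStorage` beans, otherwise a reader who trims the import will get an unresolved bean at flow start; and the comment `<!-- hier noch der angepasste Pfad fürs Import-Statement der Attribute Release Bohne -->` reads as a working note rather than documentation and should be replaced with a plain comment such as `<!-- adjusted relative path for the attribute-release beans import -->`.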
- Last modified: 11 months ago