Differences

This page shows the differences between two versions.

de:shibidp3consent_dsgvo [2019/01/21 17:57]
Wolfgang Pempe
de:shibidp3consent_dsgvo [2019/04/17 17:11] (current)
Wolfgang Pempe [Attribute Query and User Consent]
Line 95: Line 95:
 und und
  
-<file xml ./​flows/​intercept/​attribute-info/​attribute-must-flow.xml>​+<file xml ./​flows/​intercept/​attribute-must/​attribute-must-flow.xml>​
      <​action-state id="​ExtractConsent">​      <​action-state id="​ExtractConsent">​
         <​evaluate expression="​ExtractConsent"​ />         <​evaluate expression="​ExtractConsent"​ />
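Review bot: the corrected header path ''./flows/intercept/attribute-must/attribute-must-flow.xml'' now matches the directory the ''intercept/attribute-must'' flow is actually loaded from (a flow id maps to ''flows/<id>/<name>-flow.xml'', the same convention the page relies on for ''intercept/attribute-release-query'' further down), whereas the old ''attribute-info/'' path would have filed the must-flow definition under the wrong flow id. Since the surrounding text only shows the ''ExtractConsent'' state, it would help to say explicitly that the companion beans file for this flow has to live in that same directory, because the flow's ''bean-import'' is resolved relative to the flow file.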
Line 144: Line 144:
 **HTML-Ansicht ''​attribute-must.vm''​**\\ **HTML-Ansicht ''​attribute-must.vm''​**\\
 {{:​de:​03_user_consent.png?​200|}} {{:​de:​03_user_consent.png?​200|}}
 +
 +==== Attribute Query und User Consent ====
 +Ab Shibboleth IdP 3.4.3 kann bei Attribute Queries die jeweils letzte Entscheidung des Users zur Attributfreigabe berücksichtigt werden. Dies funktioniert natürlich nur, wenn die (virtuellen) Entscheidungen zur Attributfreigabe in einer IdP-seitigen Datenbank abgelegt werden und eine entsprechende Condition gesetzt ist. Siehe hierzu unter [[de:​shibidp3storage#​user_consent_zu_attributfreigabe_bei_attribute_queries_beruecksichtigen|Server-Side-Storage - User Consent]].
 +
 +Damit Attribute Queries unter diesen Rahmenbedingungen auch im oben skizzierten Setup funktionieren,​ sind weitere Konfigurationsschritte erforderlich:​
 +
 +Zunächst die Dateien \\
 +''​./​system/​flows/​intercept/​attribute-release-query-beans.xml''​ und \\
 +''​./​system/​flows/​intercept/​attribute-release-query-flow.xm''​ \\
 +in ein Verzeichnis namens \\
 +''​./​flows/​intercept/​attribute-release-query''​ \\
 +kopieren.
 +
 +Anschließend müssen diverse Anpassungen vorgenommen werden:
 +<file xml ./​flows/​intercept/​attribute-release-query-beans.xml>​
 +    <!-- Use '​intercept/​attribute-release'​ as storage context. -->
 +
 +    <bean id="​AttributeReleaseStorageContextLookupStrategy"​ class="​com.google.common.base.Functions"​
 +        factory-method="​constant"​ c:​_0="​intercept/​attribute-release"​ />
 +
 +    <bean id="​ReadAttributeReleaseConsentFromStorage"​
 +        class="​net.shibboleth.idp.consent.flow.storage.impl.ReadConsentFromStorage"​ scope="​prototype"​
 +        p:​storageKeyLookupStrategy-ref="​shibboleth.consent.UserAndRelyingPartyStorageKey"​
 +        p:​storageSerializer-ref="​shibboleth.consent.ConsentSerializer"​
 +        p:​storageContextLookupStrategy-ref="​AttributeReleaseStorageContextLookupStrategy"​ />
 + 
 +    <!-- Use '​intercept/​attribute-info'​ as storage context. -->
 +    <bean id="​AttributeReleaseInfoStorageContextLookupStrategy"​ class="​com.google.common.base.Functions"​
 +        factory-method="​constant"​ c:​_0="​intercept/​attribute-info"​ />
 +
 +    <bean id="​ReadAttributeReleaseInfoConsentFromStorage"​
 +        class="​net.shibboleth.idp.consent.flow.storage.impl.ReadConsentFromStorage"​ scope="​prototype"​
 +        p:​storageKeyLookupStrategy-ref="​shibboleth.consent.UserAndRelyingPartyStorageKey"​
 +        p:​storageSerializer-ref="​shibboleth.consent.ConsentSerializer"​
 +        p:​storageContextLookupStrategy-ref="​AttributeReleaseInfoStorageContextLookupStrategy"​ />
 +
 +    <!-- Use '​intercept/​attribute-must'​ as storage context. -->
 +    <bean id="​AttributeReleaseMustStorageContextLookupStrategy"​ class="​com.google.common.base.Functions"​
 +        factory-method="​constant"​ c:​_0="​intercept/​attribute-must"​ />
 +
 +    <bean id="​ReadAttributeReleaseMustConsentFromStorage"​
 +        class="​net.shibboleth.idp.consent.flow.storage.impl.ReadConsentFromStorage"​ scope="​prototype"​
 +        p:​storageKeyLookupStrategy-ref="​shibboleth.consent.UserAndRelyingPartyStorageKey"​
 +        p:​storageSerializer-ref="​shibboleth.consent.ConsentSerializer"​
 +        p:​storageContextLookupStrategy-ref="​AttributeReleaseMustStorageContextLookupStrategy"​ />
 +
 +</​file>​
 +
 +In der Flow-Definition den Block nach ''<​!-- Read consent from storage -->''​ anpassen und erweitern:
 +<file xml ./​flows/​intercept/​attribute-release-query-flow.xml>​
 +    <!-- Read consent from storage. -->
 +
 +    <​action-state id="​ReadConsentFromStorage">​
 +        <​evaluate expression="​ReadAttributeReleaseConsentFromStorage"​ />
 +        <​evaluate expression="'​proceed'"​ />
 +
 +        <​transition on="​proceed"​ to="​ReadInfoConsentFromStorage"​ />
 +    </​action-state>​
 +
 +    <​action-state id="​ReadInfoConsentFromStorage">​
 +        <​evaluate expression="​ReadAttributeReleaseInfoConsentFromStorage"​ />
 +        <​evaluate expression="'​proceed'"​ />
 +
 +        <​transition on="​proceed"​ to="​ReadMustConsentFromStorage"​ />
 +    </​action-state>​
 +
 +    <​action-state id="​ReadMustConsentFromStorage">​
 +        <​evaluate expression="​ReadAttributeReleaseMustConsentFromStorage"​ />
 +        <​evaluate expression="'​proceed'"​ />
 +
 +        <​transition on="​proceed"​ to="​TestForReadGlobalAttributeConsentFromStorage"​ />
 +    </​action-state>​
 +
 +    <​decision-state id="​TestForReadGlobalAttributeConsentFromStorage">​
 +        <if test="​attributeReleaseFlowDescriptor.globalConsentAllowed"​
 +            then="​ReadGlobalAttributeConsentFromStorage"​ else="​CheckPreviousConsents"​ />
 +    </​decision-state>​
 +
 +    <​action-state id="​ReadGlobalAttributeConsentFromStorage">​
 +        <​evaluate expression="​ReadAttributeReleaseGlobalConsentFromStorage"​ />
 +        <​evaluate expression="'​proceed'"​ />
 +
 +        <​transition on="​proceed"​ to="​TestForGlobalAttributeConsent"​ />
 +    </​action-state> ​
 +    ​
 +    <!-- hier noch der angepasste Pfad fürs Import-Statement der Attribute Release Bohne -->
 +    <​bean-import resource="​../​../​../​system/​flows/​intercept/​attribute-release-beans.xml"​ />
 +</​file>​
 +
 +Anschließend noch den flow in ''​./​conf/​intercept/​profile-intercept.xml''​ bekannt machen:
 +<file xml ./​conf/​intercept/​profile-intercept.xml>​
 +    <bean id="​shibboleth.AvailableInterceptFlows"​ parent="​shibboleth.DefaultInterceptFlows"​ lazy-init="​true">​
 +        <​property name="​sourceList">​
 +            <list merge="​true">​
 +               <​!-- ... -->
 +               <​bean id="​intercept/​attribute-release-query"​ parent="​shibboleth.consent.AttributeReleaseFlow"​ />
 +               <​!-- ... -->
 +            </​list>​
 +        </​property>​
 +   </​bean>​
 +</​file>​
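Review bot: the second file name in the copy instruction reads ''./system/flows/intercept/attribute-release-query-flow.xm'' and is missing the trailing ''l''; anyone copying it verbatim ends up with the beans file but no flow definition, so it should read ''./system/flows/intercept/attribute-release-query-flow.xml''. Two further points on the flow excerpt: the state ''ReadGlobalAttributeConsentFromStorage'' evaluates ''ReadAttributeReleaseGlobalConsentFromStorage'', a bean the shown beans excerpt never defines; if it comes from the unchanged remainder of the copied ''attribute-release-query-beans.xml'' or from the imported ''attribute-release-beans.xml'', the text should say so, otherwise the flow fails at runtime with an unresolvable bean reference. And the three chained ''ReadConsentFromStorage'' actions read the ''intercept/attribute-release'', ''intercept/attribute-info'' and ''intercept/attribute-must'' storage contexts into one consent context under the same ''shibboleth.consent.UserAndRelyingPartyStorageKey'', so at query time a record written by the info or must flow is indistinguishable from a choice the user made in the attribute-release flow; that is only correct if those two flows store genuine approvals rather than mere acknowledgements, and a sentence spelling out that assumption would help readers who adapt the setup.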