Example of an EU GDPR-compliant configuration of the User Consent module - Attribute Release Templates
Notes:
- The variants listed here refer to the solution models from the presentation "Datenschutzrechtliche Analyse des AAI-Verfahrens" given at the 69th DFN-Betriebstagung.
- If further solution models are to be implemented in addition to Variant 1, specific interceptor flows must be defined. See the main page for this.
- The examples below require correspondingly adapted message properties. See the main page for this.
Variant 1: Consent
Voluntary consent, Art. 6(1)(a)
Shib IdP 4.0.x
- ./views/intercept/attribute-release.vm
##
## Velocity Template for DisplayAttributeReleasePage view-state
##
## Velocity context will contain the following properties :
##
## attributeReleaseContext - context holding consentable attributes
## attributeReleaseFlowDescriptor - attribute consent flow descriptor
## attributeDisplayNameFunction - function to display attribute name
## attributeDisplayDescriptionFunction - function to display attribute description
## consentContext - context representing the state of a consent flow
## encoder - HTMLEncoder class
## flowExecutionKey - SWF execution key (this is built into the flowExecutionUrl)
## flowExecutionUrl - form action location
## flowRequestContext - Spring Web Flow RequestContext
## profileRequestContext - OpenSAML profile request context
## request - HttpServletRequest
## response - HttpServletResponse
## rpUIContext - context with SP UI information from the metadata
## environment - Spring Environment object for property resolution
#set ($serviceName = $rpUIContext.serviceName)
#set ($serviceDescription = $rpUIContext.serviceDescription)
#set ($informationURL = $rpUIContext.informationURL)
#set ($privacyStatementURL = $rpUIContext.privacyStatementURL)
#set ($rpOrganizationLogo = $rpUIContext.getLogo())
#set ($rpOrganizationName = $rpUIContext.organizationDisplayName)
#set ($replaceDollarWithNewline = true)
##
<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width,initial-scale=1.0">
        <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/consent.css">
        <title>#springMessageText("idp.attribute-release.title", "Information Release")</title>
    </head>
    <body>
        <form action="$flowExecutionUrl" method="post" style="padding:10px" >
            #parse("csrf/csrf.vm")
            <div class="box">
                <header>
                    <img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")" class="federation_logo">
                    #if ($rpOrganizationLogo)
                        <img src="$encoder.encodeForHTMLAttribute($rpOrganizationLogo)" alt="logo for $encoder.encodeForHTMLAttribute($serviceName)" class="organization_logo">
                    #end
                </header>
                <br clear="all"/>
                #if ($serviceName)
                    <p style="margin-top: 10px;">
                        #springMessageText("idp.attribute-release.serviceNameLabel", "You are about to access the service:")<br>
                        <span class="service_name">$serviceName</span>
                        #if ($rpOrganizationName)
                            #springMessageText("idp.attribute-release.of", "of")
                            <span class="organization_name">$encoder.encodeForHTML($rpOrganizationName)</span>
                        #end
                    </p>
                #end
                #if ($serviceDescription)
                    <p style="margin-top: 10px;">
                        #springMessageText("idp.attribute-release.serviceDescriptionLabel", "Description as provided by this service:")<br>
                        <span class="service_description">$encoder.encodeForHTML($serviceDescription)</span>
                        <br>
                    </p>
                #end
                #if ($informationURL)
                    <p style="margin-top: 10px;">
                        <a href="$informationURL">#springMessageText("idp.attribute-release.informationURLLabel", "Additional information about the service")</a>
                    </p>
                #end
                <div id="attributeRelease">
                    <table>
                        <thead>
                            <tr>
                                <th colspan="3">
                                    #springMessageText("idp.attribute-release.attributesHeader", "Information to be Provided to Service")
                                </th>
                            </tr>
                        </thead>
                        <tbody>
                            #foreach ($attribute in $attributeReleaseContext.getConsentableAttributes().values())
                                <tr>
                                    <td>$encoder.encodeForHTML($attributeDisplayNameFunction.apply($attribute))</td>
                                    <td>
                                        #foreach ($value in $attribute.values)
                                            #if ($replaceDollarWithNewline)
                                                #set ($encodedValue = $encoder.encodeForHTML($value.getDisplayValue()).replaceAll($encoder.encodeForHTML('$'),"<br>"))
                                            #else
                                                #set ($encodedValue = $encoder.encodeForHTML($value.getDisplayValue()))
                                            #end
                                            #if ($attributeReleaseFlowDescriptor.perAttributeConsentEnabled)
                                                <label for="$attribute.id"><strong>$encodedValue</strong></label>
                                            #else
                                                <strong>$encodedValue</strong>
                                            #end
                                            <br>
                                        #end
                                    </td>
                                    <td style="vertical-align: top">
                                        #if ($attributeReleaseFlowDescriptor.perAttributeConsentEnabled)
                                            #set ($inputType = "checkbox")
                                        #else
                                            #set ($inputType = "hidden")
                                        #end
                                        <input id="$attribute.id" type="$inputType" name="_shib_idp_consentIds" value="$encoder.encodeForHTML($attribute.id)" checked>
                                    </td>
                                </tr>
                            #end
                            <tr>
                                <td colspan="3">#springMessageText("idp.attribute-release.name_ids", "Furthermore, a transient or persistent Id will be released")</td>
                            </tr>
                        </tbody>
                    </table>
                </div>
                #if ($privacyStatementURL)
                    <p style="margin-top: 10px;">
                        <a href="$privacyStatementURL">#springMessageText("idp.attribute-release.privacyStatementURLLabel", "Data privacy information of the service")</a>
                    </p>
                #end
                <div style="float:left;">
                    #if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed || $attributeReleaseFlowDescriptor.globalConsentAllowed)
                        <div id="generalConsentDiv" style="display: block; background-color: #F6F6F6;border: 1px gray solid; padding: 10px; width: 92%;">
                        #springMessageText("idp.attribute-release.consentMethod", "Select an information release consent duration:")
                    #end
                    #if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed)
                        <p>
                            <input id="_shib_idp_doNotRememberConsent" type="radio" name="_shib_idp_consentOptions" value="_shib_idp_doNotRememberConsent" checked>
                            <label for="_shib_idp_doNotRememberConsent">#springMessageText("idp.attribute-release.doNotRememberConsent", "Ask me again at next login")</label>
                        </p>
                    #end
                    #if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed || $attributeReleaseFlowDescriptor.globalConsentAllowed)
                        <p>
                            <input id="_shib_idp_rememberConsent" type="radio" name="_shib_idp_consentOptions" value="_shib_idp_rememberConsent">
                            <label for="_shib_idp_rememberConsent">#springMessageText("idp.attribute-release.rememberConsent", "Ask me again if information changes")</label>
                        </p>
                    #end
                    #if ($attributeReleaseFlowDescriptor.globalConsentAllowed)
                        <p>
                            <input id="_shib_idp_globalConsent" type="radio" name="_shib_idp_consentOptions" value="_shib_idp_globalConsent">
                            <label for="_shib_idp_globalConsent">#springMessageText("idp.attribute-release.globalConsent", "Do not ask me again")</label>
                        </p>
                    #end
                    #if ($attributeReleaseFlowDescriptor.doNotRememberConsentAllowed || $attributeReleaseFlowDescriptor.globalConsentAllowed)
                        #springMessageText("idp.attribute-release.consentMethodRevoke", "This setting can be revoked at any time with the checkbox on the login page.")
                        </div>
                    #end
                    <p style="text-align: center;">
                        <input type="submit" name="_eventId_AttributeReleaseRejected" value="#springMessageText("idp.attribute-release.reject", "Reject")">
                        <a href="javascript:window.print()">#springMessageText("idp.attribute-release.print_page", "Print Page")</a>
                        <input type="submit" name="_eventId_proceed" value="#springMessageText("idp.attribute-release.accept", "Accept")">
                    </p>
                </div>
            </div>
        </form>
    </body>
</html>
Variant 2: Necessity
Performance of the employment relationship, Art. 88 in conjunction with § 26 BDSG (new)
Shib IdP 4.0.x
- ./views/intercept/attribute-must.vm
##
## Velocity Template for DisplayAttributeReleasePage view-state
##
## Velocity context will contain the following properties :
##
## attributeReleaseContext - context holding consentable attributes
## attributeReleaseFlowDescriptor - attribute consent flow descriptor
## attributeDisplayNameFunction - function to display attribute name
## attributeDisplayDescriptionFunction - function to display attribute description
## consentContext - context representing the state of a consent flow
## encoder - HTMLEncoder class
## flowExecutionKey - SWF execution key (this is built into the flowExecutionUrl)
## flowExecutionUrl - form action location
## flowRequestContext - Spring Web Flow RequestContext
## profileRequestContext - OpenSAML profile request context
## request - HttpServletRequest
## response - HttpServletResponse
## rpUIContext - context with SP UI information from the metadata
## environment - Spring Environment object for property resolution
#set ($serviceName = $rpUIContext.serviceName)
#set ($serviceDescription = $rpUIContext.serviceDescription)
#set ($informationURL = $rpUIContext.informationURL)
#set ($privacyStatementURL = $rpUIContext.privacyStatementURL)
#set ($rpOrganizationLogo = $rpUIContext.getLogo())
#set ($rpOrganizationName = $rpUIContext.organizationDisplayName)
#set ($replaceDollarWithNewline = true)
##
<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width,initial-scale=1.0">
        <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/consent.css">
        <title>#springMessageText("idp.attribute-release.title", "Information Release")</title>
    </head>
    <body>
        <form action="$flowExecutionUrl" method="post" style="padding:10px" >
            #parse("csrf/csrf.vm")
            <div class="box">
                <header>
                    <img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")" class="federation_logo">
                    #if ($rpOrganizationLogo)
                        <img src="$encoder.encodeForHTMLAttribute($rpOrganizationLogo)" alt="logo for $encoder.encodeForHTMLAttribute($serviceName)" class="organization_logo">
                    #end
                </header>
                <br clear="all"/>
                #if ($serviceName)
                    <p style="margin-top: 10px;">
                        #springMessageText("idp.attribute-release.serviceNameLabel", "You are about to access the service:")<br>
                        <span class="service_name">$serviceName</span>
                        #if ($rpOrganizationName)
                            #springMessageText("idp.attribute-release.of", "of")
                            <span class="organization_name">$encoder.encodeForHTML($rpOrganizationName)</span>
                        #end
                    </p>
                #end
                #if ($serviceDescription)
                    <p style="margin-top: 10px;">
                        #springMessageText("idp.attribute-release.serviceDescriptionLabel", "Description as provided by this service:")<br>
                        <span class="service_description">$encoder.encodeForHTML($serviceDescription)</span>
                        <br>
                    </p>
                #end
                #if ($informationURL)
                    <p style="margin-top: 10px;">
                        <a href="$informationURL">#springMessageText("idp.attribute-release.informationURLLabel", "Additional information about the service")</a>
                    </p>
                #end
                <div id="attributeRelease">
                    <table>
                        <thead>
                            <tr>
                                <th colspan="3">
                                    #springMessageText("idp.attribute-release.attributesHeader", "Information to be Provided to Service")
                                </th>
                            </tr>
                        </thead>
                        <tbody>
                            #foreach ($attribute in $attributeReleaseContext.getConsentableAttributes().values())
                                <tr>
                                    <td>$encoder.encodeForHTML($attributeDisplayNameFunction.apply($attribute))</td>
                                    <td>
                                        #foreach ($value in $attribute.values)
                                            #if ($replaceDollarWithNewline)
                                                #set ($encodedValue = $encoder.encodeForHTML($value.getDisplayValue()).replaceAll($encoder.encodeForHTML('$'),"<br>"))
                                            #else
                                                #set ($encodedValue = $encoder.encodeForHTML($value.getDisplayValue()))
                                            #end
                                            #if ($attributeReleaseFlowDescriptor.perAttributeConsentEnabled)
                                                <label for="$attribute.id"><strong>$encodedValue</strong></label>
                                            #else
                                                <strong>$encodedValue</strong>
                                            #end
                                            <br>
                                        #end
                                    </td>
                                    <td style="vertical-align: top">
                                        #if ($attributeReleaseFlowDescriptor.perAttributeConsentEnabled)
                                            #set ($inputType = "checkbox")
                                        #else
                                            #set ($inputType = "hidden")
                                        #end
                                        <input id="$attribute.id" type="$inputType" name="_shib_idp_consentIds" value="$encoder.encodeForHTML($attribute.id)" checked>
                                    </td>
                                </tr>
                            #end
                            <tr>
                                <td colspan="3">#springMessageText("idp.attribute-release.name_ids", "Furthermore, a transient or persistent Id will be released")</td>
                            </tr>
                        </tbody>
                    </table>
                </div>
                #if ($privacyStatementURL)
                    <p style="margin-top: 10px;">
                        <a href="$privacyStatementURL">#springMessageText("idp.attribute-release.privacyStatementURLLabel", "Data privacy information of the service")</a>
                    </p>
                #end
                <div id="generalConsentDiv" style="display: block; background-color: #F6F6F6;border: 1px gray solid; padding: 10px; width: 92%;">
                    <p>
                        <input id="_shib_idp_doNotRememberConsent" type="radio" name="_shib_idp_consentOptions" value="_shib_idp_doNotRememberConsent" checked>
                        <label for="_shib_idp_doNotRememberConsent">#springMessageText("idp.attribute-must.doNotRememberConsent", "Ask me again at next login")</label>
                    </p>
                    <p>
                        <input id="_shib_idp_rememberConsent" type="radio" name="_shib_idp_consentOptions" value="_shib_idp_rememberConsent">
                        <label for="_shib_idp_rememberConsent">#springMessageText("idp.attribute-must.rememberConsent", "Ask me again if information changes")</label>
                    </p>
                    <div style="float:left;">
                        <p><b>
                            #springMessageText("idp.attribute-must.information", "Honestly, you have no choice...")
                        </b></p>
                    </div>
                    <p style="text-align: center;">
                        <input type="submit" name="_eventId_proceed" value="#springMessageText("idp.attribute-must.accept", "OK")">
                    </p>
                </div>
            </div>
        </form>
    </body>
</html>
Variant 3: "Useful services"
No compulsion, but the institution has an interest in the use of the service, Art. 6(1)(e) (in conjunction with a specific enabling provision) or (f). Right to object under Art. 21(1)
Shib IdP 4.0.x
- ./views/intercept/attribute-info.vm
##
## Velocity Template for DisplayAttributeReleasePage view-state
##
## Velocity context will contain the following properties :
##
## attributeReleaseContext - context holding consentable attributes
## attributeReleaseFlowDescriptor - attribute consent flow descriptor
## attributeDisplayNameFunction - function to display attribute name
## attributeDisplayDescriptionFunction - function to display attribute description
## consentContext - context representing the state of a consent flow
## encoder - HTMLEncoder class
## flowExecutionKey - SWF execution key (this is built into the flowExecutionUrl)
## flowExecutionUrl - form action location
## flowRequestContext - Spring Web Flow RequestContext
## profileRequestContext - OpenSAML profile request context
## request - HttpServletRequest
## response - HttpServletResponse
## rpUIContext - context with SP UI information from the metadata
## environment - Spring Environment object for property resolution
#set ($serviceName = $rpUIContext.serviceName)
#set ($serviceDescription = $rpUIContext.serviceDescription)
#set ($informationURL = $rpUIContext.informationURL)
#set ($privacyStatementURL = $rpUIContext.privacyStatementURL)
#set ($rpOrganizationLogo = $rpUIContext.getLogo())
#set ($rpOrganizationName = $rpUIContext.organizationDisplayName)
#set ($replaceDollarWithNewline = true)
##
<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width,initial-scale=1.0">
        <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/consent.css">
        <title>#springMessageText("idp.attribute-release.title", "Information Release")</title>
    </head>
    <body>
        <form action="$flowExecutionUrl" method="post" style="padding:10px" >
            #parse("csrf/csrf.vm")
            <div class="box">
                <header>
                    <img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")" class="federation_logo">
                    #if ($rpOrganizationLogo)
                        <img src="$encoder.encodeForHTMLAttribute($rpOrganizationLogo)" alt="logo for $encoder.encodeForHTMLAttribute($serviceName)" class="organization_logo">
                    #end
                </header>
                <br clear="all"/>
                #if ($serviceName)
                    <p style="margin-top: 10px;">
                        #springMessageText("idp.attribute-release.serviceNameLabel", "You are about to access the service:")<br>
                        <span class="service_name">$serviceName</span>
                        #if ($rpOrganizationName)
                            #springMessageText("idp.attribute-release.of", "of")
                            <span class="organization_name">$encoder.encodeForHTML($rpOrganizationName)</span>
                        #end
                    </p>
                #end
                #if ($serviceDescription)
                    <p style="margin-top: 10px;">
                        #springMessageText("idp.attribute-release.serviceDescriptionLabel", "Description as provided by this service:")<br>
                        <span class="service_description">$encoder.encodeForHTML($serviceDescription)</span>
                        <br>
                    </p>
                #end
                #if ($informationURL)
                    <p style="margin-top: 10px;">
                        <a href="$informationURL">#springMessageText("idp.attribute-release.informationURLLabel", "Additional information about the service")</a>
                    </p>
                #end
                <div id="attributeRelease">
                    <table>
                        <thead>
                            <tr>
                                <th colspan="3">
                                    #springMessageText("idp.attribute-release.attributesHeader", "Information to be Provided to Service")
                                </th>
                            </tr>
                        </thead>
                        <tbody>
                            #foreach ($attribute in $attributeReleaseContext.getConsentableAttributes().values())
                                <tr>
                                    <td>$encoder.encodeForHTML($attributeDisplayNameFunction.apply($attribute))</td>
                                    <td>
                                        #foreach ($value in $attribute.values)
                                            #if ($replaceDollarWithNewline)
                                                #set ($encodedValue = $encoder.encodeForHTML($value.getDisplayValue()).replaceAll($encoder.encodeForHTML('$'),"<br>"))
                                            #else
                                                #set ($encodedValue = $encoder.encodeForHTML($value.getDisplayValue()))
                                            #end
                                            #if ($attributeReleaseFlowDescriptor.perAttributeConsentEnabled)
                                                <label for="$attribute.id"><strong>$encodedValue</strong></label>
                                            #else
                                                <strong>$encodedValue</strong>
                                            #end
                                            <br>
                                        #end
                                    </td>
                                    <td style="vertical-align: top">
                                        #if ($attributeReleaseFlowDescriptor.perAttributeConsentEnabled)
                                            #set ($inputType = "checkbox")
                                        #else
                                            #set ($inputType = "hidden")
                                        #end
                                        <input id="$attribute.id" type="$inputType" name="_shib_idp_consentIds" value="$encoder.encodeForHTML($attribute.id)" checked>
                                    </td>
                                </tr>
                            #end
                            <tr>
                                <td colspan="3">#springMessageText("idp.attribute-release.name_ids", "Furthermore, a transient or persistent Id will be released")</td>
                            </tr>
                        </tbody>
                    </table>
                </div>
                #if ($privacyStatementURL)
                    <p style="margin-top: 10px;">
                        <a href="$privacyStatementURL">#springMessageText("idp.attribute-release.privacyStatementURLLabel", "Data privacy information of the service")</a>
                    </p>
                #end
                <div id="generalConsentDiv" style="display: block; background-color: #F6F6F6;border: 1px gray solid; padding: 10px; width: 92%;">
                    <p>
                        <input id="_shib_idp_doNotRememberConsent" type="radio" name="_shib_idp_consentOptions" value="_shib_idp_doNotRememberConsent" checked>
                        <label for="_shib_idp_doNotRememberConsent">#springMessageText("idp.attribute-info.doNotRememberConsent", "Ask me again at next login")</label>
                    </p>
                    <p>
                        <input id="_shib_idp_rememberConsent" type="radio" name="_shib_idp_consentOptions" value="_shib_idp_rememberConsent">
                        <label for="_shib_idp_rememberConsent">#springMessageText("idp.attribute-info.rememberConsent", "Ask me again if information changes")</label>
                    </p>
                    <div style="float:left;">
                        <p><b>
                            #springMessageText("idp.attribute-info.information", "Honestly, you have no choice...")
                        </b></p>
                    </div>
                    <p style="text-align: center;">
                        <input type="submit" name="_eventId_proceed" value="#springMessageText("idp.attribute-info.accept", "OK")">
                    </p>
                </div>
            </div>
        </form>
    </body>
</html>
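The templates for Variants 2 and 3 (and the name_ids/print_page rows of Variant 1) reference message keys that the stock IdP does not define, so the IdP falls back to the inline defaults; in particular, the attribute-info.vm template of Variant 3 would show the same "Honestly, you have no choice..." text as the Variant 2 template, which does not match the lit. e/f legal basis with a right to object. The following fragment for conf/messages/messages.properties is an added example, not part of the original page or the DFN material; the key names come from the templates above, the wording is constructed for illustration and has to be replaced by the institution's own text.

```properties
# conf/messages/messages.properties (Shib IdP 4.x) - added example, wording is constructed.
# Keys for Variant 1 (views/intercept/attribute-release.vm) that are not in the stock bundle
idp.attribute-release.name_ids = Furthermore, a transient or persistent Id will be released
idp.attribute-release.print_page = Print Page

# Variant 2 (necessity): keys referenced by views/intercept/attribute-must.vm
idp.attribute-must.doNotRememberConsent = Show this information again at next login
idp.attribute-must.rememberConsent = Show this information again if it changes
idp.attribute-must.information = The release of this information is necessary for the performance of your employment relationship (Art. 88 GDPR in conjunction with § 26 BDSG). It cannot be rejected here.
idp.attribute-must.accept = OK

# Variant 3 ("useful services"): keys referenced by views/intercept/attribute-info.vm
idp.attribute-info.doNotRememberConsent = Show this information again at next login
idp.attribute-info.rememberConsent = Show this information again if it changes
idp.attribute-info.information = This information is released on the basis of Art. 6(1)(e) or (f) GDPR. You have the right to object under Art. 21(1) GDPR; see the data privacy information of the service.
idp.attribute-info.accept = OK
```

A German localisation goes into conf/messages/messages_de.properties with the same keys; a key missing from every bundle silently shows the English default embedded in the template, so verify each variant's page once after deployment.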