General Data Protection Regulation - WSO2 Identity Server 5.6.0 - WSO2 Documentation

This documentation is for WSO2 Identity Server 5.6.0.


Consent life cycle management

According to GDPR, consent is defined as “Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. WSO2 IS fully supports consent management in the context of IS activities, and it can also be used to manage consents for third-party applications via a secure RESTful consent management API.

It also supports the following features:
  1. When IS acts as the Identity Provider (IdP), all sharing of user attributes with service providers (SPs), usually in security tokens such as SAML assertions, ID Tokens and JWTs, is based on user consent.
  2. User consent is obtained when IS stores user attribute profiles, whether they originate from the self sign-up portal or from a security token received from a federated identity provider.
  3. The IS user portal lets users review the consents they have already given and revoke them if necessary.
  4. The secure RESTful consent management API can be used to read, modify and delete consents managed by IS.
  5. The secure RESTful consent management API allows IS to serve as the consent lifecycle management solution for third-party applications such as web and mobile applications.

Consent receipt specification (draft)

WSO2 IS also supports the Consent Receipt Specification draft from the Kantara Initiative.

Right to be forgotten

This is one of the most important individual rights defined in GDPR. In simple terms, an individual can request the complete removal of his or her personal data from the organizations that process it. According to GDPR, unless there is a clear and valid legal ground to retain the data, processing organizations must fulfill such forget-me requests.

WSO2 IS provides an out-of-the-box privacy toolkit to remove all identity data from the related databases and log files. This toolkit can be run manually by organization administrators, or it can be automated so that whenever a user profile is deleted from the system, all the related PII data is removed as well.

To limit performance overhead and to keep automation flexible, the privacy toolkit runs separately from the IS runtime. The toolkit is not limited to the current version of IS; it can be used with any newer or older WSO2 platform product. Note that for older versions of WSO2 products, the WSO2 Privacy Toolkit must be downloaded separately.

When it comes to the right to be forgotten, IS supports the following features:

  • Deleting the user through the tenant's “Identity Admin”. This removes the user from any underlying read/write user store (JDBC/LDAP/AD).
  • Anonymizing any retained traces of the user's activity in:
    • Log files
    • Analytics data related to login, session, key validation, etc.
    • Key/token data held at the database layer
  • Deleting any unwanted data retained in the database (for performance reasons):
    • Issued token(s)
    • Password history information

Additionally, the WSO2 Privacy Toolkit can be extended to clear privacy data in any relational database or any textual log file, but that is out of the scope of this document.

Info

For more information on this topic, refer to Removing References to Deleted User Identities.
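As an added illustration (not code from the WSO2 Privacy Toolkit or from this documentation), the following Python snippet shows the core of the log anonymization step described above: every standalone occurrence of a deleted user's name in a set of log lines is replaced with one consistent pseudonym, while other users whose names merely start with the same characters are left untouched. The log lines, user names and pseudonym are constructed for the example.

```python
import re
import uuid
from typing import List, Optional, Tuple

# Constructed sample audit-log lines in the style of an identity server log
# (illustrative only, not real WSO2 output).
SAMPLE_LOG: List[str] = [
    "[2018-05-25 10:01:02,123]  INFO {AUDIT_LOG} - Initiator : bob@carbon.super"
    " | Action : Login | Result : Success",
    "[2018-05-25 10:01:05,456]  INFO {AUDIT_LOG} - Initiator : bobby@carbon.super"
    " | Action : Login | Result : Failure",
    "[2018-05-25 10:02:10,789]  INFO {AUDIT_LOG} - Initiator : admin"
    " | Action : Update Claims | Target : bob | Result : Success",
    "[2018-05-25 10:03:00,000]  WARN {Authenticator} - Too many failed attempts for user bobcat",
]


def username_pattern(username: str) -> "re.Pattern[str]":
    """Compile a pattern that matches `username` only where it stands alone.

    A plain word boundary is not enough: user names may contain dots or hyphens,
    and the tenant-qualified form `bob@carbon.super` must still match on `bob`,
    so the boundaries are spelled out. `bobby` and `bobcat` must not match.
    """
    return re.compile(r"(?<![\w.\-@])" + re.escape(username) + r"(?![\w.\-])")


def pseudonymize_lines(lines: List[str], username: str,
                       pseudonym: Optional[str] = None) -> Tuple[List[str], int]:
    """Return the rewritten lines and the number of replacements made.

    One pseudonym (a random UUID unless supplied) is used for every occurrence,
    so the activity trail stays internally consistent without naming the person.
    """
    pseudonym = pseudonym or str(uuid.uuid4())
    pattern = username_pattern(username)
    out: List[str] = []
    total = 0
    for line in lines:
        new_line, n = pattern.subn(pseudonym, line)
        out.append(new_line)
        total += n
    return out, total


if __name__ == "__main__":
    rewritten, count = pseudonymize_lines(SAMPLE_LOG, "bob", pseudonym="u-7f3a")
    print(f"{count} occurrence(s) replaced")
    print("\n".join(rewritten))
```

The mapping from user name to pseudonym must itself be kept out of the logs, otherwise the anonymization is reversible.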


Exercising individual rights

GDPR defines a set of strong individual rights that every data processing organization must facilitate for its users. The Self-care User Portal that ships with WSO2 Identity Server lets users exercise these individual rights themselves. Any organization that deploys WSO2 IS has the Self-care User Portal available by default.

The following features are supported as part of the Self-care User Portal:

  • The right of transparency and modalities - The personal data processing activities carried out by the organization, their purposes and time limits, and what data is stored can be made transparent to users via the IS Self-care User Portal.

  • The right of access - Via the IS Self-care User Portal, users can access and review what personal data is stored by the processing organization.

  • The right to rectification - Individuals can rectify incorrect data on their user profiles themselves by logging into the Self-care User Portal.

  • The right to restrict processing - Individuals can place restrictions on the processing of their user profiles themselves by logging into the Self-care User Portal. Generally, this is done by revoking an already given consent, but it can be extended to other usages as well.

  • The right to be forgotten - Individuals can remove their profile data via the Self-care User Portal, and the portal can be extended to send forget-me requests.

  • The right of notification obligation - The Self-care User Portal can be extended to act as the notification center for individuals.

  • The right to data portability - Individuals can download their user profile in a structured, commonly used and machine-readable JSON document format through the Self-care User Portal.

  • The right to object - The Self-care User Portal can be extended to act as a communication channel for objections to processing.

  • Rights in relation to automated decision making and profiling - The Self-care User Portal can be extended to act as a communication channel for objections to automated decision making and profiling.

The following additional features are also supported in the IS Self-care User Portal:

  • Revoking consent for all or specific attributes
  • Giving an expiry date for a consent

Personal data portability

The ability to download an individual's user profile in a structured, commonly used and machine-readable format is a requirement of GDPR. In WSO2 IS, either of the following options can be used to download a user profile as a structured JSON document:

  1. Logging into the Self-care User Portal
  2. Invoking the personal data export API (a secure RESTful API)

Additionally, GDPR encourages organizations to facilitate automatic provisioning of a user profile from the data processing organization to another organization at the individual's request. The SCIM 2 API supported in WSO2 IS can be used to fulfill this requirement.

Personal data protection

WSO2 IS is subject to regular reviews and updates to keep up with the latest versions of cryptographic algorithms and crypto frameworks. These security updates are delivered through the WSO2 WUM (WSO2 Update Manager) service. Additionally, a number of data encryption and protection features are supported by WSO2 IS.

Supported encryption features for personal data:
  • OAuth2 Access token
  • OAuth2 Refresh token
  • OAuth2 Authorization
  • ID Tokens
  • SAML Responses

Supported hashing features for personal data:
  • User credentials

GDPR also mandates that processing organizations ensure that only authorized staff, on a “need to know” basis, can access individuals' user profile data. Access control features supported in WSO2 IS, such as role-based access control (RBAC) and attribute-based access control, can be used to meet this requirement.

Info

For more information on role-based access control, attribute-based access control and XACML, refer to the Access Control and Entitlement page.

The cookies used

WSO2 Identity Server uses cookies to provide a good user experience. Check out the following table for details.

| Cookie Name | Purpose | Retention |
|---|---|---|
| JSESSIONID | Maintains the session data in order to provide a good user experience. | Session |
| MSGnnnnnnnnnn | Maintains some messages that are shown to you in order to provide a good user experience. The “nnnnnnnnnn” part of the cookie name is a random number, e.g., MSG324935932. | Session |
| requestedURI | The URI you are accessing. | Session |
| current-breadcrumb | Keeps your active page in session in order to provide a good user experience. | Session |
| commonAuthId | Identifies the user session. When a user is authenticated, a session is created and cached; this session's identifier is set in the commonAuthId cookie. | Session |
| obps | Maintains the browser state and stores the OIDC sessions. | Session |