Consent management provides users with choice and control over sharing their personal data and establishes trust between the users and the service provider. The following sections explain how WSO2 Identity Server handles consent management within the single-sign-on (SSO) authentication flow.
Consent management flow for SSO
This section guides you through the consent management flow for SSO authentication.
- For more information on SSO authentication, see the Configuring Single Sign-On tutorial.
- For more information about consent management concepts and other use cases of consent management with WSO2 IS, see Consent Management Overview.
- Consent management is enabled by default in WSO2 Identity Server. If you wish to disable it, see Disabling consent management for SSO.
When configuring claims for a service provider, the identity admin can specify requested claims and mandatory claims that determine what user information the service provider requires. This claim configuration governs what user attributes the user is prompted to consent to.
Note: "Requested Claims" are the claims the service provider asks for. Marking a claim as a "Mandatory Claim" ensures that WSO2 IS always sends a value for that claim to the service provider. When a user logs in to this service provider and no value is available for one of the mandatory claims, the user is prompted to provide it at login, as shown in the image below.
When a user authenticates to the relevant application, the service provider requests the user information represented by these claims.
The user is prompted to consent to sharing the requested personal information with the service provider. Depending on their preference, users choose which attributes to share with the service provider and which to withhold by selecting or deselecting the relevant claims. A sample user consent request screen is shown below.
Note the following:
- To proceed with the authentication flow, the user must select all mandatory claims (marked with *) and approve the consent request. The user cannot proceed with authentication without giving consent for the mandatory claims.
- If a claim does not have a display name specified, the claim URI appears on the screen instead. You can specify a claim's display name by navigating to Claims > List in the management console and clicking Edit next to the claim.
Once the user approves sharing the attributes, WSO2 Identity Server stores the consent against the user and the application. The user is therefore not prompted for consent again unless one of the following occurs:
- The user has revoked consent for the application. For more information on revoking user consent, see Configuring consent for services.
- The application requires new mandatory claims that the user has not consented to previously. If the service provider requests new mandatory claims, the user is prompted to provide consent only for the newly added mandatory claims.
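The decisions described above (collect missing mandatory values before showing the consent screen, prompt for every requested claim on first login, re-prompt only for newly added mandatory claims, refuse a submission that deselects a mandatory claim, and start over after revocation) can be modelled in a few functions. The block below is an added illustration written for this page, not WSO2 Identity Server source; the claim dialect and claim URIs, the in-memory consent store and the Travelocity-style service provider in the usage section are all assumptions.

```python
"""Illustrative model of the SSO consent decisions described above.
Added example code, not WSO2 Identity Server source. The claim dialect,
claim URIs and the in-memory consent store are assumptions."""

from dataclasses import dataclass

DIALECT = "http://wso2.org/claims"      # assumed local claim dialect
FULLNAME = DIALECT + "/fullname"
EMAIL = DIALECT + "/email"
PHONE = DIALECT + "/telephone"           # assumed optional claim


@dataclass(frozen=True)
class ServiceProviderClaims:
    """Claims a service provider is configured to request.
    A mandatory claim is always also a requested claim."""
    requested: frozenset
    mandatory: frozenset

    def __post_init__(self):
        if not self.mandatory <= self.requested:
            raise ValueError("mandatory claims must be a subset of requested claims")


def missing_mandatory_values(sp, profile):
    """Mandatory claims the user has no value for. These are collected on a
    separate screen before the consent screen is shown."""
    return {c for c in sp.mandatory if not profile.get(c)}


def claims_to_prompt(sp, consented):
    """Claims the consent screen should list.

    consented is the set previously approved for this (user, app). It is
    empty when the user has never consented or has revoked consent, in
    which case every requested claim is shown. Otherwise only mandatory
    claims added since the last approval are shown; new optional claims
    do not trigger a prompt."""
    if not consented:
        return set(sp.requested)
    return set(sp.mandatory) - consented


def approve(sp, prompted, selected):
    """Validate a consent submission and return the claims to record.

    The user may deselect optional claims, but every mandatory claim on
    the screen must be selected or authentication cannot proceed."""
    if not selected <= prompted:
        raise ValueError("selected claims were not on the consent screen: %r"
                         % sorted(selected - prompted))
    missing = (prompted & sp.mandatory) - selected
    if missing:
        raise PermissionError("consent required for mandatory claims: %r"
                              % sorted(missing))
    return set(selected)


def next_step(sp, profile, consent_store, user, app):
    """What happens after credentials are verified: ('collect_values', claims),
    ('consent', claims to show) or ('proceed', empty set)."""
    missing = missing_mandatory_values(sp, profile)
    if missing:
        return "collect_values", missing
    prompt = claims_to_prompt(sp, consent_store.get((user, app), set()))
    if prompt:
        return "consent", prompt
    return "proceed", set()


def record_consent(consent_store, user, app, claims):
    """Persist approved claims for the (user, app) pair."""
    consent_store.setdefault((user, app), set()).update(claims)


def revoke_consent(consent_store, user, app):
    """Drop the stored consent so the next login prompts for everything."""
    consent_store.pop((user, app), None)


if __name__ == "__main__":
    # Constructed walk-through with a Travelocity-like service provider.
    store = {}
    travelocity = ServiceProviderClaims(
        requested=frozenset({FULLNAME, EMAIL, PHONE}),
        mandatory=frozenset({FULLNAME, EMAIL}))
    alice = {FULLNAME: "Alice Example", EMAIL: "alice@example.com"}
    step, shown = next_step(travelocity, alice, store, "alice", "travelocity")
    print(step, sorted(shown))                      # consent, all three claims
    record_consent(store, "alice", "travelocity",
                   approve(travelocity, shown, {FULLNAME, EMAIL}))  # phone opted out
    print(next_step(travelocity, alice, store, "alice", "travelocity"))  # proceed
```

Note that a user who opted out of an optional claim is not asked about it again on later logins; only a claim newly marked mandatory, or a revocation, reopens the consent screen.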
Trying out consent management for SSO
Before you begin
Configure the Travelocity sample app as a service provider in WSO2 Identity Server. For more information on how to do this, see the Configuring Single Sign-On tutorial.
Configure the following service provider claims:
- http://<claim_dialect>/claims/fullname (mandatory claim)
- http://<claim_dialect>/claims/email (mandatory claim)
Access the following URL: http://wso2is.local:8080/travelocity.com.
You are directed to the following page.
Click the Click here to login with SAML from Identity Server link. You are redirected to WSO2 Identity Server for authentication.
Enter the user credentials and click Submit.
Once you have provided the correct credentials, you are redirected to the consent request screen for approval.
Note: The consent screen appears only if the user has already entered values for the mandatory claims. If any of these values is missing (e.g., if Email is a mandatory claim, but the user has not yet provided an email address), a screen appears where the user must enter those values before the consent screen will appear.
Select the claims that you consent to share with the Travelocity application and click Approve. You must select all mandatory claims to successfully complete the authentication. After providing consent, you are redirected to the Travelocity application home page.
For more information on revoking/accepting user consent, see Configuring consent for services.
Disabling consent management for SSO
You can disable consent management for the product using the following global configuration (applies to all tenants). Once consent management is disabled, the user will not be prompted to provide consent during authentication.
Open the identity.xml file found in the <IS_HOME>/repository/conf/identity directory. Locate the <Consent> tag and set the SSO consent management property within it to false.
To re-enable consent management for SSO, you can set the above configuration to true.
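The following excerpt is an added example of what the edited <Consent> element looks like with SSO consent switched off; it is not copied from this page. The property name EnableSSOConsentManagement is the one found in WSO2 IS 5.x identity.xml files, but confirm it against the file in your own distribution, and restart the server after the change so it takes effect.

```xml
<!-- <IS_HOME>/repository/conf/identity/identity.xml (excerpt, added example) -->
<Consent>
    <!-- false: users are not shown the consent screen during SSO
         authentication and no consent is recorded for the login.
         Set back to true to restore the prompt. Applies to all tenants. -->
    <EnableSSOConsentManagement>false</EnableSSOConsentManagement>
</Consent>
```

Because the switch is global, disabling it removes the per-user consent record for every application on the server; prefer leaving it enabled and tuning the requested and mandatory claims per service provider if only some applications should skip the prompt.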