Identity Beyond Borders

Identity and access management is taking over and is a key enabler to build agile businesses. Open source IAM specifically is becoming a game changer. Learn from IAM experts at WSO2 as to why IAM is all the rage and how it can help empower your enterprise.


Consent Management in WSO2 Identity Server

Gangani Chamika
Identity Beyond Borders
6 min read · Feb 28, 2021

Nowadays data privacy has gained massive attention and crucial value, which has resulted in many data regulations that let users take ownership of their own data and control how businesses utilize it. Therefore, to accommodate this increased user awareness, businesses need to provide significant transparency about the consumer data they collect and the way that data is going to be used. At this point, consent management steals the spotlight: it defines the strategy for gaining the consumer’s consent to manage, use, store or share the consumer’s data. Through this blog, I’m going to explore how WSO2 Identity Server provides consent management.

First things first, let’s get to know how the GDPR defines ‘consent’.

“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

Ok ok :) I will simplify the definition for you… It demands that consent is given freely, as a genuine choice, and that it is specific about its purpose. Furthermore, consent should be clearly informed, so that the data subject understands what exactly is being shared and for what purpose. Moreover, the responsible party should ask the consumer for consent by a statement or by a clear affirmative action.

Before moving into the details, you need to know how you are going to benefit from consent management.

  • Prevents losses due to non-compliance penalties and lawsuits.
  • Seamlessly integrates compliance and consent best practices within your web/mobile applications.
  • Helps you stay ahead of the curve as newer regulations are announced, or existing ones are updated.
  • Provides your customers with a platform to provide consent and manage the disclosure of their personal data.
  • Manages consent data to be business and audit-ready in near real-time.

The WSO2 IS consent management module, which complies with the Kantara Consent Receipt Specification, provides the following key features.

  • Consent Management REST APIs.
  • Users can manage the consents they have already given through the MyAccount portal by reviewing, modifying, and revoking them.
  • Organizations can define and manage consent, data processing purposes, and user attributes per consent through the Admin Portal.
  • Collects consent during single sign-on (SSO) before sharing the user data with applications.

Let’s get familiar with the following terms which are commonly used in consent management.

  • Personally Identifiable Information (PII): Any information that can be used to identify the PII Principal to whom the information relates.
  • PII Principal: The natural person to whom the personally identifiable information (PII) relates.
  • Consent: A Personally identifiable information (PII) Principal’s freely given, specific, and informed agreement to the processing of their PII.
  • Purpose: The business, operational or regulatory requirement for the collection, use, and/or disclosure of a PII Principal’s data. In other words, it is the reason personal information is collected by the entity.
  • Consent Receipt: A record of a consent interaction (or consent record summary linked to the record of the consent) provided by a PII Principal to a PII Controller to collect, use and disclose the PII Principal’s PII in accordance with an agreed set of terms.
  • PII Controller: A private stakeholder that determines the purposes and means for processing personally identifiable information (PII) other than the natural persons who use data for personal purposes.
  • PII Processor: A private stakeholder that processes personally identifiable information (PII) on behalf of and in accordance with the instructions of a PII controller.

Consent management use cases

WSO2 IS supports the following consent management use cases.

  • Handling consent when creating a new user profile

When creating a user profile through the self sign-up process, the purposes for collecting consent are shown to the user as consents, along with the user attributes for each purpose, and the user can selectively opt in to or opt out of those purposes. WSO2 IS provides the MyAccount user portal, which users can use to review or revoke the consent they have given.

  • Handling consent when sharing user attributes

The organization’s administrator can define purposes, as well as the user attributes, on a service provider using the WSO2 IS admin console or via APIs. During the SAML SSO and OpenID Connect SSO flows, the consent screen is prompted to the user. Here too, users can review or revoke the consent they have given through the WSO2 IS My Account portal.

  • Manage consents that belong to third-party applications
  • Support for Kantara consent receipt (draft) specification

Consent Management APIs

As mentioned earlier, WSO2 Identity Server supports REST APIs for consent management that comply with the consent receipt specification. The implementation can be found here; see also the Consent Management APIs Swagger Documentation. The REST APIs can be customized using the following extension points:

Managing Consent Purposes

When sharing user attributes with external applications in the single sign-on authentication flow, the DEFAULT purpose is used by the WSO2 IS resident identity provider, which acts as the IdP for SSO authentication. This DEFAULT purpose includes all the PII categories. Check Consent Management with Single Sign-On for more information. Also, check Managing Consent Purposes to get to know how consent purposes can be added using the management console.

Consent management flow for SSO

  • Through the service provider configurations, the identity admin can configure claims for a service provider by specifying the requested and mandatory claims to accommodate the user information required by the application. During SSO, the user is prompted to consent to sharing the configured user attributes.

  • Requested Claims: The claims that are requested by the service provider.
  • Mandatory Claims: The claims that definitely require a value to be sent to the service provider. When the user logs in to the application, if there is no value set for a mandatory claim, the user is prompted to provide one.

  • As shown below, while the user is being authenticated for the particular application, the user is asked for consent to share the requested personal information with the service provider.
  • Based on his/her preference, the user can give consent for some attributes to be shared with the service provider and deny consent for other claims.
  • After the user gives consent, WSO2 IS stores the consent in relation to the user and the application. From then on, the user is not asked for consent again unless the user has revoked consent for the application or the application requires other claims that the user has not consented to previously.
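The SSO consent decision described in the steps above, as an added example that is not WSO2 Identity Server code: a simplified model with hypothetical names (ServiceProviderClaims, ConsentStore, claims_needing_consent, complete_login) that assumes consent is stored per user and application as the set of approved claim URIs, and shows when the user is re-prompted, what is released after a partial denial, and how a missing mandatory claim surfaces.

```python
from dataclasses import dataclass, field

# Claim URIs in the style of the WSO2 IS local claim dialect (constructed sample values).
EMAIL = "http://wso2.org/claims/emailaddress"
GIVEN_NAME = "http://wso2.org/claims/givenname"
COUNTRY = "http://wso2.org/claims/country"


@dataclass
class ServiceProviderClaims:
    requested: set   # claims the application asks for
    mandatory: set   # subset that must carry a value before login completes


@dataclass
class ConsentStore:
    # (username, application) -> set of claims the user agreed to share.
    # Assumption of this model: only approved claims are recorded.
    records: dict = field(default_factory=dict)

    def consented(self, user, app):
        return set(self.records.get((user, app), set()))

    def revoke(self, user, app, claims=None):
        """Revoke consent for the whole application, or only for the given claims."""
        if claims is None:
            self.records.pop((user, app), None)
        else:
            self.records[(user, app)] = self.consented(user, app) - set(claims)


def claims_needing_consent(store, user, app, sp):
    """Claims the consent screen must show: requested ones with no stored consent.
    An empty result means the user is not prompted again on this login."""
    return sp.requested - store.consented(user, app)


def complete_login(store, user, app, sp, profile, approved):
    """Record the user's decision, then work out what the IdP may release.
    Returns (released_claims, missing_mandatory): only consented claims that
    have a value in the profile are released; mandatory claims without a
    value are reported so the user can be asked to supply one."""
    newly_approved = set(approved) & sp.requested
    store.records[(user, app)] = store.consented(user, app) | newly_approved
    allowed = sp.requested & store.consented(user, app)
    released = {c: profile[c] for c in allowed if profile.get(c)}
    missing = {c for c in sp.mandatory if not profile.get(c)}
    return released, missing
```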

Manage Consent via My Account portal

Users can manage the already given consent through the My Account portal. As shown in the following image, the user can revoke the already given consent for the personal details that he/she has agreed to share or can revoke the given consent for the application which will remove the consent for all the user attributes.

Disabling consent management for SSO

If it is required to disable consent management for the product, the following configuration needs to be added to the deployment.toml file found in the <IS_HOME>/repository/conf/ directory; this applies to all tenants. After you disable consent management, the user is not asked for consent during authentication.

[authentication.consent]
prompt = false

If it is required to disable consent during the login and logout flows separately per service provider, you can disable it through the Service Provider configurations. Tick “Skip Login Consent” and/or “Skip Logout Consent” under the ‘Local & Outbound Authentication Configuration’ section according to your requirement.

Hope now you have a better understanding of WSO2 Identity Server Consent Management :)
