author: Mikaël Ates <mates@entrouvert.com> 2011-12-14 18:33:22 (GMT)
committer: Mikaël Ates <mates@entrouvert.com> 2011-12-14 18:33:22 (GMT)
commit: 2e5bf62fb78306fc7915e3c13f1555fac94e53b2 (patch)
tree: 2f11e190d2b2e4bd1dc37b69c3fbf30634cc33af /doc
parent: 80b468344e96b62a63d5dc15119d3f9ad382988e (diff)
[doc] Consent management doc page.
Diffstat (limited to 'doc')
-rw-r--r-- doc/attribute_management.rst | 3
-rw-r--r-- doc/consent_management.rst | 84
-rw-r--r-- doc/index.rst | 2
-rw-r--r-- doc/pictures/attributes_consent.png | bin 0 -> 96399 bytes
-rw-r--r-- doc/pictures/federation_consent_idp.png | bin 0 -> 71081 bytes
-rw-r--r-- doc/pictures/federation_consent_sp.png | bin 0 -> 96436 bytes
6 files changed, 89 insertions, 0 deletions
diff --git a/doc/attribute_management.rst b/doc/attribute_management.rst
index 93b6ac3..b095d41 100644
--- a/doc/attribute_management.rst
+++ b/doc/attribute_management.rst
@@ -22,6 +22,9 @@ the user session.
Attributes can thus be proxyfied during SSO with Authentic2
configured as a SAML2 proxy.
+*If there is no attribute policy associate with a service provider, no
+attribute is forwarded to it.*
+
The namespace of attributes received from another SAML2 IdP and of attributes
pushed in the assertion given to service providers can be configured per
attribute or per service provider.
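Review bot: grammar in the added emphasised note, "no attribute policy associate with a service provider" should read "associated with". The same sentence is added verbatim in consent_management.rst; state it once here and point the other page at it with a :ref: to a label on this section (the new page already defines a `consent_management` label, so the convention is in use) so the two copies cannot drift apart. It is also worth saying explicitly that this is a deny-by-default behaviour: forwarding nothing when no policy exists is the property a deployer will look for when auditing what a service provider can receive.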
diff --git a/doc/consent_management.rst b/doc/consent_management.rst
new file mode 100644
index 0000000..f082bd4
--- /dev/null
+++ b/doc/consent_management.rst
@@ -0,0 +1,84 @@
+.. _consent_management:
+
+================================
+Consent Management in Authentic2
+================================
+
+What is the SAML2 federation consent aka account linking consent?
+=================================================================
+
+At the first single sign on process on the identity provider side, the user
+may be asked if she agrees to federation its local account with the remote
+account on the service provider side.
+
+The account linking also called a federation means that the nameID is
+persistent and will link the two accounts. This signed identifier allows to
+the service provider to login the user without reauthentication during the
+following single sign on process.
+
+How the consent is collected is determined by the identity provider. The
+service provider receives in the authnRequest the consent attribute
+indicating how the user consent was managed.
+
+
+Account linking consent management on the identity provider side
+================================================================
+
+The consent is managed per service provider according to the options policy
+that applies to the service provider.
+
+The parameter 'Ask user for consent when creating a federation' determine
+if the user consent must be asked to the user.
+
+.. image:: pictures/federation_consent_idp.png
+ :width: 800 px
+ :align: center
+
+*Take care that is the identity provider provides the service provider with
+a transient nameID, there is no account linking, so there is no need for a
+consent.*
+
+*The user consent is only asked once. In other words, if the user already has
+a federation, the consent won't be asked anymore.*
+
+If the policy requires the user consent, this can be bypassed using the signal
+'avoid_consent'.
+
+Account linking consent management on the service provider side
+===============================================================
+
+The service provider may refuse a valid single sign on if the user consent
+was not asked.
+
+The parameter 'Require the user consent be given at account linking' of the
+identity provider options policy determine the service provider behavior.
+
+.. image:: pictures/federation_consent_sp.png
+ :width: 800 px
+ :align: center
+
+How manage attribute forwarding consent?
+========================================
+
+*If there is no attribute policy associate with a service provider, no
+attribute is forwarded.*
+
+When an attribute policy applies you can configure the consent rules per
+service provider.
+
+The choices are:
+
+- Don't ask the user consent
+- Ask the consent in all-or-nothing mode
+- Allow attribute selection
+
+To ask the user consent, tick the parameter 'Ask the user consent before
+forwarding attributes' of the attribute policy that applies to the service
+provider.
+
+To allow the attribute selection on the attribute consent page, tick the
+parameter 'Allow the user to select the forwarding attributes'.
+
+.. image:: pictures/attributes_consent.png
+ :width: 800 px
+ :align: center
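Review bot: the third paragraph says "The service provider receives in the authnRequest the consent attribute", but the AuthnRequest is the message the service provider sends; the consent indication set by the identity provider reaches the service provider in the SAML Response, so this should read "receives in the Response the Consent attribute". The paragraph on the 'avoid_consent' signal documents a way to bypass a user-consent control without saying which code may connect a handler to it or what the handler must return; since this is an override of a consent decision, name the signal's sender and return convention so an administrator knows where to look when checking whether consent is silently skipped for a given service provider. The transient nameID note is a useful caveat; consider also stating that a transient nameID therefore also yields no persistent link to audit. Minor wording: "agrees to federation its local account" -> "agrees to federate her local account"; "Take care that is the identity provider provides" -> "Take care that if the identity provider provides"; "determine" -> "determines" (in both parameter sentences); "associate with" -> "associated with"; "How manage attribute forwarding consent?" -> "How to manage attribute forwarding consent?".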
diff --git a/doc/index.rst b/doc/index.rst
index e3c5d90..ced4366 100644
--- a/doc/index.rst
+++ b/doc/index.rst
@@ -62,6 +62,8 @@ Documentation content
attributes_in_session
+ consent_management
+
Copyright
=========
diff --git a/doc/pictures/attributes_consent.png b/doc/pictures/attributes_consent.png
new file mode 100644
index 0000000..608335e
--- /dev/null
+++ b/doc/pictures/attributes_consent.png
Binary files differ
diff --git a/doc/pictures/federation_consent_idp.png b/doc/pictures/federation_consent_idp.png
new file mode 100644
index 0000000..e409540
--- /dev/null
+++ b/doc/pictures/federation_consent_idp.png
Binary files differ
diff --git a/doc/pictures/federation_consent_sp.png b/doc/pictures/federation_consent_sp.png
new file mode 100644
index 0000000..3e10616
--- /dev/null
+++ b/doc/pictures/federation_consent_sp.png
Binary files differ