Terms of use module in Shibboleth IdP


The terms of use part of the consent module in the IdP software is a simple way to comply with the AL1, AL2 & AL3 acceptable use policy criteria. This HowTo describes how to implement this module for SWAMID IdPs. It assumes that you already have a working IdP. We strongly recommend using the IdP installer.

The terms of use part of the consent module requires an additional database storage service in order to store terms of use records. This is in addition to the persistent id table created by the IdP installer. 

Configure a storage service

Instructions for configuring the storage service can be found on the JPA Storage Service page.

Configure the consent module

Full instructions are available at https://wiki.shibboleth.net/confluence/display/IDP30/ConsentConfiguration#ConsentConfiguration-TermsOfUseConsent

To enable terms of use consent, edit conf/relying-party.xml and change:

<bean parent="Shibboleth.SSO" />
<bean parent="SAML2.SSO" />

to

<bean parent="Shibboleth.SSO" p:postAuthenticationFlows="terms-of-use" />
<bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use" />

If the two beans already carry a postAuthenticationFlows value (for example attribute-release, if attribute consent is enabled), add terms-of-use to that list instead of replacing it; the property accepts a list of intercept flow ids.

By default the IdP keys terms of use per relying party: acceptance is recorded separately for each service provider, so the user is shown the terms again the first time they visit each new relying party. That may be the right configuration for you, but here we change it so that the terms of use are shown once, regardless of which relying party the user visits first.

Configure the terms of use messages in messages/consent-messages.properties. Change to a "site-wide" configuration like this:

kau-tou = kau-tou-1
kau-tou-1.title = General rules for all use of user accounts and computer networks at...
kau-tou-1.text = Use of the [ORGANISATION] computer network is intended to facilitate \

and update the text to suit your needs. The first line maps the key (kau-tou, which the consent intercept configuration below returns for every relying party) to a message id; the .title and .text of that id are what the user sees, and a key without a matching entry gives the user nothing to accept. Use the SWAMID template Acceptable Use Policy for inspiration!

To configure a single terms of use page for every relying party, override shibboleth.consent.terms-of-use.Key in conf/intercept/consent-intercept-config.xml. Change:

<alias alias="shibboleth.consent.terms-of-use.Key" name="shibboleth.RelyingPartyIdLookup.Simple" /> 

to

<bean id="shibboleth.consent.terms-of-use.Key" class="com.google.common.base.Functions" factory-method="constant">
<constructor-arg value="kau-tou"/>
</bean>

Configure idp.properties to use the storage service

idp.consent.StorageService = shibboleth.JPAStorageService
# -1 = no limit on the number of stored consent records
idp.consent.maxStoredRecords = -1
# ISO 8601 duration; P1Y (one year) is the default
idp.consent.storageRecordLifetime = P1Y
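The four files edited above only work together if they agree: the constant returned by the shibboleth.consent.terms-of-use.Key bean must have a matching entry in consent-messages.properties, that entry must chain to an id with both a title and a text, both SSO profiles must run the terms-of-use flow, and idp.properties must point at the JPA store with a bare ISO 8601 lifetime. The Python script below is an added example, not part of this HowTo or of the Shibboleth software: it parses constructed copies of the four fragments (shaped like the snippets above, with a made-up message text) and reports where they disagree. The hypothetical key kau-aup is constructed to show the mismatch case. On a real IdP you would read the files from $IDP_HOME/conf and $IDP_HOME/messages instead of the embedded strings.

```python
"""Cross-check the terms-of-use settings this HowTo edits. Added example, not
part of the SWAMID HowTo or of Shibboleth; the file contents are constructed
samples (on a real IdP read them from $IDP_HOME/conf and $IDP_HOME/messages)."""
import re
import xml.etree.ElementTree as ET

BEANS = "http://www.springframework.org/schema/beans"
P = "http://www.springframework.org/schema/p"
SSO_PARENTS = ("Shibboleth.SSO", "SAML2.SSO")
TOU_KEY_BEAN = "shibboleth.consent.terms-of-use.Key"
ISO_DURATION = re.compile(r"P(?=\S)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(\d+H)?(\d+M)?(\d+S)?)?")

# Constructed sample: the two SSO profile beans after adding the flow.
RELYING_PARTY_XML = f"""<beans xmlns="{BEANS}" xmlns:p="{P}">
  <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="terms-of-use" />
  <bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use" />
</beans>"""

# Constructed sample: the site-wide constant key bean from the HowTo.
CONSENT_INTERCEPT_XML = f"""<beans xmlns="{BEANS}">
  <bean id="{TOU_KEY_BEAN}" class="com.google.common.base.Functions"
        factory-method="constant">
    <constructor-arg value="kau-tou"/>
  </bean>
</beans>"""

# Constructed failure case: a hypothetical key 'kau-aup' with no messages entry.
MISMATCHED_INTERCEPT_XML = CONSENT_INTERCEPT_XML.replace('"kau-tou"', '"kau-aup"')

# Constructed messages/consent-messages.properties with a backslash continuation.
CONSENT_MESSAGES = """\
kau-tou = kau-tou-1
kau-tou-1.title = General rules for all use of accounts and networks
kau-tou-1.text = Use of the university network is intended to facilitate \\
    research, teaching and administration.
"""

# Constructed idp.properties lines from the HowTo.
IDP_PROPERTIES = """\
idp.consent.StorageService = shibboleth.JPAStorageService
idp.consent.maxStoredRecords = -1
idp.consent.storageRecordLifetime = P1Y
"""

def parse_properties(text):
    """Minimal java.util.Properties reader with backslash line continuation."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + (raw.lstrip() if pending else raw)
        if line.endswith("\\"):  # value continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def sso_post_auth_flows(xml_text):
    """Map each SSO profile bean's parent to its list of post-auth flow ids."""
    flows = {}
    for bean in ET.fromstring(xml_text).iter(f"{{{BEANS}}}bean"):
        if bean.get("parent") in SSO_PARENTS:
            value = bean.get(f"{{{P}}}postAuthenticationFlows", "")
            flows[bean.get("parent")] = [f.strip() for f in value.split(",") if f.strip()]
    return flows

def terms_of_use_key(xml_text):
    """Constant site-wide key, or None if the per-relying-party default still applies."""
    for bean in ET.fromstring(xml_text).iter(f"{{{BEANS}}}bean"):
        if bean.get("id") == TOU_KEY_BEAN and bean.get("factory-method") == "constant":
            arg = bean.find(f"{{{BEANS}}}constructor-arg")
            return None if arg is None else arg.get("value")
    return None

def check_terms_of_use(relying_party_xml, intercept_xml, messages_text, props_text):
    """Return a list of problems; an empty list means the four pieces agree."""
    problems = []
    flows = sso_post_auth_flows(relying_party_xml)
    for parent in SSO_PARENTS:
        if "terms-of-use" not in flows.get(parent, []):
            problems.append(f"{parent}: terms-of-use not in postAuthenticationFlows")
    key = terms_of_use_key(intercept_xml)
    messages = parse_properties(messages_text)
    if key is None:
        problems.append("terms of use are still keyed per relying party")
    elif key not in messages:
        problems.append(f"key {key!r} has no entry in consent-messages.properties")
    else:  # the key must chain to an id that carries both a title and a text
        for suffix in ("title", "text"):
            if not messages.get(f"{messages[key]}.{suffix}"):
                problems.append(f"{messages[key]}.{suffix} is missing or empty")
    props = parse_properties(props_text)
    if props.get("idp.consent.StorageService") != "shibboleth.JPAStorageService":
        problems.append("idp.consent.StorageService is not the JPA storage service")
    if not ISO_DURATION.fullmatch(props.get("idp.consent.storageRecordLifetime", "")):
        problems.append("idp.consent.storageRecordLifetime is not a bare ISO 8601 duration")
    return problems
```

Calling check_terms_of_use(RELYING_PARTY_XML, CONSENT_INTERCEPT_XML, CONSENT_MESSAGES, IDP_PROPERTIES) returns an empty list for the consistent samples; swapping in MISMATCHED_INTERCEPT_XML reports the unmatched key, and a lifetime such as "P1Y (default 1 year)" with the comment left on the property line is flagged because the whole value, not just the prefix, must be a duration.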