...
Consent life cycle management
According to GDPR, the consent is defined as “Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. WSO2 IS fully supports for consent management in the context of IS activities and can be used to manage consents from 3rd party applications via secure RESTful consent management API.
When IS is acting as the Identity Provider(IdP), all the user attributes sharing (usually as security tokens such as SAML, IDToken, JWT etc.) with service providers (SP) are based on user consent.
- Gets user consent when IS is storing user attribute profiles based on self-sign up portal or security token received from a federated identity provider.
IS user portal facilitates users to review the already given consents and revoke them, if necessary.
Secure RESTful consent management API can be used to integrate read, modify, and delete consents managed by IS.
- Secure RESTful consent management API facilitates using of IS as the consent lifecycle management solution for 3rd party applications such as web and mobile applications.
Consent receipt specification (draft)
WSO2 IS also support for Consent Receipt Specification draft from Kantara Initiative.
Right to be forgotten
This is one of the most important individual rights defined in GDPR. In simple terms, an individual can request to complete removal his/her their personal data from the processing organizations. According to GDPR, unless there is a clear and valid legal background, processing organizations should fulfill such forget me requests.
WSO2 IS provides out of a box privacy toolkit to remove all identify data from related databases and log files. This toolkit can be run manually by organization administrators or can be automated so that whenever a user profile gets deleted from the system, all the related PII data gets removed from the system.
By considering performance overhead and automation flexibility, this privacy toolkit is run separately from IS runtime. The privacy toolkit is not just limited to the current version of IS rather, it can be used with any new or old WSO2 platform product. Please note that, for older versions of WSO2 products, it is required to download WSO2 Privacy Toolkit from here separately.
When it comes to Right to be forgotten, IS supports the following features:
- Delete the user by “Identity Admin” of the tenant. This will remove the user from any underlying “Read/Write” user store (JDBC/LDAP/AD).
- Anonymize any retained traces of the user activity.
- Log Files
- Analytics data, related to Login, Session, Key Validation, etc.
- Key/Token data held at the Database layer.
- Delete any unwanted data retained in the Database(due to performance reasons)
- Token(s) issued,
- Password History information.
Additionally, WSO2 Privacy Toolkit can be extended to clear privacy data in any relational database or any textual log file but that is out of the scope of this document.
| Info |
|---|
For more information on the topic, refer Removing References to Deleted User Identities |
Exercising individual rights
GDPR defines a set of strong individual rights that every data processing organization should facilitate for their users. The Self-care User Portal available with the WSO2 Identity Server is equipped to exercise these individual rights by users themselves. Any organization that deploys WSO2 IS, will have Self-care User Portal by default.
Following features are supported as part of Self-care User Portal:
- The right of transparency and modalities - Personal data processing activities carried out by the organization, their purposes, and time-limits and what data are stored can be made transparent to users via the IS Self-care User Portal.
- The right of access - Via the IS Self-care User Portal, users can access and review what personal data are stored in the processing organization.
- The right to rectification - Individuals can rectify incorrect data on their user profiles by themselves by logging into Self-care User Portal.
- The right to restrict processing - Individuals can make restrictions on their user profiles by themselves by logging into Self-care User Portal. Generally, this is done through by revoking an already given consent but can be extended to other usages as well.
- The right to be forgotten - Individuals can remove their profile data or can be extended to send forget-me requests via the Self-care User portal.
- The right for notification obligation - The Self-care User Portal can be extended to act as the notification center for individuals.
- The right to data portability - Individuals can download their user profile in a structured, commonly used and machine-readable JSON document format through the Self-care User Portal.
- The right to object - The Self-care User Portal can be extended to act as a communication channel to make objections on processing.
- Rights in relation to automated decision making and profiling - The Self-care User Portal can be extended to act as a communication channel to make objections on automated decision making and profiling.
Following additional features are also supported in IS Self-care User portal.
- Revoking consent for all or specific attributes
- Giving an expiry date for a consent
Personal data portability
Ability to download individual’s user profile as a structured, commonly used and a machine-readable format is a requirement of GDPR. In WSO2 IS, it is possible to use one of the following options to download user profile as a structured JSON document.
By logging into Self-care User Portal
Invoking personal data export API(secure RESTful API)
Additionally, GDPR encourages to facilitate user profile provisioning from the data processing organization to another organization based on individuals requests automatically. SCIM 2 API supported in WSO2 IS can be used to fulfill this requirement.
Personal data protection
WSO2 IS is subjected to regular reviews and updates for latest versions of the crypto algorithm and latest versions of crypto frameworks. These security updates are provided as WSO2 WUM service. Additionally, a number of data encryption and protection features are supported by WSO2 IS.
Supported encryption features for personal data:
OAuth2 Access token
OAuth2 Refresh token
OAuth2 Authorization
ID Tokens
- SAML Responses
Supported hashing features for personal data:
- User credentials
GDPR also mandates processing organizations to make sure only authorized people from the stuff based on “need to know” basic can access to user profile data from individuals. Access control features supported in WSO2 IS such as role-based access control (RBAC), attribute-based access control can be used to cater this requirement.
| Info |
|---|
For more information on Role-based Access control, Attribute-based Access Control, and XACML, refer Access Control and Entitlement page. |
The cookies used
WSO2 Identity Server uses cookies to provide a good user experience. Check out the following cookies:table for details.
| Cookie Name | Purpose | Retention |
|---|---|---|
JSESSIONID | This |
maintains the session data in order to provide a good user experience. | Session |
MSGnnnnnnnnnn | This |
maintains some messages that are shown to you in order to provide a good user experience. The “nnnnnnnnnn” reference in this cookie represents a random number, e.g., MSG324935932. | Session | |||
requestedURI | This is the URI you are accessing. | Session | ||
current-breadcrumb | This is to keep your active page in session in order to provide a good user experience. | Session | ||
| commonAuthId | This identifies the user session.
| Session | ||
| obps | This is to maintain the browser state and to store the OIDC sessions. | Session |