IBM Security Verify

 View Only

Configuring EULA in OpenID Connect Application for Pre-Login Consent

By Sameer Kapadia posted Sun January 28, 2024 09:48 PM

  

Co-Authored By Tushar Prasad

Imagine an application where users are required to acknowledge and agree to an End-User License Agreement (EULA) before gaining access to the services it offers. IBM Security Verify SaaS takes user privacy and consent seriously, offering a streamlined experience for Administrators and/or Application Owners to effortlessly configure EULAs or specify data purposes for any of their OpenID Connect applications.

With IBM Security Verify SaaS, Application Owners have the flexibility to request consents for EULAs and/or data purposes, in addition to the standard OpenID Connect scopes or any other custom request parameters, ensuring a comprehensive approach to user consent. This article aims to guide you through the process of seamlessly integrating data privacy and consenting capabilities, allowing users to agree to terms of use before logging into your OpenID Connect Applications. Learn how to record user consent and implement appropriate actions for their next login, enhancing the overall privacy and security of your application.

Workflow:

GOAL:

Ask consent for EULA before logging in OpenID Connect application.

Here is an example of a consent page displayed to end-users when the EULA is configured within the OpenID Connect application

Assumed Knowledge:

Able to create and configure OpenID Connect Application in Security Verify SaaS.

Configuring EULA in Security Verify SaaS:

1. Tenant Admin or Privacy Officer logs into the Security verify tenant - https://<TENANT>/ui/admin

2. Create your first EULA:

3. Publish the EULA

Configuring OpenID Connect Application in Security Verify SaaS:

 * This blog assumes you've already created an OIDC application on the tenant. The following steps will guide you through configuring the application to leverage the EULA feature.

Attaching EULA:

Alongside EULA, you can also include data purposes configured by the privacy officer or admins of the tenant. The steps for configuring both EULA and data purposes remain the same.

To know more about Data Purposes - https://docs.verify.ibm.com/verify/docs/privacy-and-consent 

Configuring Sign-On tab:

Application URL is the single sign-on initialization URL that is used to log in to the OpenID Connect relying party. When users access the application through this URL, they are redirected to Verify for authentication.

More details here - https://www.ibm.com/docs/en/security-verify?topic=ss-configuring-openid-connect-single-sign-in-custom-application

1.   Ensure that User Consent is set to Ask for Consent (Default option)

2.  For the sake of simplicity Restrict Custom Scopes is not selected here (Default is selected). If restrict custom scopes are selected then ensure that custom scopes are correctly configured or any scopes passed into the authorization request are not accepted.

Configuring scopes on relying party:

Scope configuration varies among applications. The example above for configuring scopes on IBM Security Verify Access is just illustrative, showcasing the required format for specifying EULA as a scope.

To configure EULA the format is “<eula_id>/.”  Where <eula_id> can be found at:

Security Verify Admin Console -> Data privacy & consent -> EULA agreements -> View EULA

Similarly, data purposes can be configured alongside EULA. For instance, if the application intends to utilize the user's email for promotional activities and seeks consent for such usage.

To configure data purpose the format is “<purpose_id>/<attribute>.<access_type>

User experience when end-user tries to login to an application:

End-users initiate login by accessing the application URL configured in the sign-on tab of the OIDC application within Security Verify SaaS.

Subsequently, users will be redirected to Security Verify for Single Sign-On.

This article showcases a straightforward integration of IBM Security Verify's data privacy and consenting features with OpenID Connect Application Single Sign-On, providing a clearer understanding of these crucial functionalities. Lastly, taking a step further, application owners can easily configure data purposes alongside EULAs with their applications.

0 comments
22 views

Permalink