OneTrust Connector
The OneTrust connector lets you use OneTrust to manage receipts for user consent in your PingOne DaVinci flow.
With OneTrust as part of your user privacy and data governance solution, this connector lets you track whether a user has consented to a specific document, such as your terms and conditions. Specifically, the connector can create a consent receipt or get an existing consent receipt.
Setup
Resources
For information and setup help, see the following:
- OneTrust documentation (sign on required)
- DaVinci documentation:
Setting up OneTrust consent management
- Set up consent management in OneTrust as shown in Consent Management.
  For your Collection Point, use the following settings:
  - Choose the Custom API type.
  - On the Collection Points → <your collection point> → Settings tab, turn on Enable Consent Withheld Transactions on this Collection Point.
- Create client credentials as shown in Managing OAuth 2.0 Client Credentials, with the following settings:
  - Access Token Lifetime: 1 hour
  - Restrict IP Addresses: Off
  - Scopes:
    - CONSENT
    - CONSENT_READ
  Note your client ID and secret. You’ll use them to set up the connector configuration.
Configuring the OneTrust connector
Add the connector in DaVinci as shown in Adding a connector, then configure it as follows.
Connector configuration
Client ID
The client ID you created in Setting up OneTrust consent management.
Client Secret
The client secret you created in Setting up OneTrust consent management.
Setting up PingOne
The example flows below use the PingOne user directory to store consent receipts. To use the provided flow templates:
- If you don’t have an existing PingOne connection in DaVinci, set up the PingOne connector, including the required PingOne setup.
- In PingOne, add a user attribute to hold a list of the user’s consent receipts. For help, see Adding user attributes. Use the following details:
  - Attribute Type: JSON
  - Name: consentReceipts
  - Select Allow multiple values
Setting up OneTrust URL variables in DaVinci
The flow templates provided below use variables to populate your organization’s OneTrust URLs.
To use the flow templates, set the following variables in DaVinci.
For help, see Adding a variable in the DaVinci documentation.
Name | Variable Context | Data Type | Example Value |
---|---|---|---|
| company | string | https://yourorganization-privacy.my.onetrust.com |
| company | string | https://yourorganization.my.onetrust.com |
| company | string | https://yourorganization-privacy.my.onetrust.com |
Using the connector in a flow
Creating a consent receipt
This flow collects the user’s consent and user ID, checks that the user account exists, and sends the consent and user information to OneTrust. After OneTrust generates a consent receipt, the flow adds the new receipt to the user’s list of existing receipts and updates the user account in PingOne.
This flow uses PingOne as an example user directory. You can modify the flow to use a different directory.
- Download the OneTrust - New consent receipt flow template. For help, see Using DaVinci flow templates.
- Customize the consent form:
  - Select the Consent Form node.
  - In the HTML Template field, modify the HTML to include the text of the terms and conditions (or other document) that you want consent for, and modify the example form controls to show the relevant "purposes", "options", and "custom preferences" in your OneTrust consent management scheme.
    - Click Switch View to see the HTML formatted with syntax highlighting.
    - Click the Maximize icon to give yourself more room to work.
    - To access a variety of useful tools, right-click the field when you’re in syntax highlighting mode (dark background).
  - In the Output Fields List section, edit the Property Name of the purposes, options, and custom preferences to match the element IDs of the purposes and options you included in the HTML form. Remove any unwanted properties by clicking Edit at the end of the list.
  - Click Apply.
- Add the IDs for your OneTrust purposes, options, and custom preferences.
  The flow uses a custom function to match the consent form inputs with the IDs of your OneTrust consent management elements. The function then builds a purposes object that is ready to send to OneTrust.
  - In OneTrust, get the id value for each purpose, option, and custom preference you want to use:
    - Go to the OneTrust Universal Consent & Preference Management portal. For example, https://company.my.onetrust.com/consent.
    - For purposes, see Purposes → <your purpose> → Details → Purpose ID.
    - For custom preferences, see Purposes → <your purpose> → Custom Preferences → ID. Also, go to Options and note the options listed.
    - For options, see Collection Points → <your collection point> → Integrations → Example Payload. Match the IDs under Options with the options that you noted in the Custom Preferences view.
  - Select the Combine Form Results node.
  - In the Variable Input List section, edit the Variable Name of the purposes, options, and custom preferences to match the Property Name in your Consent Form node. In the Value field, click {} and select the matching variable from your Consent Form node. Remove any unwanted properties by clicking Edit at the end of the list.
  - In the Code field, modify the code to use the name and ID of your own purposes, options, and custom preferences and remove unused elements.
  - Click Apply.
- Configure the OneTrust node:
  - Select the OneTrust node.
  - In the API Token field, enter the API token from Collection Points → Integrations → Your API Token in OneTrust.
  - Modify the Additional Data Elements list to reflect the data elements you included when configuring your collection point in OneTrust. To see the data elements, go to Collection Points → Details → Configuration → Data Elements.
  - Click Apply.
- Test the flow:
  - Click Save, Deploy, then Run.
  - On the consent form, enter the email address for one of the identities in your PingOne directory, select the purposes, options, and custom preferences, then click I Agree.
  - See the resulting consent receipt, including the receipt ID.
    Note the value of x-onetrust-receiptId. You’ll use this to test the "Get information about an existing consent receipt" use case below.
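The mapping step in the procedure above (form inputs matched to OneTrust IDs, then assembled into a purposes object), sketched as an added example that is not the flow template's own code. The form field names, the placeholder IDs, the output field names and the two transaction-type strings are assumptions; take the real ones from your collection point's Example Payload.

```javascript
// Added example (not the flow template's code). All IDs are constructed placeholders.
// Assumption: Id / TransactionType / CustomPreferences / Options and the two
// transaction-type strings mirror your collection point's Example Payload; verify there.
const TX_GIVEN = "CONFIRMED";
const TX_WITHHELD = "NOTGIVEN";

const PURPOSE_MAP = {
  termsAndConditions: { id: "00000000-0000-4000-8000-000000000001", prefs: {} },
  marketingEmail: {
    id: "00000000-0000-4000-8000-000000000002",
    prefs: {
      contactFrequency: {
        id: "00000000-0000-4000-8000-000000000010",
        options: {
          weekly: "00000000-0000-4000-8000-000000000011",
          monthly: "00000000-0000-4000-8000-000000000012",
        },
      },
    },
  },
};

const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function buildPurposes(form) {
  // Fail closed on any field the map does not know, so a tampered form
  // cannot add extra keys to the consent record.
  const known = new Set(Object.keys(PURPOSE_MAP));
  for (const p of Object.values(PURPOSE_MAP)) Object.keys(p.prefs).forEach((k) => known.add(k));
  for (const key of Object.keys(form)) {
    if (!known.has(key)) throw new Error(`unexpected form field: ${key}`);
  }
  return Object.entries(PURPOSE_MAP).map(([name, purpose]) => {
    // Only a literal boolean true is consent; "true", "on", 1 or a missing field are not.
    if (form[name] !== true) return { Id: purpose.id, TransactionType: TX_WITHHELD };
    const CustomPreferences = Object.entries(purpose.prefs)
      .filter(([prefName]) => own(form, prefName))
      .map(([prefName, pref]) => ({
        Id: pref.id,
        Options: [].concat(form[prefName]).map((label) => {
          if (!own(pref.options, label)) throw new Error(`unknown option: ${label}`);
          return pref.options[label];
        }),
      }));
    return { Id: purpose.id, TransactionType: TX_GIVEN, CustomPreferences };
  });
}
```

Preferences are attached only to purposes the user actually agreed to, so a withheld purpose is recorded without any option IDs.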
Getting information about an existing consent receipt
You can use a receipt ID to check for an existing consent receipt in OneTrust. This allows you to check whether a user has consented to your terms before using your service, for example.
- Download the OneTrust - Consent receipt retrieval flow template. For help, see Using DaVinci flow templates.
- Test the flow:
  - Click Save, Deploy, then Run.
  - In the Enter Receipt ID form, enter the receipt ID that you copied from your test run of the Creating a consent receipt flow. Click Next.
  - See the receipt information.
Capabilities
Create Consent Receipt
Create Receipt from a Collection Point
Properties
- Privacy Portal Domain (textField, required): The URL of your OneTrust Privacy Portal, such as "https://company-privacy.my.onetrust.com".
- API Token (textField, required): Your OneTrust API token.
- User Identifier (textField, required): The unique identifier for the user, such as a username or user ID.
- Additional Data Elements (keyValueList): Additional information collected about the user.
- Purposes (textField, required): The flow variable that contains the “purposes” to associate with the consent.
Input Schema
- default (object)
  - privacyPortalDomain (string, required): Data Subject Portal Domain
  - apiToken (string, required): API Token
  - userIdentifier (string, required): User identifier
  - dataElements (array, required): Data Elements
    - items (array)
      - type (object)
  - purposes (string, required)
Output Schema
- output (object)
  - rawResponse (object)
    - properties (object)
      - access_token (string)
      - refresh_token (string)
      - id_token (string)
      - token_type (string)
      - expires_at (number)
  - statusCode (number)
  - headers (object)
  - claims (object)
    - properties (object)
      - moc (string)
      - sub (string)
      - attachments
      - notes
      - syncGroup
      - iss
      - language
      - processVersion (number)
      - enableParentPrimaryIdentifiers (boolean)
      - authenticationRequired (boolean)
      - dynamicCollectionPoint (boolean)
      - processId (string)
      - dsDataElements (array)
        - items (array)
          - type (string)
      - doubleOptIn (boolean)
      - consentType (string)
      - additionalIdentifiers (object)
      - iat (string)
      - customPayload
      - jti (string)
      - policy_uri
      - identifier (string)
      - parentPrimaryIdentifiersType
      - gacString
      - tcStringV2
      - reconfirmActivePurpose (boolean)
      - allowNotGivenConsents (boolean)
      - notices (array)
      - isAnonymous (boolean)
      - multipleIdentifierTypes (boolean)
      - purposes (array)
        - items (array)
          - type (object)
          - properties
      - tenantId (string)
      - overrideActivePurpose (boolean)
      - parentPrimaryIdentifiers (array)
      - otJwtVersion (number)
      - enableGeolocation (boolean)
Get Receipt Information
Get Receipt Information
Properties
- Application Domain (textField, required): The URL of your OneTrust domain, such as "https://company.my.onetrust.com".
- Receipt ID (textField, required): The flow variable that contains the unique identifier for the consent receipt.
- Include "Consent Not Given" Transactions (toggleSwitch): When enabled, OneTrust returns results for transactions where the user did not provide consent.
Input Schema
- default (object)
  - applicationDomain (string, required): Application Domain
  - clientId (string, required): Client ID
  - clientSecret (string, required): Client Secret
  - receiptId (string, required): Receipt ID
  - includeNotGiven (boolean, required): Include Not Given Transactions
Output Schema
- output (object)
  - collectionPointName (string)
  - attributes (object)
  - collectionPointType (string)
  - collectionPointUUID (string)
  - collectionPointVersion (number)
  - consentCreationDate (string)
  - customPayload (string)
  - dataSubjectIdentifier (string)
  - dataSubjectIdentifierHash (string)
  - doubleOptIn (boolean)
  - unsubscribeAll (boolean)
  - id (string)
  - interactionDate (string)
  - isAnonymous (boolean)
  - language (string)
  - origin (string)
  - otJwtVersion (number)
  - purposes (array)
    - items (array)
      - type (object)
      - properties
  - receiptJwt (string)
  - test (boolean)