PingDirectory

General Consent Service configuration

The Consent Service configuration is used to control authorization behavior and determines where consent records are stored in the PingDirectory server.

You configure the Consent Service properties using the dsconfig set-consent-service-prop command. You can also use the Consent Service configuration script to configure these properties, as shown in the following example.

$ bin/dsconfig set-consent-service-prop \
  --set enabled:true \
  --set base-dn:ou=consents,dc=example,dc=com \
  --set "bind-dn:cn=consent service account" \
  --set unprivileged-consent-scope:urn:pingdirectory:consent \
  --set privileged-consent-scope:urn:pingdirectory:consent_admin \
  --set "consent-record-identity-mapper:User ID Identity Mapper"

Consent Service properties

Property: enabled
Required to enable service: Yes
Description: If set to true, the property enables the Consent Service for handling client requests.

Property: base-dn
Required to enable service: Yes
Description: Specifies a container distinguished name (DN) for consent record entries.

Property: bind-dn
Required to enable service: Yes
Description: Specifies an internal service account used by the Consent Service to perform LDAP operations.

Property: service-account-dn
Required to enable service: No
Description: Specifies one or more DNs of requesters that are considered privileged when using basic authentication. If not defined, a requester is only considered privileged if it’s mapped to a DN with the bypass-acl privilege.

Property: unprivileged-consent-scope
Required to enable service: Yes
Description: Specifies the name of the scope required for bearer tokens representing unprivileged requesters.

Property: privileged-consent-scope
Required to enable service: Yes
Description: Specifies the name of the scope required for bearer tokens representing privileged requesters.

Property: consent-record-identity-mapper
Required to enable service: No
Description: Specifies one or more identity mappers used to map consent record subject and actor values to DNs. By default, these values are inferred from the authentication context, such as the bearer token subject.

Property: audience
Required to enable service: No
Description: Specifies an audience claim value that the Consent Service requires to be present in bearer tokens that it accepts.
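As an added example (not from the PingDirectory documentation or product), the following Python script checks a set of Consent Service properties against the required/optional split in the table above and renders the matching dsconfig command, shell-quoting each value so that DNs and identity mapper names containing spaces are passed intact, as the page's own example does. The DN shape check, the list handling for multi-valued properties such as service-account-dn, and the complaint when both scopes are identical are this example's own assumptions, not rules stated on this page.

```python
import shlex

# Property names come from the table on this page; the required/optional
# split is the table's "Required to enable service" column.
REQUIRED = ("enabled", "base-dn", "bind-dn",
            "unprivileged-consent-scope", "privileged-consent-scope")
OPTIONAL = ("service-account-dn", "consent-record-identity-mapper", "audience")
DN_PROPS = ("base-dn", "bind-dn", "service-account-dn")

# Constructed input matching the dsconfig example on this page.
EXAMPLE = {
    "enabled": "true",
    "base-dn": "ou=consents,dc=example,dc=com",
    "bind-dn": "cn=consent service account",
    "unprivileged-consent-scope": "urn:pingdirectory:consent",
    "privileged-consent-scope": "urn:pingdirectory:consent_admin",
    "consent-record-identity-mapper": "User ID Identity Mapper",
}


def _values(props, name):
    """Normalise a single value or a list of values to a list (assumption:
    multi-valued properties such as service-account-dn are given as lists)."""
    value = props.get(name)
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def looks_like_dn(value):
    """Cheap shape check, not a full RFC 4514 parser: every comma-separated
    RDN must be attr=value with a non-empty attribute type."""
    return all("=" in rdn and rdn.split("=", 1)[0].strip()
               for rdn in value.split(","))


def validate(props):
    """Return a list of problems; an empty list means the property set is
    complete enough to enable the service."""
    problems = []
    for name in REQUIRED:
        if not _values(props, name):
            problems.append(f"missing required property: {name}")
    for name in props:
        if name not in REQUIRED + OPTIONAL:
            problems.append(f"unknown property: {name}")
    if props.get("enabled") not in (None, "true", "false"):
        problems.append("enabled must be true or false")
    for name in DN_PROPS:
        for dn in _values(props, name):
            if not looks_like_dn(dn):
                problems.append(f"{name} does not look like a DN: {dn!r}")
    unpriv = props.get("unprivileged-consent-scope")
    priv = props.get("privileged-consent-scope")
    if unpriv is not None and unpriv == priv:
        # Added sanity check (assumption): identical scope names would erase
        # the privileged/unprivileged distinction the two properties exist for.
        problems.append("privileged and unprivileged scopes must differ")
    return problems


def build_command(props):
    """Render the dsconfig invocation shown on this page, one --set per
    value, with each argument shell-quoted so spaces survive intact."""
    problems = validate(props)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["bin/dsconfig set-consent-service-prop"]
    for name in props:
        for value in _values(props, name):
            arg = shlex.quote(f"{name}:{value}")
            lines.append(f"--set {arg}")
    return " \\\n  ".join(lines)


if __name__ == "__main__":
    print(build_command(EXAMPLE))
```

Running the script prints the same command as the page's example, with the bind DN and mapper name single-quoted; passing an incomplete dictionary to build_command raises a ValueError listing every missing required property, which is more useful in automation than discovering the gap later when the service reports itself unavailable.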

For the Consent Service to report itself as available to clients:

  • The Consent Service must be enabled.

  • The Consent Service base DN must be configured and must exist.

  • The internal service account must be configured and exist.

  • The internal service account must have the right to read, add, modify, and delete entries under the Consent Service base DN.