PingDirectory

Example configuration scenarios

Review the following client application scenarios to determine how to configure the Consent Service to meet your business needs.

Directly managed consents

In this scenario, one or more client applications provide an interface for individuals to directly manage their own consent records. These applications can only manage consents for the currently authenticated user. In addition, there’s a client application for consent administrators.

An OAuth 2 authorization server grants access tokens that the applications use to access the Consent API.

Configuration for this scenario includes:

  1. Configure an OAuth 2 authorization server to issue a urn:pingdirectory:consent scope to individuals and a urn:pingdirectory:consent_admin scope to consent administrators.

  2. Create an identity mapper to map subject identifiers used by the authorization server to Lightweight Directory Access Protocol (LDAP) distinguished names (DNs) used by the PingDirectory server.

  3. Configure an access token validator to validate tokens issued by the OAuth 2 authorization server.

  4. Configure the Consent HTTP Servlet Extension to disable HTTP basic authentication and restart the HTTPS Connection Handler.

  5. Configure the Consent Service to use the OAuth scopes and token validator.

Indirectly managed consents (basic authentication)

In this scenario, an application uses a privileged service account to manage its users' consents. The application’s privileged account can access any consent record, which gives the application the ability to perform operations that an individual user can’t.

The following configuration steps describe the setup needed for the PingDirectory server’s Open Banking Account Requests service to use the Consent Service as its backend.

Configuration for this scenario includes:

  1. Create a service account for the application.

  2. Configure the Consent HTTP Servlet Extension to enable HTTP basic authentication and restart the HTTPS Connection Handler.

  3. Create an identity mapper to map the consent record subject and actor attribute values to LDAP DNs.

  4. Configure the Consent Service to use the application’s service account.

  5. Configure the Consent Service to use the identity mapper.