Page created: 22 Jul 2020 | Page updated: 12 Dec 2022
The Consent Service configuration is used to control authorization behavior and
determines where consent records are stored in the PingDirectory Server.
The service properties are set with the dsconfig set-consent-service-prop
command. A consent service configuration script sets them as follows:
```shell
$ bin/dsconfig set-consent-service-prop \
--set enabled:true \
--set base-dn:ou=consents,dc=example,dc=com \
--set "bind-dn:cn=consent service account" \
--set unprivileged-consent-scope:urn:pingdirectory:consent \
--set privileged-consent-scope:urn:pingdirectory:consent_admin \
--set "consent-record-identity-mapper:User ID Identity Mapper"
```
The following table describes the Consent Service properties.
Property | Description | Required to enable service |
---|---|---|
enabled | If set to true, enables the Consent Service for handling client requests. | Yes |
base-dn | Specifies a container DN for consent record entries. | Yes |
bind-dn | Specifies an internal service account used by the Consent Service to perform LDAP operations. | Yes |
service-account-dn | Specifies one or more DNs of requesters that will be considered privileged when using basic authentication. If not defined, a requester will only be considered privileged if it is mapped to a DN with the bypass-acl privilege. Optional. | No |
unprivileged-consent-scope | Specifies the name of the scope required for bearer tokens representing unprivileged requesters. | Yes |
privileged-consent-scope | Specifies the name of the scope required for bearer tokens representing privileged requesters. | Yes |
consent-record-identity-mapper | Specifies one or more identity mappers used to map consent record subject and actor values to DNs. By default, these values are inferred from the authentication context, such as the bearer token subject. Optional. | No |
audience | Specifies an audience claim value that the Consent Service will require to be present in bearer tokens that it accepts. Optional. | No |
For the Consent Service to report itself as available to clients, the following must be true:
- The Consent Service must be enabled.
- The Consent Service base DN must be configured and must exist.
- The internal service account must be configured and must exist.
- The internal service account must have the right to read, add, modify, and delete entries under the Consent Service base DN.
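The following is an added example, not part of the PingDirectory documentation or product: a small Python checker that parses the dsconfig set-consent-service-prop command above and applies the static part of the availability conditions (the properties marked required are present, enabled is true, DN-valued properties look like DNs). The function names, the DN heuristic and the identical-scope lint are assumptions of this example; whether the base DN and service account exist and have the right access can only be verified against the running server.

```python
import shlex

# Properties the table above marks "Required to enable service".
REQUIRED = ("enabled", "base-dn", "bind-dn",
            "unprivileged-consent-scope", "privileged-consent-scope")

# Constructed sample: the set-consent-service-prop command from this page, kept as
# a raw string so the backslash line continuations survive as in a script file.
SAMPLE_SCRIPT = r"""$ bin/dsconfig set-consent-service-prop \
--set enabled:true \
--set base-dn:ou=consents,dc=example,dc=com \
--set "bind-dn:cn=consent service account" \
--set unprivileged-consent-scope:urn:pingdirectory:consent \
--set privileged-consent-scope:urn:pingdirectory:consent_admin \
--set "consent-record-identity-mapper:User ID Identity Mapper"
"""

def parse_set_props(script: str) -> dict:
    """Collect name -> value from each '--set name:value' argument. Only the first
    ':' splits name from value, so urn:pingdirectory:consent keeps its colons."""
    tokens = shlex.split(script.replace("\\\n", " "))  # join continued lines
    props = {}
    for i, tok in enumerate(tokens[:-1]):
        if tok == "--set":
            name, _, value = tokens[i + 1].partition(":")
            props[name.strip()] = value.strip()
    return props

def check_consent_config(props: dict) -> list:
    """Static checks on the parsed properties; returns a list of findings (empty
    when all pass). Whether the base DN and service account exist, and whether the
    account can read/add/modify/delete under the base DN, needs the live server."""
    findings = []
    for name in REQUIRED:
        if not props.get(name):
            findings.append(f"missing required property: {name}")
    if "enabled" in props and props["enabled"].lower() != "true":
        findings.append("enabled is not true, so the service will not be available")
    for name in ("base-dn", "bind-dn", "service-account-dn"):
        if name in props and "=" not in props[name]:
            findings.append(f"{name} does not look like a DN: {props[name]!r}")
    # Lint (an assumption of this example, not a documented rule): if both scope
    # names are identical, nothing separates unprivileged from privileged tokens.
    unpriv = props.get("unprivileged-consent-scope")
    if unpriv and unpriv == props.get("privileged-consent-scope"):
        findings.append("unprivileged and privileged consent scopes are identical")
    return findings
```

Running check_consent_config(parse_set_props(SAMPLE_SCRIPT)) on the page's command returns an empty list; feed it the contents of your own configuration script to review it before applying it.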