
WORK IN PROGRESS.....

The terms of use part of the consent module in version 3 of the Shibboleth IdP software is a simple way to comply with the AL1 and AL2 acceptable use policy criteria. This HowTo describes how to implement this module for SWAMID IdPs. It assumes that you already have a working IdP. We strongly recommend using the IdP installer.

The terms of use part of the consent module requires an additional database storage service in which to store terms of use records. This is in addition to the persistent id table created by the IdP installer.

Configure a storage service

The full instructions are at https://wiki.shibboleth.net/confluence/display/IDP30/StorageConfiguration. We are going to create a JPAStorageService. 

Create an extra database (storageservice) and table (StorageRecords). We are using MySQL. Code for other databases is available at https://wiki.shibboleth.net/confluence/display/IDP30/StorageConfiguration#StorageConfiguration-JPAStorageService. Here is the MySQL table definition:

CREATE TABLE `StorageRecords` (
  `context` varchar(255) NOT NULL,
  `id` varchar(255) NOT NULL,
  `expires` bigint(20) DEFAULT NULL,
  `value` longtext NOT NULL,
  `version` bigint(20) NOT NULL,
  PRIMARY KEY (`context`,`id`)
);
Make sure the shibboleth database user has SELECT, INSERT, UPDATE and DELETE access to storageservice.StorageRecords, and nothing more.
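As an added example (not from the SWAMID page or the Shibboleth project), the MySQL statements that create the storageservice database and a least-privilege account for the IdP, plus a query for inspecting the records the consent module writes. It assumes the StorageRecords table above already exists, that the IdP connects from localhost as user 'shibboleth' (matching the global.xml data source below), and that `expires` holds a Java millisecond timestamp (an assumption; check against your records).

```sql
-- Added example, not part of the original HowTo. Run as a MySQL administrator.
CREATE DATABASE IF NOT EXISTS storageservice
  DEFAULT CHARACTER SET utf8mb4;

-- The password here is a placeholder; the real value is what goes into
-- p:password in conf/global.xml. Restrict the account to local connections.
CREATE USER IF NOT EXISTS 'shibboleth'@'localhost'
  IDENTIFIED BY 'REPLACE-WITH-STRONG-PASSWORD';

-- Only the four DML privileges the storage service needs, on this one table:
-- no DDL, no GRANT OPTION, no access to other databases.
GRANT SELECT, INSERT, UPDATE, DELETE
  ON storageservice.StorageRecords
  TO 'shibboleth'@'localhost';

-- Verify that the grant is scoped as intended before starting the IdP.
SHOW GRANTS FOR 'shibboleth'@'localhost';

-- After the first terms-of-use acceptance, records appear here. The value
-- column holds the serialized consent record; only a prefix is shown.
-- FROM_UNIXTIME(expires / 1000) assumes millisecond timestamps (see lead-in).
SELECT context,
       id,
       FROM_UNIXTIME(expires / 1000) AS expires_at,
       version,
       LEFT(value, 60) AS value_prefix
  FROM storageservice.StorageRecords
 ORDER BY expires IS NULL, expires;
```

CREATE USER ... IF NOT EXISTS requires MySQL 5.7.6 or later; on older servers drop the IF NOT EXISTS clause.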
Download the libraries the JPAStorageService data source needs. In this example we use the HikariCP JDBC connection pool, http://brettwooldridge.github.io/HikariCP/ . Note that the MySQL JDBC driver (com.mysql.jdbc.Driver, referenced in the configuration below) must also be on the IdP classpath.
Place the HikariCP jar file in the edit-webapp/WEB-INF/lib directory and run bin/build.sh to rebuild the war file.
Add the following to conf/global.xml (assumes MySQL):
<bean id="shibboleth.JPAStorageService.EntityManagerFactory"
      class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
    <property name="persistenceUnitName" value="storageservice" />
    <property name="packagesToScan" value="org.opensaml.storage.impl" />
    <property name="dataSource" ref="shibboleth.JPAStorageService.DataSource" />
    <property name="jpaVendorAdapter" ref="shibboleth.JPAStorageService.JPAVendorAdapter" />
    <property name="jpaDialect">
        <bean class="org.springframework.orm.jpa.vendor.HibernateJpaDialect" />
    </property>
</bean>

<bean id="shibboleth.JPAStorageService.JPAVendorAdapter"
      class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
    <property name="database" value="MYSQL" />
</bean>

<bean id="shibboleth.JPAStorageService.DataSource"
      class="com.zaxxer.hikari.HikariDataSource" destroy-method="close" lazy-init="true"
      p:driverClassName="com.mysql.jdbc.Driver"
      p:jdbcUrl="jdbc:mysql://localhost:3306/storageservice"
      p:username="shibboleth"
      p:password="XXXX" />

Configure the consent module

Full instructions are available at https://wiki.shibboleth.net/confluence/display/IDP30/ConsentConfiguration#ConsentConfiguration-TermsOfUseConsent

To enable terms of use consent, edit conf/relying-party.xml and change:

<bean parent="Shibboleth.SSO" />
<bean parent="SAML2.SSO" />
to
<bean parent="Shibboleth.SSO" p:includeAttributeStatement="true" p:postAuthenticationFlows="terms-of-use" />
<bean parent="SAML2.SSO" p:postAuthenticationFlows="terms-of-use"/>

The default configuration for the IdP is a per-SP terms of use: the terms of use are displayed separately for each relying party the user visits. That may be the correct configuration for you, but here we are going to change it so that the terms of use are displayed once, regardless of which relying party is visited first.

Configure the terms of use messages in messages/consent-messages.properties. Change to a "site-wide" configuration with a single key, like this:

kau-tou = kau-tou-1
kau-tou-1.title = Allmänna regler för all användning av användarkonton och datornät vid...
kau-tou-1.text = Användning av [ORGANISATION] datornät syftar till att underlätta \

and update the text to suit your needs. Use the SWAMID template Acceptable Use Policy for inspiration!

To configure a single terms of use page for every relying party, override shibboleth.consent.terms-of-use.Key in conf/intercept/consent-intercept-config.xml. Change:

<alias alias="shibboleth.consent.terms-of-use.Key" name="shibboleth.RelyingPartyIdLookup.Simple" /> 

to

<bean id="shibboleth.consent.terms-of-use.Key" class="com.google.common.base.Functions" factory-method="constant">
    <constructor-arg value="kau-tou"/>
</bean>