User Data Privacy Protection

SiX IDaaS & IAM implements a Privacy-by-Design framework for both platform-native and federated Identity Providers (IdPs). This framework empowers granular data governance through the use of OAuth 2.0 scopes, ensuring that client applications can only access user data that has been explicitly authorized and consented to.

Enforcing the Consent Process

To ensure users have full transparency over their shared data, administrators can enable a formal consent workflow during the client integration process.

1. Configure the OAuth Client

During OAuth client registration in the SiX IDaaS & IAM Console, administrators can activate the "Require explicit authorization consent?" option.

When enabled, the IdP will intercept authentication requests and present a formal authorization prompt to the user, listing every individual scope (data attribute) the application is requesting.

2. User Authorization Prompt

Once the configuration is active, users will be presented with a consent screen during their first login to a specific application. This allows users to review and approve the specific data points—such as email, profile info, or custom attributes—being shared.

3. JWT Claims Validation

To maintain the integrity of the privacy framework, the IdP ensures that user data is only delivered via the JWT Scopes Claim.

Best Practice for IdP Owners: To maintain a high standard of privacy, IdP administrators must configure the system to strictly sanitize all outgoing tokens. The Identity Provider (IdP) is responsible for ensuring that the requested user info contains only the specific user profile attributes that correspond to the scopes explicitly approved by the user during the consent step.