Understanding Federated Authentication and User Identity

Overview

Introduction

The University of Pittsburgh respects your privacy. We have implemented a set of information practices to ensure that it is maintained.

Using federated authentication with other systems, both inside and outside of the University, it may be necessary to store data in your browser using cookies or pass some information about you to the other website. Passing this information to the other site is either necessary to ensure an acceptable user experience or to perform the necessary function of that site.

Detail

Attributes

The Shibboleth Identity Provider has the ability to release selected information (called attributes) about a person to relying applications.

The University of Pittsburgh has joined the InCommon Federation. A federation is an agreement to a certain level of trust with other members of the federation. The federation provides a basic level of trust that can then be augmented by other criteria.

At this time, the University of Pittsburgh may provide the following user attributes to other members of the InCommon federation after a successful authentication:

• eduPersonPrincipalName: This is username@pitt.edu, where username has been replaced with the person's actual username. CDS is the authoritative source for username information. The username is pulled from the CDS username attribute. Then @pitt.edu is added to it.
• mail: This is the individual's advertised email address.
• eduPersonScopedAffiliation: The affiliation information is determined by the enterprise role associated with the individual in CDS. One or more of these values is/are returned: student, faculty, staff, employee, and member. CDS determines an individual's role based upon information provided by the payroll and student information systems.
  
  The table below shows how the individual's role at the University maps to the controlled-vocabulary values required by eduPersonAffiliation.

In addition to the controlled vocabulary choices, the schools or department(s) the person is affiliated with is added to the eduPersonScopedAffiliation attribute. The standard abbreviation concatenated with @pitt.edu for each school or department. The standard department abbreviation is determined from DED table T18205 for Schools and T18321 for Departments.

• displayName: This is displayName attribute for the user account. It is either set within CDS or calculated to be Lastname, Firstname. If the individual is excluded from the public directory, then the value for this "None."
• givenName: This is the individual's first name. If the individual is excluded from the public directory, then the value for this "None."
• sn: The individual's last name or surname. If the individual is excluded from the public directory, the value for this "None."
• eduPersonTargetedID: This is a unique string assigned by the Shibboleth service per user per service. It is made up of numbers, letters, and other characters and contains no personally identifiable information. It is used as an identifier when anonymous access is desired. For example, it can be used for accessing library resources where the SP needs to know that the person is entitled to access but wants it to be impossible to tell which library resources a particular person accessed. It is calculated by hashing the username and a salt value to produce a hash

Additional Attributes

Depending upon the use of the site, additional attributes may need to be released. A review process is in place within the University that includes the associated data stewards to ensure that this information is not release without sufficient cause. A list of Data Stewards is maintained on technology.pitt.edu.

Opting-Out

Students who have opted to not have their directory information shared under FERPA or have hidden their information from the online directory will not have their names sent to any Service Provider. Instead, the name fields will be populated with the word "unknown." For staff and faculty there is no option that users can set to create the same behavior. The only way to prevent sending a "mandatory" attribute is for a user to not use the service.

Cookies

A "cookie" is a piece of data stored on a user's hard drive containing information about the user. The Shibboleth Identity Provider uses cookies to keep track of whether the user has authenticated in the current browsers session. The cookie that is used is a session cookie, and it will be removed from the computer when all browser windows are closed. Cookies must be enabled for the Shibboleth system to work.

Server Logs

The Shibboleth Identity Provider is web application. The web server generally logs activity usage of our websites. Such logging includes, but is not limited to:

• Hostname - The hostname and/or IP address of the user/client requesting access.
• HTTP header, "user-agent" - The user-agent information includes the type of browser, its version, and the operating system it is running on.
• HTTP header, "referrer" - The referrer specifies the page from which the client accessed the current page.
• System date - The date and time of the user/client request.
• Full request - The exact request the user/client made.
• Status - The status code the server returned to the user/client.
• Content length - The content length, in bytes, of the document sent to the user/client.
• Method - The request method used.
• Universal Resource Identifier (URI) - The location of a resource on the server.
• Query string of the URI - Anything after the question mark in a URI.
• Protocol - The transport protocol and version used.

Log Usage

Pitt IT regularly uses analysis and reporting tools to evaluate web server logs to understand usage and effectiveness of our websites. These tools are used to evaluate aggregate usage and analyze trends. Pitt IT, by practice, does not engage in monitoring or tracking the activities of individuals. Pitt IT may use log information in any investigation of a potential violation of University policies and procedures or as required by federal, state or local law.