One-Way Federation

One-Way Federation (OWF) is an enhancement to Harvard's authentication system. OWF allows users to choose a preferred login type when logging into Harvard-protected applications instead of forcing the use of a single credential.

Current options for OWF login types include the following:

  • HarvardKey
  • HUID (Harvard University ID)
  • eCommons (Harvard Medical School community)
  • XID (eXtended Identifier)

Not all Harvard-protected sites opt to offer all credential types as login options, but a sample login screen may look something like this to the end user:

HarvardKey login screen

OWF supports the University's goal of allowing users to work productively across Harvard systems and applications using a smaller number of IDs and passwords than what's historically been needed. Users can use an ID/password pair that may be more familiar to them, increasing both convenience and security.

Want to learn more about one-way federation in an in-use setting? Read this case study on how HMS used OWF to allow users to log in to Harvard-protected sites using their eCommons credentials.


Why aren't all ID types used across Harvard supported?
OWF is an interim step in a larger plan to allow a user to use their home institution's login and password for a large set of applications. While HUIT may increase the number of options available on the login screen, we are hard at work at a larger plan that will provide an even bigger benefit to users.

Is OWF implementation right for my School/unit/group's login type?
As noted above, IAM is currently implementing solutions that will make login easier for many members of the Harvard community. For example, if your School, unit or group will be joining Harvard's large-scale migration to a single Office 365 system, those user IDs and passwords will already be supported under OWF. There may also be other options for creating an easier login experience for your users without the need to implement OWF for your users' specific login type. Please contact

I want to implement OWF for my School/unit/group's login type. What should I do next?
Email to start the conversation. We'll be in touch to discuss timeframe, technical requirements and procedures, and any special requirements specific to your case.

I'm an application owner. I don't want to accept a credential that hasn't been directly entered by the user. How do I get my app out of OWF?
There is an exception process. Contact to discuss.

Source: Marlena Erdos