IAM IdP Attribute Release

The Harvard IAM Shibboleth identity provider (IdP) can be used by non-Harvard applications to authenticate users. Harvard applications are applications that are operated by a University IT group or are operated by a vendor that is contracted by Harvard to provide a service for the University. Any other applications are considered non-Harvard applications.

Personally identifiable information (PII) provided by the Shibboleth IdP is in the form of "attributes." InCommon defines the attributes that may be supported by Shibboleth IdPs here.

The Harvard Shibboleth IdP has been configured to allow any InCommon service provider (SP) to use the Harvard IdP for authentication, but, in such a case, the IdP is configured to release a unique ID for the user being authenticated. The unique ID used is the eduPersonPrincipalName (ePPN). Harvard's IdP uses what appears to be a long, random set of characters as the ePPN. This ePPN does not contain any information that could be used to identify the individual being authenticated.

Any InCommon SP that requires additional information other than the ePPN is manually configured, and is listed below, along with the additional information provided. You should not make use of a non-Harvard application if you are uncomfortable with the information about you that is released to that application.

InCommon Service Providers Requesting Additional Attributes

  • California Digital Library: Email address
  • HathiTrust: Affiliation
  • Harvard Computer Society: Name, email address
  • Interfolio: Name, email address