Extended Identifiers (XIDs) are credentials that help web-based applications uniquely tag users. The XID system allows users who do not have a Harvard ID to register for an ID number that can be used for authentication with University-secured applications. The XID authentication service is fully integrated with Harvard's authentication system. XID users are seamlessly authenticated as if they are HarvardKey holders. However, applications registered with Harvard's authentication system must specifically opt in to allow XID holders to be able to authenticate to their application. XIDs are obtained via a self-service application or provided to individuals by registered XID managers. Users can access the XID management site at https://xid.harvard.edu/xid-apps/.
Key points about the XID credential itself:
- Helps ID and authenticate users who do not have HUIDs
- It is never an 8-digit number
- Structurally, has the same features as HarvardKey
- A user may have multiple XIDs
- XID holders self register, so identity assurance is low
Applications can use three web-based services with XID:
- An XID generation and management service
- An XID authentication service (that Harvard's authentication system uses)
- An XID attribute lookup service (via LDAP)
Harvard Sites Using XID
- Countway Library's e-Resources
- Technology Services for IBM PC Procurement
- Software Licensing
Why create a second system of ID — aren't HUIDs good enough?
Web-based applications at Harvard University have typically been exposed only to users with a strong affiliation with Harvard. These users are eligible to get a Harvard University ID (HUID). However, as the number of Harvard services provided on the Web increases, service and application owners find themselves catering to a growing population of users who are not eligible to receive an HUID.
If you are an application owner, and your users now or may eventually include these populations, you may want to consider accepting XID as well as HUID/HarvardKey:
- Users ineligible to receive a HUID
- Users unwilling to supply, or unable to verify, a Date of Birth or Social Security Number (thus making them ineligible for a HUID)
Note that some user populations are granted a temporary HUID. If this does not satisfy the needs of your application, accepting XID may be a good choice.
I have a HarvardKey. Can I also get an XID?
Yes. There are two primary reasons that HarvardKey holders may also want to get an XID:
- Relative anonymity (HUIDs are tied to a person, a process that includes identity-proofing; XIDs are tied to a digital identity, which also means that a user may have more than one XID.)
- XID accounts may be shared by a group of users
Are there different kinds of XIDs?
Not to an application. However, from a security standpoint, maybe: Some XIDs may belong to self-registered users, while others may be created by XID managers who verify users' information before creating the credential.
Who is an XID manager?
XID managers are capable of creating managed XIDs, editing the XIDs that they manage, transferring control of XIDs to other managers, and setting expiration dates on XIDs they control. However, they cannot create or set the password for an XID (although they can ask the system to reset it to a random value). Only XID administrators can create XID managers. If you would like to be an XID manager, please contact firstname.lastname@example.org.
How does an application differentiate between managed XIDs and self-service XIDs?
There is a different set of attributes based on the type of XID. For managed XIDs, the harvardEduIdOwner attribute in the people branch of LDAP will have a value different from the harvardEduId.
How do I know if an application is XID-enabled?
If an application you are trying to log in to supports XID, there will be an option for you to choose XID as a credential in the login window. On a HarvardKey login page, there will be a tab for HarvardKey and another for XID.
Does supporting XIDs make my application insecure?
No. Remember, simply enabling XID support for your application should not grant every XID holder access to the application. While authenticating a user is the Harvard authentication system's responsibility, authorizing access to your application is yours — for instance, you could simply authorize only the set of users whose IDs you have stored in your application, or you could use a more sophisticated mechanism for authorization. (For more on the difference between authentication and authorization, see our guide Getting Started with Authentication.)
Does the creation of XIDs make all applications using Harvard's authentication system inherently insecure?
No. Applications have the option of deciding whether or not they want to support XID at all — and those applications that do support XID have the responsibility to further authorize the users that Harvard's authentication system has authenticated for them.
As an XID holder, what are my responsibilities?
- Once you are issued an XID, activate it as soon as you have the opportunity.
- Keep your XID attributes up to date, especially your email address.
- Do not share your password with anyone.
- Do not share your challenge/response information with anyone.
- Reuse your existing XID rather than creating one for each application you access.
- Treat your XID, its password, and your challenge/response information as the keys to your digital identity.
As an XID manager, what are my responsibilities?
- Make sure users are aware that you can help them create or edit their XID profiles.
- Be approachable to users who may wish to come to you with XID-related questions.
- Verify a user's physical credentials (ID, email, etc.) before creating a managed XID.
- Verify a user's physical credentials (ID, email, etc.) before editing any XID.
- Be willing to transfer control of a user's XID to another manager if the user feels the other manager is better suited to help them.
- Set expiration dates on all XIDs that you control.
- Be available to reset XID passwords at users' request.
- Do not share your manager credentials with anyone unless you are acting as part of a group — and, if so, share only with bona fide group managers.
As the owner of an application that supports XIDs, what are my responsibilities?
- Be sure to authorize all authenticated users before letting them into your site.
- Make sure to clearly communicate the means of getting an XID to any non-HarvardKey users.
- If you would like to map IDs to real people, make sure you or someone you know is an XID manager, and you only let XID holders created or owned by this manager into your site.
- If list-based authorization is insufficient for your purposes, then create, populate, and maintain a profile database that can be used to authorize users.
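The following is an added illustration, not code from the XID service or from Harvard, of the two points above: telling a managed XID from a self-service one by comparing the harvardEduIdOwner and harvardEduId attributes from the people branch of LDAP (see "How does an application differentiate between managed XIDs and self-service XIDs?"), and then applying the application's own deny-by-default authorization to an ID that Harvard's authentication system has already authenticated. The directory entries, the in-memory lookup in place of a real LDAP query, the manager IDs, the allowlist and the ID formats are all constructed for the example; only the two attribute names and the rule that an XID is never an 8-digit number come from the page.

```python
"""Authorization after authentication for an XID-enabled application.

Constructed example; not the XID service's own code. Assumes a directory
lookup returning the LDAP attributes named on the page (harvardEduId and
harvardEduIdOwner). Every ID value below is invented.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the people branch of the directory, keyed by ID.
# The attribute names come from the page; the values are made up.
SAMPLE_DIRECTORY = {
    "x-selfreg-001": {"harvardEduId": "x-selfreg-001", "harvardEduIdOwner": "x-selfreg-001"},
    "x-managed-002": {"harvardEduId": "x-managed-002", "harvardEduIdOwner": "m-libmgr-01"},
    "x-managed-003": {"harvardEduId": "x-managed-003", "harvardEduIdOwner": "m-other-02"},
    "x-selfreg-004": {"harvardEduId": "x-selfreg-004"},  # owner attribute absent
}


def is_huid(identifier: str) -> bool:
    """An XID is never an 8-digit number, so an 8-digit ID is treated as a HUID."""
    return len(identifier) == 8 and identifier.isdigit()


def xid_owner(entry: dict) -> Optional[str]:
    """Return the managing XID manager's ID for a managed XID, else None.

    A managed XID carries a harvardEduIdOwner different from its harvardEduId.
    A self-service XID either lacks the attribute or is its own owner (assumed
    representation for the self-service case).
    """
    owner = entry.get("harvardEduIdOwner")
    if owner is None or owner == entry.get("harvardEduId"):
        return None
    return owner


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(authenticated_id: str, directory: dict,
              allowlist: frozenset, trusted_managers: frozenset) -> Decision:
    """Deny-by-default authorization for an ID the authentication system verified.

    Illustrative policy:
      1. IDs on the application's own allowlist are admitted (list-based).
      2. Otherwise an XID is admitted only if it is a managed XID whose owner
         is a manager the application trusts to have verified the holder.
      3. Everything else (self-registered XIDs, unknown IDs, HUIDs not on
         the list) is denied.
    """
    if authenticated_id in allowlist:
        return Decision(True, "on application allowlist")
    if is_huid(authenticated_id):
        return Decision(False, "HUID not on allowlist")
    entry = directory.get(authenticated_id)
    if entry is None:
        return Decision(False, "ID not found in directory")
    owner = xid_owner(entry)
    if owner is None:
        return Decision(False, "self-service XID: identity assurance too low for this app")
    if owner in trusted_managers:
        return Decision(True, f"managed XID owned by trusted manager {owner}")
    return Decision(False, f"managed XID, but owner {owner} is not a trusted manager")


if __name__ == "__main__":
    allow = frozenset({"x-selfreg-001", "12345678"})   # constructed allowlist
    managers = frozenset({"m-libmgr-01"})              # constructed trusted manager
    for candidate in ["12345678", "x-selfreg-001", "x-managed-002",
                      "x-managed-003", "x-selfreg-004", "87654321"]:
        d = authorize(candidate, SAMPLE_DIRECTORY, allow, managers)
        print(f"{candidate:14} {'ALLOW' if d.allowed else 'DENY ':5} {d.reason}")
```

The policy keeps authentication and authorization separate, as the page asks: the authentication system vouches only that the holder knows the credential, and the application decides admission from its own list or from the manager that created the XID, refusing self-registered XIDs outright when it needs identity-proofed users.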