Extended Identifiers (XIDs) are eight-character identifiers that help web-based applications uniquely tag users. The XID system allows users who do not hold Harvard IDs to register for ID numbers that can be used for authentication with University-secured applications. The XID authentication service is fully integrated with Harvard's authentication system, meaning that users are seamlessly authenticated as if they are HarvardKey holders. However, systems registered with Harvard's authentication system must specifically opt in to allow XID holders to be able to authenticate to their local system. XIDs can be obtained via a self-service application or provided to individuals by registered XID managers. Users can access the XID management site at xid.harvard.edu.
Key points about the XID credential itself:
- Helps ID and authenticate users without HUIDs
- It is never an 8-digit number
- Structurally, has the same features as HUIDs
- A user may have multiple XIDs
Applications can use three web-based services with XID:
- An XID generation and management service
- An XID authentication service (that Harvard's authentication system uses)
- An XID attribute lookup service (via LDAP)
Harvard Sites Using XID
- Poll Tool
- Video Tool
- Discussion Tool
- Countway Library's e-Resources
- Technology Services for IBM PC Procurement
- Software Licensing
Why create a second system of ID — aren't HUIDs good enough?
Web-based applications at Harvard University have typically been exposed only to users with a strong affiliation with Harvard. These users are eligible to get a Harvard University ID (HUID). However, as the number of Harvard services provided on the Web increases, service and application owners find themselves catering to a growing population of users who are not eligible to receive an HUID — hence establishing the XID credential.
If you are an application owner, and your users now or may eventually include these populations, you may want to consider accepting XID as well as HUID/HarvardKey:
- Users ineligible to receive a HUID
- Users unwilling to supply, or unable to verify, a date of birth or Social Security number (thus making them ineligible for a HUID as well)
Note that some user populations are granted a temporary HUID. If this does not satisfy the needs of your application, accepting XID may be a good choice.
I have a HarvardKey. Can I also get an XID?
Yes. There are two primary reasons that HarvardKey holders may also want to get an XID:
- Relative anonymity (HUIDs are tied to a person, a process that includes identity-proofing; XIDs are tied to a digital identity, which also means that a user may have more than one XID.)
- XID accounts may be shared by a group of users
Are there different kinds of XIDs?
Not as far as an application is concerned. From a security standpoint, however, there is a distinction: some XIDs belong to self-registered users, while others are created by XID managers who verify users' information before creating the credential.
Who is an XID manager?
XID managers are capable of creating managed XIDs, editing the XIDs that they manage, transferring control of XIDs to other managers, and setting expiration dates on XIDs they control. However, they cannot create or set the password for an XID (although they can ask the system to reset it to a random value). Only XID administrators can create XID managers. If you would like to be an XID manager, please contact email@example.com.
How does an application differentiate between managed XIDs and self-service XIDs?
For managed XIDs, the harvardEduIdOwner attribute in the people branch of LDAP will have a value different from the harvardEduId.
How do I know if an application is XID-enabled?
If an application you're trying to log in to supports XID, there will be an option for you to choose XID as a credential in the login window.
Does supporting XIDs make my application insecure?
No. Remember, simply enabling XID support for your application should not grant every XID holder access to the application. While authenticating a user is the Harvard authentication system's responsibility, authorizing access to your application is yours — for instance, you could simply authorize a set of users whose IDs you have stored in your application, or you could use a more sophisticated mechanism to do this. (For more on the difference between authentication and authorization, see our guide Getting Started with Authentication.)
Does the creation of XIDs make all applications using Harvard's authentication system inherently insecure?
No. Applications have the option of deciding whether or not they want to support XID at all — and those applications that do have the responsibility to further authorize the users that Harvard's authentication system has authenticated for them.
As an XID holder, what are my responsibilities?
- Once you are issued an XID, activate it as soon as you have the opportunity.
- Keep your XID attributes up to date, especially your email address.
- Do not share your password with anyone.
- Do not share your challenge/response information with anyone.
- Reuse your XID rather than creating one for each application.
- Treat your XID, its password, and your challenge/response information as the keys to your digital identity.
As an XID manager, what are my responsibilities?
- Make sure users are aware that you can help them create or edit their XID profiles.
- Be approachable to users who may wish to come to you with XID-related questions.
- Verify a user's physical credentials (ID, email, etc.) before creating a managed XID for him/her.
- Verify a user's physical credentials (ID, email, etc.) before editing his or her XID.
- Be willing to transfer control of a user's XID to another manager if the user feels the other manager is better suited to help him or her.
- Set expiration dates on XIDs that you control.
- Be available to reset XID passwords at users' request.
- Do not share your manager credentials with anyone unless you are acting as part of a group — and, if so, share only with bona fide group managers.
As the owner of an application that supports XIDs, what are my responsibilities?
- Be sure to authorize all authenticated users before letting them into your site.
- Make sure non-HarvardKey users have a clearly communicated means of getting an XID.
- If you would like to map IDs to real people, make sure you or someone you know is an XID manager, and you only let XID holders created or owned by this manager into your site.
- If list-based authorization is insufficient for your purposes, create, populate, and maintain a profile database that can be used to authorize users.
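The following is an added example, not Harvard's code, showing how an application can apply the two ideas above: distinguishing managed from self-service XIDs by comparing the harvardEduIdOwner and harvardEduId LDAP attributes, and then authorizing an already-authenticated XID holder by allow-list or by trusted manager. The LDAP entries, ID values, and the Policy structure are constructed assumptions; it assumes the harvardEduIdOwner value of a managed XID identifies the manager who created it.

```python
# Added example (not Harvard's code): the application's own authorization step
# for XID holders that Harvard's authentication system has already authenticated.
# Entries are assumed to have been fetched from the LDAP "people" branch; here
# they are constructed inline. Attribute names come from the page; the sample
# values and the idea that harvardEduIdOwner names the manager are assumptions.
from dataclasses import dataclass, field

# Constructed sample LDAP entries (not real records).
SAMPLE_PEOPLE = {
    "ab12cd34": {"harvardEduId": "ab12cd34", "harvardEduIdOwner": "ab12cd34",
                 "mail": "self@example.org"},          # self-service XID
    "ef56gh78": {"harvardEduId": "ef56gh78", "harvardEduIdOwner": "mgr00001",
                 "mail": "guest@example.org"},         # managed XID
    "ij90kl12": {"harvardEduId": "ij90kl12", "harvardEduIdOwner": "mgr00002",
                 "mail": "other@example.org"},         # managed by someone else
}


def is_managed_xid(entry: dict) -> bool:
    """Managed XIDs carry an owner attribute that differs from the XID itself;
    self-service XIDs own themselves."""
    return entry.get("harvardEduIdOwner") != entry.get("harvardEduId")


@dataclass
class Policy:
    allowed_ids: set = field(default_factory=set)       # list-based authorization
    trusted_managers: set = field(default_factory=set)  # accept XIDs these managers own


def authorize(xid: str, people: dict, policy: Policy) -> tuple:
    """Decide whether an authenticated XID may enter the site.
    Returns (allowed, reason); fails closed when the lookup finds nothing."""
    entry = people.get(xid)
    if entry is None:
        return False, "unknown id"
    if xid in policy.allowed_ids:
        return True, "explicit allow-list"
    if is_managed_xid(entry) and entry["harvardEduIdOwner"] in policy.trusted_managers:
        return True, "managed by trusted manager"
    return False, "authenticated but not authorized"


if __name__ == "__main__":
    policy = Policy(allowed_ids={"ab12cd34"}, trusted_managers={"mgr00001"})
    for xid in list(SAMPLE_PEOPLE) + ["zz99zz99"]:
        print(xid, authorize(xid, SAMPLE_PEOPLE, policy))
```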