HarvardKey Services

Every HarvardKey-protected application will use both authentication and authorization. Attribute release is optional.

  • Authentication: Commonly called “logging in”, it’s the process of validating that someone accessing the service is who they say they are.
  • Authorization: The process of confirming that the credentials presented have an active affiliation that allows the user access to your application.
  • Attribute Release: The process of passing specific data about the user to the application for its use.

Authentication

Authentication is the first step towards enabling users to access an application. When a user attempts to log in to an application, the Harvard Identity Provider (IdP) redirects the user to the HarvardKey sign-in page and verifies their credentials in the form of a unique username and password. Authentication determines whether a user is who they claim to be when they attempt to log into an application.

Every application requires an authentication protocol to configure the authentication process. Guidance on choosing an authentication protocol can be found in the Selecting an Authentication Protocol knowledge article. 

Authorization

Authentication alone is not enough, particularly because a person's HarvardKey continues to function after they leave the University. All applications must apply a group-based authorization filter to ensure only eligible users gain access.

  • Choose from Generic Authorization Filters or request an app-specific group.
  • Filters must match the risk level of your app’s data and usage.
  • Authorization exceptions require Security team approval.

Compliance ensures individuals and the University are sufficiently protected from material harm.

Attribute Release

HarvardKey can pass selected attributes to your application during login. All attribute requests are reviewed for necessity and privacy compliance.

  • Use the Available Attributes Table to choose from available data elements.
  • We strongly recommend using NetID as your unique identifier.
  • We only release Preferred Name unless there is a clear business need for Official Name.
  • Describe how attributes will be used and stored in your system.

Privacy of Harvard user information must be ensured by complying with data privacy guiding principles, directory listing policy, and FERPA requirements.
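The following added example (not HarvardKey or Harvard code) shows an application-side check that combines the Authorization and Attribute Release guidance above: an authenticated login is still denied without an eligible group, records are keyed on NetID, and Preferred Name is used for display only. The attribute names (`netid`, `memberOf`, `preferredName`), the group name, and the assumption that group memberships reach the application as a released attribute are all hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed attribute names; real ones come from the Available Attributes Table.
ATTR_NETID = "netid"
ATTR_GROUPS = "memberOf"
ATTR_PREFERRED_NAME = "preferredName"

# Constructed group name standing in for a generic filter or app-specific group.
ALLOWED_GROUPS = frozenset({"example-app-active-staff"})


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    user_key: Optional[str] = None      # stable key for application records (NetID)
    display_name: Optional[str] = None  # shown in the UI only, never used as a key


def as_list(value):
    """Released attributes may arrive as one string or as a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def authorize(attributes, allowed_groups=ALLOWED_GROUPS):
    """Decide access for an already-authenticated login; fail closed."""
    netid = next((v.strip() for v in as_list(attributes.get(ATTR_NETID)) if v.strip()), None)
    if netid is None:
        return Decision(False, "no NetID released")
    groups = {g.strip() for g in as_list(attributes.get(ATTR_GROUPS))}
    if not groups & set(allowed_groups):
        # Valid credentials but no active affiliation: authentication alone is not enough.
        return Decision(False, "not in an authorized group")
    names = as_list(attributes.get(ATTR_PREFERRED_NAME))
    return Decision(True, "authorized", netid, names[0] if names else netid)


# Constructed sample logins: a current member and a departed one whose key still works.
CURRENT = {"netid": "abc123", "memberOf": ["example-app-active-staff"], "preferredName": "Sam"}
DEPARTED = {"netid": "xyz789", "memberOf": [], "preferredName": "Alex"}

if __name__ == "__main__":
    for login in (CURRENT, DEPARTED):
        print(login["netid"], authorize(login))
```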