# HarvardKey Services

Every HarvardKey-protected application will use both authentication and authorization. Attribute release is optional.

- **Authentication**: Commonly called “logging in”, it’s the process of validating that someone accessing the service is who they say they are.
- **Authorization**: The process of confirming that the credentials presented have an active affiliation that allows the user access to your application.
- **Attribute Release**: The process of passing specific data about the user to the application for it to consume.

#### Authentication

Authentication is the first step towards enabling users to access an application. When a user attempts to log in to an application, the Harvard Identity Provider (IdP) redirects the user to the HarvardKey sign-in page and verifies their credentials in the form of a unique username and password. Authentication determines whether a user is who they claim to be when they attempt to log in to an application.

Every application requires an authentication protocol to configure the authentication process. Guidance on choosing an authentication protocol can be found in the [Selecting an Authentication Protocol](https://prod-iam.drupalsites.harvard.edu/selecting-harvardkey-authentication-protocol) knowledge article.

#### Authorization

Authentication alone is not enough, particularly because when someone leaves the University, their HarvardKey will continue to function. All applications must apply a group-based **authorization filter** to ensure only eligible users gain access.

- Choose from [Generic Authorization Filters](https://prod-iam.drupalsites.harvard.edu/harvardkey-generic-authorization-filters-0) or request an app-specific group.
- Filters must match the [risk level](https://privsec.harvard.edu/) of your app’s data and usage.
- Authorization exceptions require Security team approval.

Compliance ensures individuals and the University are sufficiently protected from material harm.

#### Attribute Release

HarvardKey can pass selected attributes to your application during login. All attribute requests are reviewed for necessity and privacy compliance.

- Use the [Available Attributes Table](https://docs.google.com/spreadsheets/d/1Fbv8HldQ0a9VGwEyMZevyAuqNtpv0qCJ0-iwzCOXC0c) to choose from available data elements.
- We strongly recommend using NetID as your unique identifier.
- We only release Preferred Name unless there is a clear business need for Official Name.
- Describe how attributes will be used and stored in your system.

Privacy of Harvard user information must be ensured by complying with [data privacy guiding principles](https://www.huit.harvard.edu/privacy), [directory listing policy](https://prod-iam.drupalsites.harvard.edu/resource/listing-policy), and [FERPA requirements](http://provost.harvard.edu/files/provost/files/ferpa_overview.pdf).



 

### Reference Materials

Please review the following information about application integrations.

- **Overview**
    - [Application Authorization using HarvardKey and IAM Group Services](https://harvard.service-now.com/ithelp?id=kb_article&sys_id=3811d84ddb4597cc83a2f3f7bf9619e5)
- **Policy**
    - [Roles and Responsibilities of Application Teams vs. IAM in the Integration Process](https://prod-iam.drupalsites.harvard.edu/roles-and-responsibilities-application-teams-vs-iam-integration-process)
- **Guides**
    - [Selecting an Authentication Protocol](https://prod-iam.drupalsites.harvard.edu/selecting-harvardkey-authentication-protocol)
    - [Attributes Available for Applications using HarvardKey Authentication Services](https://prod-iam.drupalsites.harvard.edu/attributes-available-applications-using-harvardkey-authentication-services)
    - [Request Approval to Allow Alumni Access to your HarvardKey-protected Application](https://harvard.service-now.com/ithelp?id=kb_article&sys_id=12dd722c1bba49d0485411b6bc4bcb5a)
    - [HarvardKey Generic Authorization Filters](https://prod-iam.drupalsites.harvard.edu/harvardkey-generic-authorization-filters-0)
    - [HarvardKey Integration Services- Authentication Session Timeouts](https://prod-iam.drupalsites.harvard.edu/harvardkey-integration-services-session-timeouts)
    - [Request a New Environment for an Existing Application](https://harvard.service-now.com/ithelp?id=kb_article&sys_id=476957dc47374d50566cf147536d436c)
    - [SAML Signing and Encryption Certificates](https://prod-iam.drupalsites.harvard.edu/saml-signing-and-encryption-certificates)

If you have any questions after reviewing these materials, the IAM team will work with you to get them resolved.