HarvardKey releases attributes to integrated applications in the authentication assertion. The selection of a unique identifier to store in a service’s local environment is one of the most important decisions to make for successfully maintaining any application for future use. This article provides information on the available identifiers to assist application owners with identifier selection.
Characteristics of Unique Identifiers
- Uniqueness
- Persistence
- Reassignment
- Privacy preservation using opaqueness
- Readability or lucency
- Linkability
- Unlinkability
- Scope of uniqueness
| Identifier | Uniqueness | Persistence | Reassignment | Privacy preservation | Readability | Linkability |
| HUID | Y | Y | N | Y | N | Y |
| NetID [1][2] | Y | Y | N | N | Y | Y |
| ePPN | Y | Y | N | Y | N | Y |
| UUID | Y | Y | N | Y | N | N |
[2] Applications with external users (users who do not have a HUID) are required to use NetID as their unique identifier. External users will be stored in a different registry, completely isolated from the HarvardKey registry. However, users in both domains need to share the same identifier namespace. Outside the IAM domains, common identifiers from both domains will behave exactly the same.
Identifier General Information
HUID
- 8-digit identifier
- E.g. “123456578”
- In isolation does not reveal personal information, but historically considered a sensitive identifier and is confidential information under the Family Educational Rights and Privacy Act (FERPA).
- The only common identifier that can reliably link persons in user stores across the University IT systems
- Only unique in the Harvard IAM domain
NetID
- Alphanumeric (3 letters + 3-4 numbers for HarvardKey users, 2 letters + 4 numbers for users without an HUID)
- E.g. “mgj357”
- IAM-recommended identifier for all applications; required for external users (users without an HUID) as the only available identifier
- Only unique in the Harvard IAM domain
ePPN
- Random identifier 16 characters in length
- E.g. “293bca06837f54bv”
- Globally unique since it is scoped within the Harvard domain
UUID
- Random 32-character identifier
- E.g. “9c795d208b24459688bb1bfc1cd84f6a”
- Globally unique since it is scoped within the Harvard domain
Why email is NOT an appropriate unique identifier
IAM strongly advises against using an email address as a unique identifier. Several qualities make email inappropriate for this use:
- Email address is mutable (it can change after the account is created)
- Email address may be reassigned (e.g. in the event of a name change)
- Email address is not always assigned by the institution (e.g. gmail, or a peer institution email such as mit.edu)
- Email is not a guaranteed unique identifier (e.g. shared by siblings or parents)
- Email address may not be validated
- Harvard users have multiple valid Harvard-domain email addresses, each with a different assignment lifecycle, which makes email an even more challenging choice as an identifier
Best Practices for Identifier Use
In accordance with the HarvardKey Application Integration Policy, identifiers obtained through authentication may only be used for purposes of authorization, account provisioning, and facilitation of the end user’s session and should be deleted or anonymized when they are not needed for service access. If applications using the SAML protocol elect to receive the “identifier bundle” on the Registration form, any unnecessary identifiers should be destroyed in this manner.
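The following is an added example, not HarvardKey or Harvard IAM code, that puts the two preceding sections together: it selects a stable identifier from an assertion's attribute bundle in the preference order the article gives (NetID first, since it is IAM-recommended and the only identifier an external user has), validates it against the documented formats, discards the rest of the bundle before anything is stored, and shows why keying a local user store on email breaks the account link after a name change. The attribute names used as dictionary keys (`netid`, `huid`, `eppn`, `uuid`, `mail`) are hypothetical, the sample assertion is constructed, and the lower-case alphanumeric alphabets assumed for ePPN and UUID are inferred from the page's sample values, not from a specification.

```python
import re

# Identifier formats as the article describes them. The alphabets for ePPN and
# UUID are an assumption drawn from the page's sample values (lower-case letters
# and digits). The attribute names used as keys are hypothetical.
IDENTIFIER_FORMATS = {
    "huid": re.compile(r"\d{8}"),                              # 8-digit
    "netid": re.compile(r"(?:[a-z]{3}\d{3,4}|[a-z]{2}\d{4})"),  # HarvardKey / external user
    "eppn": re.compile(r"[a-z0-9]{16}"),                       # 16 characters
    "uuid": re.compile(r"[a-z0-9]{32}"),                       # 32 characters
}

# Preference order: NetID first (IAM-recommended and the only identifier an
# external user has), then the others. Email deliberately never appears here.
PREFERENCE = ("netid", "huid", "eppn", "uuid")


def is_well_formed(name, value):
    """True if `value` matches the documented shape of identifier `name`."""
    pattern = IDENTIFIER_FORMATS.get(name)
    return bool(pattern and isinstance(value, str) and pattern.fullmatch(value))


def select_identifier(attributes):
    """Pick the identifier to key local accounts on, returned as (name, value).

    The first preferred identifier present in the assertion wins. A present but
    malformed value is an error rather than something to skip, so a bad
    assertion cannot quietly fall through to a weaker identifier.
    """
    for name in PREFERENCE:
        if name not in attributes:
            continue
        if not is_well_formed(name, attributes[name]):
            raise ValueError(f"malformed {name} in assertion")
        return name, attributes[name]
    raise ValueError("assertion carries no usable unique identifier")


def minimize_assertion(attributes, keep=()):
    """Retain only the selected identifier plus attributes the session needs.

    Everything else in the identifier bundle is dropped before any of it is
    written to storage, which is the deletion the integration policy asks for.
    """
    name, value = select_identifier(attributes)
    kept = {name: value}
    kept.update({attr: attributes[attr] for attr in keep if attr in attributes})
    return kept


class UserStore:
    """Local account registry keyed by one chosen attribute."""

    def __init__(self, key_attr):
        self.key_attr = key_attr
        self.accounts = {}  # key value -> local account number

    def login(self, attributes):
        """Return the local account for this assertion, provisioning on first sight."""
        key = attributes[self.key_attr]
        if self.key_attr in IDENTIFIER_FORMATS and not is_well_formed(self.key_attr, key):
            raise ValueError(f"malformed {self.key_attr} in assertion")
        # Keying on "mail" is the anti-pattern the article warns against; it is
        # accepted here only so the effect can be demonstrated.
        if key not in self.accounts:
            self.accounts[key] = len(self.accounts) + 1
        return self.accounts[key]


# Constructed sample assertion for one user. Values are the article's own
# examples where it gives one; the HUID and email are made up.
SAMPLE_ASSERTION = {
    "netid": "mgj357",
    "huid": "12345678",
    "eppn": "293bca06837f54bv",
    "uuid": "9c795d208b24459688bb1bfc1cd84f6a",
    "mail": "jane_doe@harvard.edu",
}
# The same person after a name change: every identifier is unchanged, only the email moved.
AFTER_NAME_CHANGE = dict(SAMPLE_ASSERTION, mail="jane_smith@harvard.edu")


def same_account_after_email_change(key_attr):
    """Does a store keyed on `key_attr` still recognise the user once their email changes?"""
    store = UserStore(key_attr)
    return store.login(SAMPLE_ASSERTION) == store.login(AFTER_NAME_CHANGE)


if __name__ == "__main__":
    print(select_identifier(SAMPLE_ASSERTION))                # ('netid', 'mgj357')
    print(select_identifier({"netid": "ab1234"}))             # external user: ('netid', 'ab1234')
    print(minimize_assertion(SAMPLE_ASSERTION, keep=("mail",)))
    print(same_account_after_email_change("netid"))           # True
    print(same_account_after_email_change("mail"))            # False
```

Keying the store on NetID keeps both logins on one local account; keying it on the email address creates a second, orphaned account as soon as the address changes, which is exactly the reassignment and mutability problem listed above. The `minimize_assertion` step is where an application that opted into the identifier bundle drops the identifiers it does not need, before they reach a database or log.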