MIT Libraries Attribute Release Policy for Single Sign On (SSO)
Purpose
This policy establishes which attributes MIT Libraries will release to third party information providers as part of a SAML-based SSO authentication cycle, referred to as SSO throughout this document. The policy aims to minimize the release of personally identifiable information (PII), and when it becomes necessary to release additional PII, it outlines the necessary steps to ensure the data is not misused and remains secure.
Background
The MIT Libraries is committed to protecting the privacy of MIT community members, and to the confidentiality of their information, when they use the services we provide. As a digital-first library, we license content and services from a variety of information services providers, referred to as Service Providers throughout this document.
Service Providers use various methods to authenticate users in order to ensure that only authorized users are able to access their content. One common authentication method utilizes SAML-based SSO. Some Service Providers’ implementations of this authentication method may require various pieces of information about individual users to be shared with the Service Provider as part of the authentication cycle. Often this is to provision individual user accounts to allow for personalization features such as email alerts or saved search history. SAML-based SSO raises privacy concerns because information about the user may be shared without the user’s knowledge or permission.
The MIT Libraries Patron Data Privacy Policy details how we handle the personally identifiable information (PII) of MIT students, faculty, staff, and other patrons of the MIT Libraries. PII is any piece of information that can be used by itself or linked with other information to identify an individual. We strive to maintain patron privacy without curtailing content and functionality offered by these Service Providers.
Scope
This policy applies to information shared with Service Providers through SSO implemented by MIT Libraries to provide MIT community members with access to licensed information sources on external vendor platforms to support research and learning.
This policy does not apply to:
- authentication arrangements made outside of the MIT Libraries (e.g., authentication arrangements managed by IS&T or individual departments),
- information (name, email, etc.) shared by MIT community members directly with a Service Provider (e.g., a platform that offers individual registration, after authentication, to enable additional functionality),
- any other authentication methods other than SSO (e.g,. domain authentication).
Policy
By default we will release any of the following attributes required by the SP:
- eduPersonScopedAffiliation – as of this writing, one of:
- staff@mit.edu (includes faculty)
- student@mit.edu
- affiliate@mit.edu
- Some form of opaque, persistent ID – typically SAML2 Pairwise Subject Identifier, but MIT IS&T may support other options for asserting an opaque ID.
The following additional attributes may also be released if required, provided the SP has agreed in writing to the MIT Libraries privacy agreement or other mutually agreed privacy terms or is a member of the InCommon Research and Scholarship Category.
- eduPersonPrincipalName (ePPN; same as email in MIT’s case)
- displayName (first + last name)
- givenName (first name)
- Sn (last name)
Service providers not in compliance
If the Libraries license an information resource that requires SSO authentication that does not meet the requirements of this policy, and thus requires sharing of PII for authentication beyond the limitations defined in this policy, the Libraries will use best effort to notify patrons of the sharing of PII through MIT Libraries’ web services (Search Our Collections, A – Z Databases List, product LibGuides). Service Providers who are not in compliance with this policy will be listed in an addendum to the Libraries Privacy Policy.
Definitions
- Attribute: information about an end user that is passed to a service provider after authentication (e.g. name, email address, etc.). Attributes are used to transfer information about the end user from the identity provider to the service provider in order to gain access to information.
- Authentication: The process of presenting credentials to a system that asks the question: “Who are you?”
- Authorization: The process of determining whether an authenticated user should have access to a particular resource. Authorization answers the question: “Now that we know who you are, should you be allowed to connect to the resource in question?”
- Identify Provider: a system entity that issues authentication assertions in conjunction with a single sign-on (SSO) profile of the Security Assertion Markup Language (SAML). (See full definition of identity provider.)
- Personally identifiable information (PII): any piece of information that can be used by itself or linked with other information to identify an individual. (See a more full description of what we mean by PII.)
- Security Assertion Markup Language (SAML): an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. (See full definition of SAML.)
- Single Sign On (SSO): An authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems. (See full definition of SSO.)
- Service Provider: A system entity that receives and accepts authentication assertions in conjunction with a single sign-on (SSO) profile of the Security Assertion Markup Language. (See full definition of service provider.)
- Shibboleth: The authentication software that MIT has branded as Touchstone. Shibboleth consists of a central Identity Provider (IdP) which communicates with numerous Service Providers (SP) to provide secure, web-based, single-sign-on authentication services.
- Touchstone: MIT’s implementation of Shibboleth, a single-sign-on authentication system for web-based applications.