Raven, the University’s authentication service, enables account holders to authenticate themselves to a wide range of websites. The Raven service was initially developed for use with websites operated by the University of Cambridge and its members. More recently Raven has been extended to work with interoperability protocols such as SAML2 and OAuth. These enable account holders to easily authenticate to websites which use these, removing the need for individual users to separately register for individual accounts by making available a set of attributes about individual account holders which are derived from data held in central University administrative systems. Transfer of information is fundamental to the operation of Raven and its underlying protocols. In some cases attributes transmitted by Raven will include personal data within the meaning of the General Data Protection Regulation (GDPR). This policy outlines the circumstances under which such information will be released, in compliance with GDPR, and should be read in conjunction with the University’s IT Facilities and Services Privacy Notice.
The Policy
- Raven currently provides authentication services to the following:
- Websites and Services fully owned and operated by the University of Cambridge. These will normally use an address ending in cam.ac.uk e.g. www.admin.cam.ac.uk
- Websites and Services operated by third parties under contract to the University of Cambridge. Note that these may use an address ending in cam.ac.uk or may operate under their own brand name.
- Websites and Services operated by third parties which are not under contract to the University which offer you the option of authenticating with your institutional ID. These will not have an address ending in cam.ac.uk
- Websites and Services fully owned and operated by the University of Cambridge. These will normally use an address ending in cam.ac.uk e.g. www.admin.cam.ac.uk
- The first two groups are directly or contractually under University control and are classified as Internal Service Providers. Raven releases only those attributes which are necessary for the delivery for each services. Each site must be registered with the metadata registration application. Each service has been designed or commissioned by University staff with data protection considerations in mind. Such attributes will usually include your CRSid and your name to enable the creation and personalisation of your account on the host service and may include information indicating whether you are a member of University staff or a current student where this is necessary, for example to enable the University to comply with licencing conditions. You will not have an option to opt-out of such attribute releases.
-
In the case of third party websites not under contract to the University you should be aware that the University has not negotiated any contractual relationship with these service providers. Consequently, the information Raven makes available to them is more limited as no due diligence has been performed in relation to their data handling or their compliance with GDPR.
In this case Raven will normally release your identity (in the form of an 'eduPersonPrincipalName'), your status within the University ('member', 'staff', 'student', etc.) and an 'Anonymous Identifier' which is unique to you and the site you are visiting. Raven may release additional information, but only when doing so is necessary to enable the access to which you are entitled. The decision to proceed with authentication and the creation of accounts on such sites is made solely by the account holder. On first authentication you will be presented with an attribute release screen which identifies which attributes will be released and to which you must consent for authentication to proceed.
- A full list of attributes that may be transmitted by Raven along with their definition is maintained in the technical documentation.
University Library Resources
Access to electronic resources through the University library relies on being included or excluded from the membership of specific groups within the University’s Lookup directory. Group membership IDs are made available as Raven attributes. The relevant memberships and exclusions are:
- People entitled to access the general University Library electronic resource collection consist of anyone who is not a member of lookup group 100925, and who has a misStatus in lookup of 'staff' or 'student' or who is a member of lookup group 100981 (staff) or 100982 (students).
- University Library electronic resources that are restricted to staff can be accessed by anyone who is not members of lookup group 100925, and who has a misStatus in lookup of 'staff' or who is in lookup group 100981.
- University Library electronic resources that are 'medically restricted' can be accessed by anyone who is not members of lookup group 100925 and who is a member of lookup group 100927.
Anyone who experiences problems with access to University Library electronic resources should contact lib-raven@lists.cam.ac.uk
01223 332999