skip to content

IT Help and Support

University Information Services
 

This document sets out the policy observed by the managers of the University of Cambridge's institutional Shibboleth Identity Provider (IdP), as provided by Raven, in respect of release of attribute information. Transfer of attribute information is central to the operation of Shibboleth, however attribute values may represent 'personal data' under the terms of the Data Protection Act 1998 and processing and release of such data must abide by the provisions of the act. This policy ensures that the University does so.

See the Shibboleth attribute release summary for details of the currently implemented attribute rules.

This is version 6 of the policy approved by the UIS Deputy Director for Information Management on 19th October 2016.

1) All changes to this policy are approved by the Director of Information Services or his deputy.

2) Users are told about the IdP, and the fact that it may disclose information about them, the first time they use it to access a resource and at least annually thereafter. They are required to positively confirm that they accept the terms and conditions under which the IdP operates before proceeding and a record is made of this acceptance. On first access to a particular Shibboleth Service Provider (SP), users are made aware of the attributes that may be disclosed to it, along with their current values, and asked to approve this disclosure; this will be repeated at least annually and any time the list of attributes being disclosed to this SP changes.

3) The Shibboleth protocol requires that the SP have a copy of the University's Shibboleth metadata. This is available via HTTPS at https://shib.raven.cam.ac.uk/shibboleth for ad hoc use by SPs outside our set of known access federations.

4) The University institutional IdP provides three attributes to any SP that requests them. These are:

4.1) eduPersonScopedAffiliation with appropriate values (e.g. member@cam.ac.uk for members of the University, member@eresources.lib.cam.ac.uk for people entitled to access University Library-licenced electronic resources).

4.2) eduPersonTargetedID (an identifier allocated at random and distinct for each combination of user and SP, e.g. MlWd0XIR7juZvwvarOVdYiUWPW0=@cam.ac.uk).

4.3) eduPersonPrincipalName with the value <crsid>@cam.ac.uk (e.g. fjc55@cam.ac.uk).

5) Values for any other attributes (in particular eduPersonEntitlement, a 'catch-all' container for values specified by particular SPs, for example urn:mace:oclc.org:100159623 on behalf of anyone entitled to access the general University Library electronic resource collection, as required by OCLC FirstSerach), are released where there is a reasonable need, providing the corresponding user's identity can not be derived from these attributes or other information likely to be available to the SP. Where appropriate, SPs will only receive the particular extra attributes and values that they require.

6) Other attributes from or derived from the University Directory (Lookup), for example sn (e.g. Clark), displayName (e.g. Fred Clark), ou (e.g. Department of Important Studies), mail (e.g. fjc55@cam.ac.uk), University status (e.g. 'staff'), and groupID (e.g. 100123) may be released to SPs operated by the University, providing they have a privacy level of 'University' or 'World'.

7) Attributes from or derived from the University Directory (Lookup) may be released to SPs under contract to the University or Colleges solely for the purpose of the performance of that contract providing the contract provides an adequate levels of protection for the data concerned. The UIS will conduct due diligence prior to the authorisation of any such release under this clause. Service owners considering using this feature should contact UIS prior to entering into any contract for the provision of services that may depend on the release of such attributes. Each decision to allow or alter such a particular disclosure is approved by the Director of Information Services or his deputy before it is implemented and recorded in the schedule to this policy.

8) Other than as mentioned above, attributes and attribute values are only disclosed where there is a demonstrable need and where there are adequate levels of protection for the data concerned. Release of such information is only permitted where there is no alternative. Each decision to allow or alter such a particular disclosure is approved by the Director of University Information Services or his deputy before it is implemented and recorded in the schedule to this policy.

Schedule

Attribute and attribute value disclosure approved under section 7 above:

1) registered name ('cn', presented as initials and surname), and preferred email address ('mail') to Gartner. Inc (http://www.gartner.com).

2) registered name ('cn', presented as initials and surname), and preferred email address ('mail') to Room Booking Systems Ltd, 20-23 Woodside Place, Glasgow. SC366647.

3) CrsID ('uid'), registered name ('cn', presented as initials and surname), forename (when
available) and preferred email address ('mail') to Qualtrics LLC (https://www.qualtrics.com/).

4) registered name ('cn', presented as initials and surname), preferred email address ('mail') and University institution name ('ou') to Wellspring Worldwide, Inc. 350 N. LaSalle Street 12th Floor, Chicago, IL 60654 (http://www.wellspring.com/).

5) "dgyId" - Along with eduPerson Principal Name (eppn), we release "dgyId"
- the user's eppn converted to a format specifically for Digitary, Unit
3, Northwood House, Northwood Business Campus, Santry, Dublin 9, Ireland

Attribute and attribute value disclosure approved under section 8 above:

None

Phone padded  Service status line: (01223 7)67999
Website  Sign up for SMS/email status alerts
Website  Read major IT incident reports

UIS bITe-size bulletin

A regular newsletter aimed at the University's IT community, highlighting service and project news from UIS.

Sign up >

Latest news

Your University GoogleDrive: 20GB quota limit from December 2022

19 January 2022

Google is replacing its G Suite for Education model licensing model in October 2022. As a result, there will be a new limit of 20GB on personal GoogleDrive spaces provided with G Suite@Cambridge accounts. If your GoogleDrive usage exceeds 20GB after 1 December 2022, your University account GoogleDrive will become read-only until your usage is brought below 20GB.

Moodle offline for upgrade during 06:00–12:00 on Tuesday 11 January

10 January 2022

Moodle will be unavailable from 06:00 to 12:00 on Tuesday 11 January while we upgrade it to version 3.9. During the upgrade, you won’t be able to view or upload sessions on Panopto because access is managed via your Moodle login. Assessment Moodle, ICE Moodle and Clinical School Moodle users will be unaffected. An outline...

HEAT authentication method changing to Azure on 13 January

7 January 2022

We're changing the authentication method for the IT service management system, HEAT, to Microsoft Azure on Thursday 13 January 2022. What is changing? You should continue to use the same URL for accessing HEAT: https://uniofcam.saasiteu.com. However, the 'Sign in' screen you'll be directed to will look slightly different,...