
When you connect your service to SURFconext, SURFconext takes care of authenticating your users. After a user has successfully authenticated at their institution, SURFconext delivers a message to your service stating that the user is successfully authenticated. So what's next?

Attributes and privacy

Besides knowing that a user is successfully authenticated, your service might need to know who the user is or whether they are a student or an employee. The Identity Providers connected to SURFconext can provide your service with this information, in the form of attributes.

SURFconext, in line with the forthcoming European General Data Protection Regulation (GDPR), assumes a minimum disclosure principle. In short, this means a service should only maintain (personal) information that is strictly necessary for providing the service.

In practice, this means you are only allowed to receive those user attributes that you need for providing the service. For instance, if your service allows users to share files with each other and sends out notifications to users when a new file is shared, you could receive the user's email address attribute. However, if you only use the user's email address for marketing purposes, you might not receive the email address as an attribute.

Identifiers

...

 

 

Distinguishing one user from another.

Various options, from privacy-friendly to privacy-unfriendly

Identifiers (see other page)

other attributes

other: schacHome

 

 

When your service has been connected to SURFconext, identification of users will happen through attributes (instead of username + password). Personal data of the user is always transferred, regardless of which attributes are used. However, the sensitivity of the personal data that is exchanged differs per attribute. We encourage Service Providers to ask for a minimal set of attributes and to use privacy-friendly attributes, especially when it comes to user identifiers.

User identifiers are attributes that are able to uniquely identify a user, for example: NameID, Employee/Student-number, UID, PrincipalName and Email.

To help you choose the best attributes, considering both usability and privacy, please ask yourself the following questions:

  • Is it necessary to know the name of the user?
  • Is it necessary to know if a user is a returning user?
  • Is it necessary to know the user’s contact information?
  • Is other information, apart from the SURFconext attributes, processed in the application?