
Privacy policy Shibboleth Identity Provider


The Shibboleth Identity Provider (IdP)

  • idp.haw-landshut.de

is operated by the computer centre of Landshut University of Applied Sciences, Am Lurzenhof 1, 84036 Landshut. The personal data processed is subject to the applicable data protection regulations, in particular the Bavarian Data Protection Act (BayDSG) and the Telemedia Act (TMG).

Below we inform you about the type, scope and purpose of the collection and use of personal data. This information can be accessed at any time from our website.

Authentication via an identity provider (IdP)

When you access a web service protected by Shibboleth, you are redirected to the login page of the IdP of your home organisation (Landshut University of Applied Sciences). The user name and password are used only to check their validity against an authentication server (LDAP). The web service you want to visit then receives only an authentication confirmation via the SAML protocol, never your password. By default, your identifier is not passed on; instead, each web service receives only a permanently unique pseudonym (Targeted ID), which it can use to assign the same profile to you when you visit again.

Shibboleth is also a single sign-on solution (SSO), i.e. as long as the session in your browser and on the IdP is valid, you do not have to authenticate yourself again when visiting other web services protected by Shibboleth. After successful authentication, the IdP saves a cookie with a key on your computer. The IdP only uses this key to realise your session and thus the SSO functionality. The cookie does not contain any other personal data.

Logging

The IdP temporarily stores the following information in log files for each authentication:

  • IP address of the requesting computer
  • Date and time of access
  • URL or identifier of the web service accessed
  • user name
  • Type (attribute name) of the additional data transmitted, but not its content

These log files are automatically deleted after 7 days at the latest. Exception: Access to the DFN certificate service SLCS (Short Lived Credential Service), for which we must permanently archive the access date, user ID, name and e-mail address for contractual reasons.

The log file entries are analysed in order to detect attacks on the identity provider and to be able to react accordingly. In addition, the log files may be consulted in individual cases if you contact our support team to find the cause of an error in the event of failed access to a web service.

The IP addresses and user IDs contained in the log entries are not merged by Service IT with other databases and are not analysed to create access profiles, user tracking or similar.

Transfer of personal data

The IdP only transmits personal data to the requesting web service with your explicit consent. After successful authentication, you will be shown a digital business card with all the data that the requesting web service would receive. You can also reject the transfer here.

In addition to a pseudonym, the requesting web service only receives the following from the IdP by default:

  • Your affiliation to Landshut University of Applied Sciences (so-called affiliation: employee, teaching staff, student, alumnus, other member)
  • as well as any specially agreed character strings (so-called entitlements) for extended authorisations within the web service.

At the request of the web service operator, further personal data may be provided for transfer at the IdP. These are:

  • First name and surname
  • email address
  • Date of birth
  • gender
  • Organisational unit within your institution (for employees and guests)
  • Programme information, faculty and matriculation number (for students)

This data is also displayed in the digital student card before it is passed on.

In addition, personal data will only be transferred to state institutions and authorities within the framework of mandatory national legislation or if the transfer is necessary for legal or criminal prosecution in the event of attacks on our IT infrastructure. Data will generally not be transferred to third parties for other purposes or published.

Your rights

You have a right to information about your personal data stored by us. You also have the right to have incorrect data corrected, blocked or deleted. If you wish to exercise these rights, please contact us in writing. Please note that your data is not stored in the IdP itself, but in the personal and user management system of Service IT.

Links and redirects

Some of the IdP websites contain links to websites of other organisations or companies, or redirect you to such websites. We have no influence on the design and content of these websites and cannot control how their providers handle your personal data.

Validity and up-to-dateness

By using or authenticating with an IdP, you consent to the use of your data as described above. This privacy policy is immediately valid and replaces all previous declarations.

Due to the further development of the authentication infrastructure, it may become necessary to revise this privacy policy. We reserve the right to amend the data protection declaration at any time with effect for the future and recommend that you read the current data protection declaration again from time to time.