Shibboleth is a procedure for distributed authentication and authorization for web applications, which makes it possible to use different applications with a single login - both within the University of Passau and at other universities and institutions that participate within the same network.
Examples of Shibboleth-secured web applications are protected offers from publishers, access to e-learning systems and registration with the Virtual University of Bavaria (VHB).
When using a Shibboleth-secured web application (service provider), it fowards you to the localization service. There you choose which institution you belong to (University of Passau). You will therefore be forwarded to the identity depot (identity provider) of the University of Passau, where you can log in with your User ID and your password. After a successful login and an authorisation check, you will be automatically returned to the web application which you can then use. Your password will never be transferred to the web application. Your password is checked exclusively on the PCs of the University of Passau.
If you have activated the option 'stay signed on', you don’t have to log in again to use further applications within the group (Single Sign On).
This functions within the same group of web applications and identity depots. A group like this is also known as a federation. The federation to which the University of Passau belongs is the DFN-AAI Federation of the German Research Network. AAI stands for authentication, authorisation and infrastructure. All members of the federation have contractually agreed to keep certain rules.
- Affiliation (cross-institutional): firstname.lastname@example.org
This identifies you as a member of the University of Passau to the application.
This authorisation is necessary above all to use the library services and publishing offers limited to members of the university.
Further attributes and values are released if required by the application (e.g. the matriculation number for registration with the vhb, the Virtuelle Hochschule Bayern). There are different categories of affiliation, and several can also apply at the same time:
- email@example.com = students and employees of the University of Passau
- firstname.lastname@example.org = students of the University of Passau
- email@example.com = employees of the University of Passau
- firstname.lastname@example.org = teaching staff of the University of Passau
- email@example.com = non-teaching staff of the University of Passau
- firstname.lastname@example.org = guests and other persons of the University of Passau
Data protection and security
The transfer of data to other organisations is subject to data protection when personal data is involved.
The Shibboleth method makes it possible to handle personal data particularly economically, as only data that are really necessary are transmitted, and these data are displayed to the user before transmission. All service providers in the Federation of the German Research Network are contractually obliged to keep the respective data protection regulations.
The transfer of your data to the Shibboleth-secured web application takes place immediately when you log in. The first time you log in to a web application or if you activate the checkbox 'show data to be transferred', you will receive an overview of all personal information transferred before the transfer takes place. If you do not agree with the transfer of the data shown to the service provider, you can decide/should decide not to use the corresponding service.
When you log in successfully with the activated option 'stay signed in' a browser cookie will be saved locally on your PC. You then have access to all web applications connected to the Shibboleth system for as long as you keep your browser open. To sign out of all applications, you therefore have to completely end your browser. You should pay special attention if also other persons use the PC used for the Shibboleth login.