Privacy Policy HfM

Shibboleth Usage

  1. The responsible party within the meaning of the applicable data protection laws is the University of Music FRANZ LISZT Weimar as the access provider.
  2. This privacy policy is available on the Bauhaus-Universität website at all times.
  3. According to the data protection provisions of §§ 14, 15 TMG, 95, 97 TKG, the access provider may collect, process and use personal data insofar as this is necessary for the purpose of establishing, implementing and processing the user relationship concerning the DFN-AAI and the offers of the affiliated service providers. This includes both inventory and usage data. Inventory data are, for example, the name, date of birth and address of the user. Usage data are features for identifying the user, information about the beginning and end as well as the scope of the respective usage and information about the services used by the user.
  4. In accordance with §§ 96, 97, 100 TKG, 15 TMG, traffic data will only be stored and processed for up to six months after the end of the respective connection, insofar as this is necessary for the purpose of establishing further connections, for the detection and elimination of faults and misuse or for the determination of charges and billing for the services of the DFN-AAI or the services of the service providers, as well as for the purposes justified by other statutory provisions. Otherwise, traffic data will be deleted immediately after termination of the connection.
  5. Inventory data and usage data are transmitted to investigative, law enforcement and supervisory authorities in accordance with the applicable legal provisions if and to the extent that this is necessary to avert threats to public safety and to prosecute criminal offences.
  6. Description of data processing in the DFN-AAI
    1. The German Research Network Authentication and Authorisation Infrastructure (DFN-AAI) serves the federation of higher education institutions and other educational institutions as well as private information providers. The participants of this federation are enabled, on the basis of a technical infrastructure, to make resources of the entire federation available to the users registered locally in their institutions in a controlled manner without the users having a user account at all institutions.
    2. The technical implementation is based on Shibboleth, a software developed by the Internet2 consortium that enables distributed authentication and authorisation for web applications and web services. The concept of Shibboleth provides, among other things, that a user only has to authenticate once per browser session at his or her home institution, e.g. the university where he or she is enrolled, in order to be able to access services or licensed content from different providers regardless of location (so-called federated single sign-on). Users can thus access the services and offerings of all participants in the federation from any institution; these are available after a single authentication and authorisation.
    3. In principle, a user's data is only maintained at his or her home institution; the services offered only require their own user administrations for the purpose of personalisation and for application-specific data.
    4. At the University of Music FRANZ LISZT Weimar (hereinafter referred to as the home institution) as the access provider, a Shibboleth Identity Provider is connected to the identity management of the home institution, which enables single sign-on. As the identity provider, the home institution provides the service providers connected to the infrastructure with data on authentication and authorisation attributes.
    5. The service providers are both public bodies and non-public bodies in Germany and abroad.
    6. When a user requests a resource accessible via the Federation, the Service Provider directs the user to a service (Discovery Service) where the user selects the Identity Provider of their home organisation. The user is then directed back to the Service Provider, which caches the information about which IdP belongs to the selected home organisation and uses it for further requests. The SP responds with an authentication request addressed to the IdP.
    7. The identity provider at the home institution checks whether the user already has a Shibboleth session, i.e. is already authenticated. If this is not the case, authentication is initiated, e.g. the user is shown a form to enter the user password. If the user is authenticated, a SAML authentication and attribute assertion is issued for the service provider.
    8. The SP now checks whether the user has access based on the assertions and returns the originally requested resource accordingly.
  7. The personal attributes transferred within the framework of the DFN-AAI are:
    • mail: E-mail address of the user
    • givenname and sn: first and last name,
    • eduPersonPrincipalName: an ID that identifies the user for transaction processes in the AAI, which may contain name components,
    • eduPersonAffiliation: a description of the main roles one can hold at the university, e.g. »student« for students, »staff« for staff, »faculty« for teaching staff.
    Depending on the service provider, fewer or more attributes can be transmitted. Which attributes are to be transferred in a specific case is displayed to the user before the transfer, whereupon he or she can consent to or refuse the transfer.
  8. The service providers use so-called cookies to collect, process and use usage data from the requesting users. The use of these cookies serves to make the offer user-friendly and user-related as well as effective and secure.
  9. Cookies are small text files that are sent by a web server to the browser of the requesting user and stored on the hard disk of the user's computer. This information is used to automatically recognise the user the next time he or she visits the service provider's websites and to facilitate navigation. Cookies make it possible, for example, to adapt a website to the interests of the user or to store the data requested for authentication at login in order to make logging in easier.
  10. The websites of the service providers can also be used without cookies. For example, the use of cookies can be excluded by selecting the browser settings »do not allow cookies« by the user. However, the rejection of cookies can lead to functional restrictions of the service provider's offer.
  11. If you have further questions about the information on data protection and the processing of your personal data, you can contact the data protection officer at your university directly.
  12. If you use external links that are offered as part of the DFN-AAI service, this data protection declaration does not extend to these links. The service providers and access providers have no influence on compliance with data protection and security regulations by other providers. You should therefore also inform yourself on the Internet pages of the other providers about the data protection declarations provided there.
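The exchange described in items 6.6 to 6.8 and the attribute release rules of item 7, modelled as an added Python example. This is not Shibboleth or DFN-AAI code: the hostnames, the user record, the per-service-provider release policy, the login credentials and the five-minute assertion lifetime are all constructed for the illustration, and an HMAC over canonical JSON stands in for the XML signature a real IdP places on a SAML assertion. The attribute names are those listed in item 7.

```python
import hashlib, hmac, json, secrets, time

# Constructed directory of the home institution (IdP side). dateOfBirth is inventory data
# the access provider holds; no release policy below names it, so it is never transmitted.
DIRECTORY = {
    "jdoe": {"mail": "jdoe@hfm.example", "givenName": "Jane", "sn": "Doe",
             "eduPersonPrincipalName": "jdoe@hfm.example",
             "eduPersonAffiliation": "student", "dateOfBirth": "2001-05-04"},
}
# Constructed per-SP attribute release policy ("fewer or more attributes" per service provider).
RELEASE_POLICY = {
    "https://library.example.org/shibboleth": {"eduPersonPrincipalName", "eduPersonAffiliation"},
    "https://portal.example.org/shibboleth": {"mail", "givenName", "sn", "eduPersonPrincipalName"},
}
IDP_ENTITY_ID = "https://idp.hfm.example/idp/shibboleth"      # constructed
IDP_SIGNING_KEY = b"constructed-demo-key-not-for-production"  # stands in for the IdP's XML signing key


def _sign(key, payload):
    """HMAC over canonical JSON, standing in for the XML signature on a real SAML assertion."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Home institution: keeps the user data and issues signed assertions (items 6.4 and 6.7)."""
    def __init__(self):
        self.sessions = {}  # Shibboleth session id -> username

    def login(self, username, password):
        # Constructed credential check; a real IdP defers to the institution's identity management.
        if username not in DIRECTORY or password != "correct horse":
            raise PermissionError("authentication failed")
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = username
        return sid

    def handle_authn_request(self, session_id, request, consented):
        """Require an existing session, then release only requested, policy-allowed, consented attributes."""
        if session_id not in self.sessions:
            raise LookupError("no session yet: show the login form first")
        user, sp = DIRECTORY[self.sessions[session_id]], request["issuer"]
        allowed = RELEASE_POLICY.get(sp, set())
        released = {a: user[a] for a in request["requested_attributes"] if a in allowed and a in consented}
        now = int(time.time())
        assertion = {"issuer": IDP_ENTITY_ID, "audience": sp, "in_response_to": request["id"],
                     "issue_instant": now, "not_on_or_after": now + 300, "attributes": released}
        return {"assertion": assertion, "signature": _sign(IDP_SIGNING_KEY, assertion)}


class ServiceProvider:
    """Resource side: sends the authentication request and checks the assertion (items 6.6 and 6.8)."""
    def __init__(self, entity_id, required_affiliations, requested_attributes):
        self.entity_id = entity_id
        self.required_affiliations = set(required_affiliations)
        self.requested_attributes = list(requested_attributes)
        self.trusted_idps = {IDP_ENTITY_ID: IDP_SIGNING_KEY}  # from federation metadata (constructed)
        self.outstanding = set()  # request ids issued and not yet answered
        self.idp_cache = {}       # browser session -> IdP chosen at the Discovery Service

    def build_authn_request(self, browser_session):
        if browser_session not in self.idp_cache:
            raise LookupError("send the user to the Discovery Service first")
        request_id = "_" + secrets.token_hex(16)
        self.outstanding.add(request_id)
        return {"id": request_id, "issuer": self.entity_id, "destination": self.idp_cache[browser_session],
                "requested_attributes": self.requested_attributes}

    def consume(self, response, now=None):
        """Accept the assertion only if every check passes, then decide access from the attributes."""
        assertion = response["assertion"]
        key = self.trusted_idps.get(assertion["issuer"])
        if key is None:
            return False, "issuer is not a trusted IdP of this federation"
        if not hmac.compare_digest(_sign(key, assertion), response["signature"]):
            return False, "signature does not verify"
        if assertion["audience"] != self.entity_id:
            return False, "assertion was issued for another SP"
        if assertion["in_response_to"] not in self.outstanding:
            return False, "unsolicited or replayed response"
        self.outstanding.discard(assertion["in_response_to"])  # a request id is good for one response
        if (now if now is not None else int(time.time())) >= assertion["not_on_or_after"]:
            return False, "assertion expired"
        if assertion["attributes"].get("eduPersonAffiliation") not in self.required_affiliations:
            return False, "affiliation does not grant access to this resource"
        return True, "access granted to " + assertion["attributes"].get("eduPersonPrincipalName", "?")


def demo_flow():
    """One complete exchange; returns the SP decision and the attribute names actually released."""
    idp = IdentityProvider()
    sp = ServiceProvider("https://library.example.org/shibboleth", {"student", "staff", "faculty"},
                         ["mail", "eduPersonPrincipalName", "eduPersonAffiliation"])
    sp.idp_cache["browser-1"] = IDP_ENTITY_ID  # what the Discovery Service redirect hands back
    request = sp.build_authn_request("browser-1")
    session = idp.login("jdoe", "correct horse")
    response = idp.handle_authn_request(session, request, consented=set(request["requested_attributes"]))
    ok, reason = sp.consume(response)
    return ok, reason, sorted(response["assertion"]["attributes"])
```

Running `demo_flow()` shows the two sides of the minimisation the policy describes: the library SP asks for `mail` as well, but the release policy for that SP does not include it, so the assertion carries only `eduPersonPrincipalName` and `eduPersonAffiliation`. On the SP side, the assertion is trusted only after the issuer, signature, audience, request id and validity window have been checked, and each request id is accepted once, so a captured response cannot be presented a second time.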

This translation is for transparency purposes. The original German-language version of the webpage is binding.