
Privacy and cookie policy for the Raven web authentication server
Raven is a service used by some web sites to identify people from the University so that access decisions can be made based on user identity and related information. This policy describes the personal information processed by the central servers that form part of the Raven system, and explains how that information is used. Other components of the Raven system operate on individual web servers - you need to consult corresponding documentation from these other sites to find out what they do with Raven-derived information.
Any changes to this privacy policy will be posted on this page. It was last updated on 1 March 2013.
Processing of personal information by the Raven server falls into four categories: authentication responses to web sites, user database, cookies, and log files. These are discussed in the following sections.
Authentication responses to web sites
The Raven server's function is to identify individuals and to pass information about them to web sites that request it.
The identification information passed to web servers includes:
- An indication of the status of an authentication request (success, failure, cancelled, etc.) and possibly an explanatory message.
- For the Raven/Ucam-WebAuth service, the user's identity expressed as a Common Registration Scheme identifier (CRSid).
- For the Raven/Shibboleth service, information about the user as permitted by the Shibboleth Attribute Release Policy.
- The date and time the response message was created, and optionally an indication of when authentication should expire.
- How the user established their identity.
User database
Anyone with a Raven account has an entry in Raven's user database - the majority of people registered for any Computing Service system will have an account on Raven. For each user, the information stored by Raven includes:
- CRSid*
- Name and affiliations*
- A non-reversibly-encrypted copy of the password used to authenticate the user to Raven, and the date and time it was last changed
- Default login options and the date and time of their last change
- Date and time of account creation, and cancellation if cancelled, and of last successful login
- A flag indicating if the user is known to have agreed to the IT syndicate rules, and the time and location of such agreement if done via Raven.
- For the Raven/Shibboleth service:
  - The date and time of first and last access
  - The version number of the most recent Terms and Conditions accepted
  - The list of attributes approved for release to each web site, the date and time of approval, and the version number of the Terms and Conditions in force at the time
Fields marked *, and account creation and cancellation, are derived directly from the Computing Service's Jackdaw database. The information stored in the Raven database is used for Raven's operation and for account administration by members of Computing Service staff. Other than in the provision of authentication responses as mentioned above, the information is not otherwise disclosed by Raven.
Raven accounts are marked as cancelled when the corresponding user ceases to be entitled to a Raven account. Cancelled accounts are normally retained for about 200 days, after which the corresponding database records are deleted.
Cookies
The Raven service uses two discrete sets of servers which perform different, related authentication tasks. raven.cam.ac.uk serves the locally developed Ucam-WebAuth components whilst shib.raven.cam.ac.uk is used to serve components that follow the Shibboleth federation protocols. Websites may choose to use one or both of these different technical solutions depending on their specific authentication needs. Whilst the two underlying servers support subtly different technologies, both are combined within the Raven service to provide a consistent authentication experience to the end user.
Both Ucam-WebAuth and Shibboleth use a number of HTTP cookies. Precisely which cookies are set depends on how the two underlying systems are used. These cookies are set so that, if your browser is operating correctly, they will be returned only to the server that set them and only over secure HTTP connections. The cookies that may be set are:
Ucam-WebAuth Server (raven.cam.ac.uk)
The Ucam-WebAuth server may set three cookies. The first two listed here are essential for the operation of the Raven authentication service. The third is set only if you choose to supply a default CRSid to offer when logging in.
- Ucam-WLS-Session: This cookie is used to implement Raven's single sign-on facility, which enables you to move between many Raven-protected sites without having to re-enter your login credentials for each site. It retains:
  - Your CRSid.
  - A record of your chosen Raven login options.
  - Your method of authentication.
  - The date and time of your most recent authentication.
  - The date and time of your session's scheduled expiry.
  - A cryptographic signature protecting the cookie value.
- Ucam-WebAuth-Session-S: This is used to separately control access to a small number of pages on the Raven server itself. It records:
  - Your CRSid.
  - The status of your most recent request to authenticate.
  - Your method of authentication.
  - The date and time of your most recent authentication.
  - The length in seconds of your current authentication session.
  - A unique value issued by the Raven server to identify the current authentication event.
  - A cryptographic signature protecting the cookie value.
- Ucam-WLS-ID: Sets a default CRSid to offer when logging in. Set only on request, from the Raven account management page. This is a persistent cookie stored in your browser that expires after 1 year.
Shibboleth Server (shib.raven.cam.ac.uk)
The Shibboleth server sets four cookies when it is invoked by a client web site. These are all essential for the provision of the service.
- Ucam-WebAuth-Session-S: This is used to manage your authentication to the Shibboleth server for onward transmission to client web sites using the Shibboleth federation protocols. It is set when you first authenticate to a site using Shibboleth in any browser session and will be deleted when your browser session ends. It contains:
  - Your CRSid.
  - The status of your most recent request to authenticate.
  - Your method of authentication.
  - The date and time of your most recent authentication.
  - The length in seconds of your current authentication session.
  - A unique value issued by the Shibboleth server to identify the current authentication event.
  - A cryptographic signature protecting the cookie value.
- JSESSIONID: This holds an alphanumeric value that uniquely identifies your current browsing session; it is used to further manage your authentication to the Shibboleth server for onward transmission to client web sites. It is set when you first authenticate to a site using Shibboleth in any browser session and will be deleted when your browser session ends.
- _idp_authn_lc_key: This cookie contains only information necessary to identify the current authentication process (which usually spans multiple requests/responses) and is deleted after the authentication process completes.
- _idp_session: This cookie contains information necessary for identifying the user's 'login' to the Shibboleth server. This cookie is created as a "session" cookie and will be removed when the browser chooses to remove such cookies (often when the browser is closed).
If you would like to find out more about Cookies and Privacy see http://www.allaboutcookies.org/.
Log files
All accesses to the Raven server are logged for the purposes of system administration, bug tracking, production of usage statistics and to trace misuse. In the case of misuse, relevant information may be passed to security teams at other sites as part of an investigation. Otherwise the information is not passed to any third party except as required by law, or as summary statistics that do not identify individuals. Raw logfiles are normally kept for no more than 6 months.
The exact information logged may vary from time to time but typically includes:
- Date and time
- The user's identity if it has been established
- Information provided by the origin computer, including hostname or address, type of network client in use, resource or service requested
- Information provided by the origin web server in authentication requests, including the protocol version in use, the URL to which response messages should be sent, an optional error explanation, acceptable types of authentication, an optional web server parameter string, the current date and time on the web server.
- A record of the steps taken during the processing of requests
- The information included in authentication responses as described above under authentication responses to web sites
- Information allowing Shibboleth 'anonymous identifiers', such as eduPersonTargetedID, to be associated with the authenticated user to which they relate
- The success or failure of requests
Access to personal data
For the purpose of the UK Data Protection Act 1998, the 'Data Controller' for the processing of data collected by this site is the University of Cambridge, and the point of contact for subject access requests is the University Data Protection Officer (The Old Schools, Trinity Lane, Cambridge CB2 1TN, Tel: +44 (0)1223 332320, Fax: +44 (0)1223 332332, Email: [email protected]).