Privacy policy - Login for members of HFT Stuttgart
The Shibboleth Identity Provider (IdP) shibboleth1.rz.hft-stuttgart.de is operated, hosted and maintained by the Information Center of the Stuttgart University of Applied Sciences (short: HFT), Schellingstr. 24, 70174 Stuttgart.
By using the IdP, personal data about you will be stored. Since the above-mentioned data is connected to your person, it is our duty to inform you that this data is collected and processed and what your rights are in this respect.
The basis for the processing of personal data is the General Data Protection Regulation (GDPR) of the EU, the German Federal Data Protection Act and the State Data Protection Act of the State of Baden-Württemberg.
This information can be accessed here at any time.
Authentication via Identity Provider (IdP)
The IdP is used for secure logon to web services, so-called Service Providers (SP). For this purpose the IdP is connected to the user directory of the HFT.
When accessing a web service protected by Shibboleth, a redirection to the login page of the HFT's IdP takes place. User name and password are used exclusively for testing their validity against an authentication server (AD).
By default, your ID is not passed on, but only a permanently unique pseudonym (Transient ID or Persistent ID) per Web Service, which the Web Service can use to assign the same profile to you when you return. If necessary, however, further information required for the use of the SP (so-called attributes) will be transferred to the SP concerned. This can be, for example, the name, the e-mail address or the group membership within the HFT (student, employee, ...).
Data stored on the IdP
During each authentication the IdP temporarily stores the following information in log files:
- IP address of the requesting computer
- date and time of access
- URL or identifier of the called web service
- username
- type (attribute names) of the additionally transmitted data, but not their content
- access status (requested file transferred, not found etc.)
- identification data of the browser and operating system used (if transmitted by the requesting web browser)
- web page from which the access was made (if transmitted by the requesting web browser)
The log file entries are evaluated to detect attacks on the IdP and to react accordingly. In addition, the log files can be used in individual cases if you contact the Service Desk to find the cause of the error in case of failed access to a Web service.
The IP addresses and user IDs contained in the log file entries are not merged with other data sets by HFT and are not evaluated for the creation of access profiles, user tracking or similar purposes. Log entries older than 7 days are deleted.
Cookies
Shibboleth is a Single-Sign-On solution (SSO), i.e. as long as the session is valid in your browser and at the IdP, you do not need to authenticate again when visiting other web services protected by Shibboleth. To make this possible, the IdP stores a cookie with a key on your computer after authentication. The IdP uses this key only to maintain your session and thus the SSO functionality. The cookie does not contain any further personal data.
Transmission of personal data
The IdP will transmit personal data to the requesting web service only after your explicit consent. For this purpose, after successful authentication you will be shown a list with all data that the requesting web service would receive. Here you can also reject the transfer.
In addition to a pseudonym, the IdP may also transfer other personal data. These are:
- your affiliation with the HFT (so-called affiliation: employee, teaching staff, student, alumnus, other member)
- first and last name
- mail address
- organizational unit within the HFT (for employees and guests)
- as well as any specially agreed character strings (so-called Entitlements) for extended permissions within the web service.
Logout
So far, Shibboleth does not have a universal logout option (Single-Logout), because many SPs have not implemented this functionality yet. Some applications may offer 'Logout' buttons that let you log out of the application, but you will be logged in again automatically when you visit the application again within the same browser session.
Your session at the IdP will expire automatically after a specified time (one hour).
If you use Shibboleth-secured services from public terminals - for example Internet cafes - you should delete your private data (cookies) in your browser and thus your Shibboleth session key. Usually it is sufficient to close the browser for this purpose.
Your rights
You have a right to information about your personal data stored with us. In addition, you have the right to correct incorrect data as well as to block and delete data. If you would like to exercise these rights, please contact us in writing.
In the event of a violation of legal regulations for the protection of the data stored about you, you can contact the responsible supervisory authority:
State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
P.O. Box 10 29 32, 70025 Stuttgart
Phone: 0711/615541-0, Fax: 0711/615541-15
poststelle(at)lfdi.bwl.de
Please first contact the person responsible or the data protection officer at HFT. In most cases, this will help to clarify questions and resolve complaints:
Maximilian Musch
+49 (0)711 8926 2796
datenschutz(at)hft-stuttgart.de
Validity and topicality
By using or authenticating at an IdP you agree to the use of data as described above. This data protection declaration is immediately valid and replaces all previous declarations.
Development of the authentication infrastructure may make it necessary to revise this privacy policy. We reserve the right to change the privacy policy at any time with effect for the future and recommend that you reread the current privacy policy from time to time.
Last changed: March 2023