Understanding Harvard's Authentication System

HarvardKey, Harvard's authentication system, is an authentication service for online applications affiliated with the University. This service gives users a single login name and password pair that can be used with many different applications, sparing users the need to remember multiple passwords and relieving system administrators of the need to maintain them.

The system provides an authentication service only, not an authorization service — that is, it tells you who the user is, but not whether the user should have access to your application. Very notably, Harvard's authentication system cannot tell you whether a given user has a current affiliation with the University.

You should review this reference site to understand how Harvard's authentication system can be implemented with your application or website. If you have any questions not addressed on this site, please contact ithelp@harvard.edu.

Registering an Application

Developers of online applications who wish to use HarvardKey for authenticating their users must register their applications. Application forms are available here for both CAS and Shibboleth/SAML protocols.

Registration provides a measure of security by protecting users from unknowingly providing information to "rogue" applications. Application administrators provide an application's URL, and authenticated users are redirected to it. Without this information, authentication tokens cannot be generated.

Considerations After Authentication

Once a successful authentication has been asserted, your application is responsible for the following:

  • Determining what privileges, if any, the user has within the application. If a user is not authorized to access the application, you must have a local landing page advising the user and who to contact to resolve the issue. It is unacceptable to direct the user to any HarvardKey page, such as login or logout, as this often leads to calls to the Help Desk for what is perceived as an authentication issue. 
  • Maintaining session state, e.g. through cookies or randomly generated session keys stored in hidden form fields.
  • Protecting sensitive information from third-party interception using SSL encryption.
  • Expiring page content immediately so that sensitive information is not cached.
  • Ending users' sessions securely.

We also recommend that you provide a link within your application that will allow users to log out of HarvardKey. The logout page is responsible for ending a user's automatic login session — in effect, logging a user out of the entire system. Some applications automatically redirect a user to the logout page when the user logs out of the application. Other applications provide separate links for logging out of the application and logging out of HarvardKey.

Frequently Asked Questions

Q: Do you have resources who can implement authentication for us?
A: Unfortunately, at this time we do not have resources available to implement Harvard authentication within your local environment. 

Q: What is the logout URL?
A: The logout URL is https://key.harvard.edu/logout.