The central login service uses cookies and the browser's local storage (cookies for short) to store login status and personal settings. The service requires consent before sending data to service providers; user behaviour is also stored on the server.
The display language you select is stored in a cookie and shared with all visited servers in the uniba.sk domain (including sub-domains).
Certain data can be sent to a service provider without the user's consent. Every service provider receives a pseudonymized user identifier, which is unique for each user and each service provider, so it cannot be used to track the user across different service providers. Also, only data necessary for use of the given service, which the service provider already has access to, are sent without the user's consent (e.g. the user's university e-mail address is sent to the provider of the university e-mail service).
Other user data are sent only after the user gives consent. After authentication and before the data are sent, the user is shown an approval dialogue with information on the consent's validity period. This information is stored in cookies. The maximum validity period of a stored consent is approximately one year. If another browser or device is used, a new consent is requested. If the number of stored consents reaches the cookie size limit, consent may be requested before the previous validity period expires, possibly on every login.
The current login status for each service provider used in the current session is stored in a cookie. This information is used to log out from individual services or for central logout. Not every service provider supports central logout, so the best way to ensure correct behaviour is to close all browser windows after logging out.
All data about every user login are stored on the central login service servers. These logs are neither used by nor shared with any other service of the university or any third party. They are not used for any PR or marketing purpose. Logs can be used to obtain statistical data on service usage; such anonymized statistics can be used for scientific purposes, to improve our service, or for other purposes including publication.
These records are intended for use by service managers in the event of service failure and in handling functional or security incidents, whether incidents of the central login service itself or incidents involving service providers. Records can also be used to investigate the behaviour of a user who is in violation of applicable law (e.g. the Copyright Act) or the Comenius University regulations, or who is damaging the reputation of the University. In such cases, records may be used in disciplinary or court proceedings. The records are available to law enforcement agencies to the extent determined by the legislation of the Slovak Republic (SR).
Comenius University's Single Sign-On (SSO) system allows users to securely access the websites of participating service providers (SPs). Services can be operated either by the University or by third-party providers. For this purpose Comenius University employs multiple technologies. This page is dedicated to SAML2 authentication (Shibboleth).
SAML2 (Security Assertion Markup Language 2.0) is a means by which user information can be shared among various services. In our use case it is the user's browser that carries out the actual information transfer.
How exactly does it work? A user visits a service provider's website and starts the login process. If necessary, the service provider lets the user choose a home organization to verify his/her identity. Sometimes the home organization can be determined from the user's login name, or there may be a different service URL for every home organization; otherwise the user is presented with a list of home organizations to choose from. Once the home organization is determined, the user's browser is redirected to the organization's identity provider server, automatically submitting a form with the relevant service provider's information. The identity provider server verifies the user's identity and redirects his/her browser back to the service provider website, automatically submitting a form with the user data relevant to this service. All data exchanged between the identity provider and the service provider are digitally signed with keys the other side can verify.
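The return leg of the exchange above, as an added illustration that is not code from the University's system: the identity provider hands the browser a self-submitting form carrying the response, and the service provider then checks that the response was actually addressed to it, answers a request it really sent, and is still within its validity window. The service provider entity ID, consumer URL, request ID and clock values are assumed for the demo, and verification of the XML signature the page mentions is assumed to have happened before these checks.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT = "%Y-%m-%dT%H:%M:%SZ"
# Assumed values: a hypothetical service provider, its assertion consumer URL and the
# ID of the AuthnRequest it sent; NOW/LATER are a fixed clock for the demo.
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SP_ACS_URL = "https://sp.example.org/Shibboleth.sso/SAML2/POST"
REQUEST_ID = "_req-constructed-1"
NOW = dt.datetime(2024, 1, 1, 12, 0, tzinfo=dt.timezone.utc)
LATER = NOW + dt.timedelta(minutes=10)

def make_response(now: dt.datetime) -> bytes:
    """Constructed IdP response: a persistent (targeted) NameID, valid for five minutes."""
    not_after = (now + dt.timedelta(minutes=5)).strftime(FMT)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" InResponseTo="{REQUEST_ID}" Destination="{SP_ACS_URL}">
  <saml:Assertion ID="_a1"><saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">ab12</saml:NameID>
  </saml:Subject><saml:Conditions NotOnOrAfter="{not_after}">
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>""".encode()

def post_form(response_xml: bytes, relay_state: str) -> str:
    """The self-submitting form the IdP hands to the browser (SAML HTTP-POST binding)."""
    b64 = base64.b64encode(response_xml).decode()
    return (f'<form method="post" action="{SP_ACS_URL}">'
            f'<input type="hidden" name="SAMLResponse" value="{b64}"/>'
            f'<input type="hidden" name="RelayState" value="{relay_state}"/></form>')

def validate_response(response_xml: bytes, expected_request_id: str, now: dt.datetime) -> dict:
    """SP-side checks that the (already signature-verified) response is for this SP,
    answers the request this SP actually sent, and is still within its validity window."""
    root = ET.fromstring(response_xml)
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    not_after = dt.datetime.strptime(cond.get("NotOnOrAfter"), FMT).replace(tzinfo=dt.timezone.utc)
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    problems = []
    if root.get("Destination") != SP_ACS_URL: problems.append("destination")
    if root.get("InResponseTo") != expected_request_id: problems.append("in_response_to")  # unsolicited/replayed
    if now >= not_after: problems.append("expired")
    if SP_ENTITY_ID not in audiences: problems.append("audience")  # issued for another SP
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    return {"ok": not problems, "problems": problems,
            "name_id": name_id.text if name_id is not None else None}
```

A real Shibboleth SP performs these checks (and the signature check) itself; the block only makes visible what a response that fails them looks like.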
This procedure has obvious advantages: the user always authenticates in his/her home organization in a familiar way and does not need to repeatedly submit information to each service provider. Which data are released to a given service provider depends strongly on the service used. At minimum a targeted identifier is released, so the user can obtain a tailored service although the user's real identity is unknown to the service provider. In other cases the real name or login, even the e-mail address or the user's affiliation (student/employee/visitor), can be provided. The amount of released data is subject to agreement between the service provider and the user's home organization; in any case the user is informed about the released data and has the opportunity to deny the release.
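The targeted identifier mentioned here, and the consent-free pseudonymized identifier described earlier on this page, share one property: stable for a given user at a given service provider, different at every other provider, and not reversible to the real identity. The block below is an added example of one common way to derive such a value (a keyed hash over user and provider); it is not the University's own derivation, and the secret, user names and provider entity IDs are constructed for the demo.

```python
import hashlib
import hmac

# Constructed secret held only by the identity provider; a real deployment's key
# is not on the page and this value is an assumption for the demo.
IDP_SECRET = b"constructed-idp-secret-not-a-real-key"

def targeted_id(user_id: str, sp_entity_id: str, secret: bytes = IDP_SECRET) -> str:
    """Derive the pseudonymous, per-service-provider identifier for a user.

    HMAC over (user, service provider) gives a value that is stable for one
    pair, so the provider can recognise a returning user, but differs for every
    other provider and cannot be reversed without the identity provider's secret.
    """
    msg = user_id.encode() + b"\x00" + sp_entity_id.encode()   # separator avoids ambiguous joins
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def providers_can_link(id_at_a: str, id_at_b: str) -> bool:
    """Two providers could join their records on a user only if their identifiers agree."""
    return hmac.compare_digest(id_at_a, id_at_b)

def demo() -> dict:
    """Same user at two hypothetical providers, plus a second visit to the first one."""
    sp_a = "https://library.example.org/shibboleth"   # assumed entity IDs
    sp_b = "https://lms.example.org/shibboleth"
    first = targeted_id("student1", sp_a)
    return {"stable_on_return": first == targeted_id("student1", sp_a),
            "linkable_across_sps": providers_can_link(first, targeted_id("student1", sp_b)),
            "distinct_users": targeted_id("student2", sp_a) != first}
```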
The concept of logging out in an SSO scenario is not entirely straightforward. It does not even make sense in the case of desktop integration, where the user is signed in automatically and the whole process is so transparent that there is no logged-out state. In other cases it makes sense to distinguish a service logout from a global SSO logout.
In the case of a logout from a given service, the user stays signed in to the other services visited during the current session. On the next attempt to access this service the user will be logged in transparently.
In the case of a global SSO logout, the user is logged out from all services visited during the current session. For this reason the identity provider server stores information about visited services in the user's browser local storage. After a service logout the user is shown a list of all visited services (the user could have logged out of some of them without the identity provider server noticing) with a central logout option. Unfortunately not all services are configured to allow central logout. The safest way is to manually log out from all remaining services and close all browser windows.