Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
141 changes: 141 additions & 0 deletions components/ILIAS/Authentication/PRIVACY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,141 @@
# Authentication Privacy

> **Disclaimer: This documentation does not guarantee completeness or accuracy. Please report any missing or incorrect information via [Pull Request](docs/development/contributing.md#pull-request-to-the-repositories).**


## General Information

The Authentication component manages user login, session handling, and authentication mode
configuration in ILIAS. It supports multiple authentication backends (local database, LDAP,
Shibboleth, SAML, OpenID Connect, SOAP, Apache, and plugins) and coordinates their sequence.

The component stores active session data in the database and, when the session statistics feature
is enabled (which it is by default), additionally collects aggregated session statistics. The
**IP address** of each user may be stored alongside session records if the `save_ip` setting is
enabled in the ILIAS client configuration (`client.ini.php`). This conditional storage is an
important privacy consideration.

Authentication also enforces security policies that affect personal data: failed login attempts
are counted per user account, and accounts can be automatically deactivated after exceeding a
configurable maximum number of attempts.

## Integrated Components

- The Authentication component employs the following components, please consult the respective
PRIVACY.md files:
- [AccessControl](https://github.com/ILIAS-eLearning/ILIAS/blob/trunk/components/ILIAS/AccessControl/PRIVACY.md) – manages permissions for authentication
administration settings and determines session types for users with system administration
access.
- User – the Authentication component reads and updates user account data during login
(last login date, login attempts, active status) and resolves user names for session
statistics export.
- [COPage](https://github.com/ILIAS-eLearning/ILIAS/blob/trunk/components/ILIAS/COPage/PRIVACY.md) – the login page and logout page editors use the COPage
service for editable content pages.
- [AuthShibboleth](https://github.com/ILIAS-eLearning/ILIAS/blob/trunk/components/ILIAS/AuthShibboleth/PRIVACY.md) – Shibboleth authentication is configured
and managed through the Authentication administration interface.
- LDAP – LDAP server settings and authentication are integrated into the Authentication
administration and login flow.
- SAML – SAML Identity Provider settings are managed through the Authentication
administration interface.
- OpenIdConnect – OpenID Connect authentication settings are managed through the
Authentication administration interface.
- Cron – the Authentication component provides a cron job
(`auth_destroy_expired_sessions`) to periodically destroy expired sessions and aggregate
session statistics.
- Logging – the Authentication component logs authentication events (login, logout,
failed attempts) via the ILIAS logging service.

## Data being stored

- **User ID**: When a session is created or updated, the **user ID** of the authenticated user
is stored in the `usr_session` table. This links the session to a specific user account.
- **Session ID**: A unique **session identifier** is generated for each session and stored in
the `usr_session` table. The session ID is also set as a browser cookie.
- **Session creation time**: The **timestamp** when the session was first created is stored in
the `createtime` column of the `usr_session` table.
- **Session last activity time**: The **timestamp** of the most recent request within the
session is stored in the `ctime` column of the `usr_session` table. This is used to determine
session expiration.
- **Session expiration time**: The calculated **expiration timestamp** is stored in the
`expires` column of the `usr_session` table.
- **Session type**: A numeric **session type** (system, admin, user, or anonymous) is stored
in the `type` column of the `usr_session` table. The type is determined based on the user's
permissions.
- **Session context**: The **context type** (e.g., web, WAC) is stored in the `context` column
of the `usr_session` table when a new session record is inserted.
- **IP address** (conditional): If the `save_ip` setting is enabled in the ILIAS client
configuration, the user's **IP address** (`REMOTE_ADDR`) is stored in the `remote_addr`
column of the `usr_session` table. This setting is disabled by default.
- **Session data**: Serialized **PHP session data** is stored in the `data` column of the
`usr_session` table. This may contain transient application state.
- **Session-based immediate storage**: Key-value pairs are stored in the `usr_sess_istorage`
table, linked to the **session ID** and a **component ID**. This is used for AJAX-safe
session storage across components.
- **Raw session statistics**: When session statistics are enabled (default: on), the
`usr_session_stats_raw` table stores the **session ID**, **user ID**, **session type**,
**start time**, **end time**, and **end context** (reason for session closure) for each
controlled session. This data is used to calculate aggregated session load statistics.
- **Aggregated session statistics**: The `usr_session_stats` table stores aggregated,
anonymized statistics per 15-minute time slot: minimum, maximum, and average active session
counts, as well as counts of sessions opened and closed (by manual logout, expiration, or
other reasons). This data does not contain personal data.
- **External authentication attribute mappings**: The `auth_ext_attr_mapping` table stores
mappings between external authentication source attributes and ILIAS user attributes. These
mappings are configuration data and do not contain personal data per se, but they define
which external user attributes are imported into ILIAS.

## Data being presented

- **Each user** is not directly shown session data by this component. Session-based data is
transient and serves the running application. Users interact with the session indirectly via
the **session reminder**, which displays a notification when the session is about to expire.
The session reminder lead time is configurable per user via a user preference
(`session_reminder_lead_time`).
- **Persons with the "Read" permission** on the Authentication Administration can:
- view the configured authentication modes, the number of users per authentication mode,
and the current default authentication mode.
- view SOAP authentication settings, Apache authentication settings, and authentication
mode determination settings.
- view session statistics (current system load, short-term, long-term, and periodic
statistics) as charts showing aggregate active session counts over time.
- **Persons with the "Write" permission** on the Authentication Administration can:
- modify authentication settings, authentication mode sequences, and role-to-authentication
mode mappings.
- configure login page and logout page editor content.
- configure logout behaviour settings.
- trigger manual synchronization of session statistics.
- export session statistics as CSV files. The CSV export includes the **full name** of the
person who initiates the export (as "report owner") but does not contain individual user
session data -- only aggregated session counts.

## Data being deleted

- **When a user logs out**: The session record for that user is deleted from the `usr_session`
table. The corresponding records in `usr_sess_istorage` are also deleted. A closing entry is
written to the `usr_session_stats_raw` table (end time and end context) before the session
record is removed.
- **When a session expires**: Expired sessions are destroyed either by a random cleanup
triggered during regular page requests (with a 1-in-50 probability) or by the
`auth_destroy_expired_sessions` cron job. Both mechanisms delete the session record from
`usr_session` and `usr_sess_istorage`, and close the corresponding raw statistics entry.
- **When a user account is deleted**: All sessions for that user are destroyed via
`ilSession::_destroyByUserId()`, which deletes all records from the `usr_session` table
where `user_id` matches the deleted account.
- **Raw session statistics cleanup**: Aggregated raw session data older than 7 days is
automatically deleted by the `deleteAggregatedRaw()` method after each aggregation cycle.
This means individual `usr_session_stats_raw` records (which contain user IDs) are retained
for at most approximately 7 days after the session ended.
- **Residual data**: The aggregated statistics in `usr_session_stats` are fully anonymized
(they contain only counts, not user IDs) and are not deleted when individual users are
removed. The `auth_ext_attr_mapping` configuration data persists until the associated
authentication mode is reconfigured or removed.

## Data being exported

- **Session statistics CSV export**: Persons with the "Write" permission on the Authentication
Administration can export session statistics as CSV files. The export contains the
installation name, the report date, the **full name of the exporting user** (as report
owner), and aggregated session data (time slots, active session counts by min/avg/max,
sessions opened and closed by type). No individual user session records or user IDs are
included in the export.
- There is no other dedicated export of session or authentication data from this component.
Loading