Difference between revisions of "AboutEduID.hu"

From: KIFÜ Wiki

Revision of the page as of 28 March 2012, 17:39

Purpose of this document

This document is a collection of the information specified in several specific documents written in Hungarian. Since only Hungarian educational and research institutions are expected to be Federation Members (i.e. to operate an Identity Provider), this document focuses on the rules relevant to (international) Federation Partners.

About the federation

The Hungarian Research and Educational Federation (HREF) is an identity federation of Hungarian higher education and research institutions, public collections and other content providers. For end users the federation aims to be transparent, therefore the login procedure is communicated as "eduID login".

Contacts

The Federation is operated by NIIF Institute as the Federation Operator. Questions, concerns or any other requests about the Federation should be directed to any of the following addresses:

  • aai@niif.hu
  • Kristof Bajnok, NIIF Institute
    18-22 Victor H. str
    H-1132 Budapest
    Hungary

News and information about the federation are located at http://eduid.hu (Hungarian only).

Policy and principles of interoperation

Basic principles

  1. The aim of the Federation is to allow the use of services of its Members and Partners, where authorisation is based on the user information originating from the users' Home Institutions.
  2. Home Institutions must only authenticate users having a known affiliation to them.
  3. IdPs and SPs must not give false or misleading information about themselves.
  4. User information provided by IdPs should be as accurate as possible. SPs must take into account that parts of the received information may be at the discretion of the user.
  5. User credentials (i.e. passwords) stored by IdPs must be protected and verified only through secure procedures.
  6. SPs must request only the user attributes which are absolutely necessary for their operation.
  7. SPs must not ask users for their federation passwords.
  8. SPs must handle personal data according to the local privacy laws.
  9. IdPs and SPs must cooperate in the investigation of possible abuse/fraud.
  10. IT systems running IdPs and SPs must be operated with due diligence.

Data protection

  • Prior to joining the federation, every entity needs to publish the Data Protection Policy under which it operates. This policy must be kept up to date.
  • Whenever the Data Protection Policy changes, the Federation Operator must be notified.
  • Transfer of personal data is only allowed when
    • it is authorised by law,
    • the user has expressed his or her consent to the data transfer.

Rules of membership

The Federation is operated by the Federation Operator, which also operates the national research network. Further participants are Members and Partners, which must have a signed contract with the Operator.

  1. The following institutions may be Members of the federation:
    • Institutions of the higher education;
    • Institutions of the Hungarian Research Academy and other research institutions;
    • Institutions of secondary education;
    • Public collections.
  2. Any organisation may join as a Partner.
  3. All Members and Partners of the Federation may provide services.
  4. A Partner may participate in the meetings of the Members' Board as an observer, without the right to vote.
  5. Only Members are entitled to
    • supply user information to the federation
    • send representatives into the Members' Board with a right to vote.

Governance

The governance body of the federation is the Members' Board (MB). Every Federation Member may send one representative person to the Members' Board, who has one vote.

The working language of the MB is Hungarian. The Board publishes its decisions and guidelines at http://eduid.hu/dokumentumok in Hungarian; whenever a topic is of interest to any international Partner, it shall be translated to English and the administrative contacts shall be notified.

The MB is authorised to

  • accept new Federation documents or modify existing ones,
  • accept applications of new Members and Partners.

Partners may also send representatives to MB meetings, without voting rights.

Legal

The Federation itself is not a legal entity; Members and Partners establish a legal connection to the Federation Operator. Any legal claims shall be directed to the organisation operating the Identity Provider or the Service Provider.

Technical information

Operational requirements

Attributes

Attribute Specification is maintained in a separate document.

As a brief summary, the following attributes are mandatory or recommended:

Mandatory attributes:
  • eduPersonPrincipalName
  • eduPersonTargetedID
  • eduPersonScopedAffiliation
  • schacHomeOrganizationType

Recommended attributes:
  • displayName
  • mail
  • eduPersonEntitlement

IdPs may implement other attributes.

Metadata

Information about the entities of the Federation is maintained in a signed XML document, called the federation metadata.

Availability

The metadata file is available both at http://metadata.eduid.hu/current/href.xml and at https://metadata.eduid.hu/current/href.xml; however, the unencrypted (HTTP) method is preferred. The file is stored on a highly available file server.

The information inside the metadata file must not be trusted after the date specified in the validUntil field of the topmost EntitiesDescriptor. The expiration date of a metadata file is 7 days after the date of the signature.

The metadata file is re-signed daily or whenever the entity information changes (e.g. entities are added or modified). Entities are expected to refresh metadata information regularly.

Trust in metadata

Verification of the metadata file

The contents of the metadata file must be trusted only if the signature of the Federation Operator can be validated.

The Federation Operator uses a self-signed certificate for signing the metadata file, therefore the signing key must be explicitly trusted. Properties of the signing certificate:

  • DN: C=HU, O=NIIF Institute, OU=eduID Federation Operator, CN=Metadata Signer/emailAddress=aai@niif.hu
  • MD5 fingerprint: 21:8C:BE:B4:D1:D6:12:C4:67:9F:16:FA:93:36:F6:A4
  • SHA1 fingerprint: FE:AE:0B:E8:FB:59:ED:F7:CB:7F:69:DF:19:4F:8B:6D:C7:F6:96:66
  • Availability: from Oct 5 08:18:46 2011 GMT until Sep 30 08:18:46 2031 GMT

The certificate used for signing can be downloaded from https://metadata.eduid.hu/href-metadata-signer-2011.crt ; this link should open without certificate warnings in most browsers. It is recommended to also request the signing certificate from the Federation Operator over another verifiable transport (such as PGP-signed email).
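As an added example (not code from the eduID.hu page or from any federation software), the following Python implements the two checks from this section and the Availability section that sit beside the XML signature verification itself: the signer certificate carried in the signature's ds:KeyInfo is compared against the published SHA1 fingerprint, and the validUntil of the topmost EntitiesDescriptor is enforced, rejecting both expired files and files valid for longer than the 7-day window. It assumes the signer certificate is embedded in ds:KeyInfo; build_sample constructs a test document, and the ds:SignatureValue itself must still be verified by the SAML software consuming the metadata.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# SHA1 fingerprint of the HREF metadata signer certificate, as published on this page.
PINNED_SHA1 = "FE:AE:0B:E8:FB:59:ED:F7:CB:7F:69:DF:19:4F:8B:6D:C7:F6:96:66"
MAX_VALIDITY = timedelta(days=7)  # the page: validUntil is 7 days after signing

def fingerprint_sha1(der: bytes) -> str:
    digest = hashlib.sha1(der).hexdigest().upper()  # colon-separated, as openssl prints it
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_time(value) -> datetime:
    if isinstance(value, datetime):  # accept an aware datetime or a SAML dateTime string
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def check_metadata(xml_text: str, pinned_sha1: str = PINNED_SHA1, now=None):
    """Return (trusted, reason) for the topmost EntitiesDescriptor of a metadata file."""
    now = parse_time(now) if now else datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntitiesDescriptor":
        return False, "root element is not md:EntitiesDescriptor"
    valid_until = root.get("validUntil")
    if not valid_until:
        return False, "topmost EntitiesDescriptor has no validUntil"
    expiry = parse_time(valid_until)
    if expiry <= now:
        return False, f"metadata expired at {valid_until}"
    if expiry - now > MAX_VALIDITY:
        return False, "validUntil exceeds the 7-day window the Federation Operator uses"
    # Only the ds:Signature directly under the root covers the whole document.
    cert_el = root.find(f"{{{DS_NS}}}Signature/{{{DS_NS}}}KeyInfo/"
                        f"{{{DS_NS}}}X509Data/{{{DS_NS}}}X509Certificate")
    if cert_el is None or not (cert_el.text or "").strip():
        return False, "no signer certificate in ds:KeyInfo"
    actual = fingerprint_sha1(base64.b64decode("".join(cert_el.text.split())))
    if actual != pinned_sha1.upper():
        return False, f"signer fingerprint {actual} does not match the pinned one"
    return True, "signer certificate pinned and validUntil within the 7-day window"

def build_sample(valid_until: str, der: bytes) -> str:
    """Constructed minimal metadata document for testing; not real HREF metadata."""
    cert_b64 = base64.b64encode(der).decode()
    return (f'<md:EntitiesDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" validUntil="{valid_until}">'
            f'<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}'
            '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></md:EntitiesDescriptor>')
```

Run check_metadata on the downloaded href.xml only after the SAML stack has accepted the signature; a False result from either check means the file must not be loaded.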

Signing procedure

Information about the entities is retrieved from the Resource Registry using strong server authentication. If the contents of the metadata change, the new version is saved to a version control system and sent to a public mailing list (href-metadata-changes).

The signature is done by a PIN-protected hardware token.

Signing key change or revocation

Changes of the signing key/certificate are always negotiated with the technical contacts of all federation entities.

Authenticating peer entities

It is recommended that all entities use self-signed certificates; however, even if an entity uses a certificate signed by an external CA, it shall not be assumed that peers perform any kind of path validation or revocation checking.

Entity certificate change or revocation

An entity should change its signing certificate by allowing a time frame during which both the old and the new certificate are available in the metadata.

If an entity certificate is compromised, the Federation Operator must be notified immediately. The certificate is removed from the metadata and either replaced by a new one or the entity is removed from the metadata file. On such an incident, all technical contacts are notified to do an immediate metadata refresh to shorten the attack window.

Metadata extensions

Other metadata sets available

Federation Operator services

Metadata distribution

Resource Registry

Discovery Service

Virtual Home Organization