AboutEduID.hu

From: KIFÜ Wiki
You are viewing an earlier revision of this page, as it was after the edit by Bajnokk(AT)niif.hu (talk | contributions) on 30 March 2012 at 13:51. (metadata sign interval correction, otherwise mostly language polishing)

Purpose of this document

This document collects information that is specified in several separate documents written in Hungarian. Since only Hungarian educational and research institutions are expected to be Federation Members (i.e. to operate an Identity Provider), this document focuses on the rules that are relevant to (international) Federation Partners.

About the federation

Hungarian Research and Educational Federation (HREF) is a SAML2-based Identity Federation of Hungarian higher education and research institutions, public collections and other content providers. For the end-users, the federation aims to be transparent, therefore the login procedure is communicated as eduID login.

Contacts

The Federation is operated by NIIF Institute as a Federation Operator. Questions, concerns or any kind of requests about the Federation should be directed to any of the following addresses:

  • aai@niif.hu
  • Kristof Bajnok, NIIF Institute
18-22 Victor H. str
H-1132 Budapest
Hungary

News and information about the federation are published at http://eduid.hu (Hungarian only).

Policy and principles of interoperation

Basic principles

  1. The aim of the Federation is to allow the use of services of its Members and Partners, where authorisation is based on the user information originating from the users' Home Institutions.
  2. Home Institutions must only authenticate users having a known affiliation to them.
  3. IdPs and SPs must not give false or misleading information about themselves.
  4. User information provided by IdPs should be as accurate as possible. SPs must take into account that parts of the received information may be at the discretion of the user.
  5. User credentials (i.e. passwords) stored by IdPs must be protected and verified only through secure procedures.
  6. SPs must request only the user attributes which are absolutely necessary for their operation.
  7. SPs must not ask users for their federation passwords.
  8. SPs must handle personal data according to the local privacy laws.
  9. IdPs and SPs must cooperate in the investigation of possible abuse/fraud.
  10. IT systems running IdPs and SPs must be operated with due diligence.

Data protection

  • Prior to joining the federation, every entity must publish the Data Protection Policy under which it operates. This policy must be kept up to date.
  • Whenever the Data Protection Policy changes, the Federation Operator must be notified.
  • Transfer of personal data is only allowed when either
    • it is authorised by law, or
    • the user has given consent to the data transfer.

Rules of membership

The Federation is operated by the Federation Operator, which also operates the national research network. The other participants are Members and Partners, each of which must have a signed contract with the Operator.

  1. The following institutions may be Members of the federation:
    • Institutions of higher education;
    • Institutions of the Hungarian Research Academy and other research institutions;
    • Institutions of secondary education;
    • Public collections.
  2. Any organisation may join as a Partner.
  3. All Members and Partners of the Federation may provide services.
  4. A Partner may participate in the meetings of the Members' Board as an observer, without the right to vote.
  5. Only Members are entitled to
    • supply user identity information to the federation,
    • send representatives to the Members' Board with the right to vote.

Governance

The governance body of the federation is the Members' Board (MB). Every Federation Member may send one representative person to the Members' Board, who has one vote.

The working language of the MB is Hungarian. The Board publishes its decisions and guidelines at http://eduid.hu/dokumentumok in Hungarian; whenever a topic is of interest to an international Partner, it shall be translated into English and the administrative contacts shall be notified.

The MB is authorised to

  • accept new Federation documents or modify existing ones,
  • accept applications from new Members and Partners.

Partners may also send representatives for MB meetings, without voting rights.

Legal

The Federation itself is not a legal entity, Members and Partners establish a legal connection to the Federation Operator. Any legal claims between Members and/or Partners shall be directed to the organisation operating the Identity Provider or the Service Provider.

Technical information

Operational requirements

Attributes

Attribute Specification is maintained in a separate document.

As a brief summary, the following attributes are mandatory or recommended:

Mandatory attributes:

  • eduPersonPrincipalName
  • eduPersonTargetedID
  • eduPersonScopedAffiliation
  • schacHomeOrganizationType

Recommended attributes:

  • displayName
  • mail
  • eduPersonEntitlement

IdPs may implement other attributes.

Metadata

Information about the entities of the Federation is maintained in a signed XML document, called the federation metadata.

Availability

The metadata file is available both at http://metadata.eduid.hu/current/href.xml and at https://metadata.eduid.hu/current/href.xml. The plain HTTP URL is preferred: trust in the file comes from the Federation Operator's signature on it, not from the transport. The file is stored on a highly available file server.

The information inside the metadata file must not be trusted once the instant given in the validUntil attribute of the topmost EntitiesDescriptor has passed. The expiration time is set to 7 days after the instant of signing.

The metadata file is re-signed every 4 hours or whenever the entity information changes (e.g. entities are added or modified). Entities are expected to refresh the metadata regularly, although the cacheDuration attribute is currently not set (for interoperability reasons).

Trust in metadata

Verification of the metadata file

The contents of the metadata file must be trusted only if the signature of the Federation Operator can be validated.

The Federation Operator uses a self-signed certificate for signing the metadata file, therefore the signing key must be explicitly trusted (pinned) by every consumer. Properties of the signing certificate:

  • DN: C=HU, O=NIIF Institute, OU=eduID Federation Operator, CN=Metadata Signer/emailAddress=aai@niif.hu
  • MD5 fingerprint: 21:8C:BE:B4:D1:D6:12:C4:67:9F:16:FA:93:36:F6:A4
  • SHA1 fingerprint: FE:AE:0B:E8:FB:59:ED:F7:CB:7F:69:DF:19:4F:8B:6D:C7:F6:96:66
  • Validity: from Oct 5 08:18:46 2011 GMT until Sep 30 08:18:46 2031 GMT

When comparing a downloaded certificate against these values, use the SHA1 fingerprint: MD5 is no longer collision resistant.

The certificate used for signing can be downloaded from https://metadata.eduid.hu/href-metadata-signer-2011.crt; this HTTPS link should load without certificate warnings in most browsers. It is recommended to also obtain the signing certificate from the Federation Operator over a second, independently verifiable channel (such as PGP-signed email) and to compare the fingerprints.
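The checks a metadata consumer should make before trusting a fetched href.xml, as described in the two sections above (validUntil on the topmost EntitiesDescriptor, an explicitly pinned signing certificate compared by SHA1 fingerprint, and an enveloped signature that covers the whole document), plus the freshness rule derived from the 7-day validity and 4-hour re-signing interval. This is an added example, not code from this page, from NIIF or from any SAML product; the sample metadata, its placeholder "certificate" bytes, the entityID and the timestamps are constructed. It deliberately does not verify the XML-DSig SignatureValue itself, which requires a canonicalising XML-DSig implementation (the metadata signature filter of your SAML stack does that); the example shows the surrounding checks that such a filter does not make for you.

```python
"""Consumer-side checks before trusting a fetched HREF metadata file.

Added example, not the page's or NIIF's code.  Applies the rules the page
states (validUntil, pinned signer, whole-document signature) and estimates
freshness from validUntil; the XML-DSig SignatureValue is NOT verified here.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"

VALIDITY = timedelta(days=7)         # page: validUntil = signing instant + 7 days
CURRENT_WINDOW = timedelta(hours=8)  # page: "current" = generated within 8 hours


def fingerprint_sha1(der: bytes) -> str:
    """Colon-separated upper-case SHA1 fingerprint, as openssl x509 -fingerprint prints it."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())


def parse_saml_instant(s: str) -> datetime:
    """SAML dateTime attributes are UTC with a trailing 'Z'; return an aware datetime."""
    if s.endswith("Z"):
        s = s[:-1] + "+00:00"
    return datetime.fromisoformat(s)


def check_metadata(xml_bytes: bytes, pinned_sha1: str, now: datetime) -> dict:
    """Return {'ok', 'reasons', 'valid_until', 'signer_sha1'}; 'ok' only if no reason was collected."""
    reasons = []
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS_MD}}}EntitiesDescriptor":
        reasons.append("root element is not md:EntitiesDescriptor")

    valid_until = None
    vu = root.get("validUntil")
    if vu is None:
        reasons.append("topmost EntitiesDescriptor has no validUntil")
    else:
        valid_until = parse_saml_instant(vu)
        if now >= valid_until:
            reasons.append("validUntil has passed")
        elif valid_until - now > VALIDITY:
            reasons.append("validUntil lies further out than the 7-day validity the operator issues")

    # The signature must be a direct child of the root and its Reference must cover the
    # whole document ("" or "#<root ID>"); otherwise unsigned entities could sit beside it.
    signer = None
    sig = root.find(f"{{{NS_DS}}}Signature")
    if sig is None:
        reasons.append("no ds:Signature on the topmost EntitiesDescriptor")
    else:
        ref = sig.find(f"{{{NS_DS}}}SignedInfo/{{{NS_DS}}}Reference")
        uri = None if ref is None else ref.get("URI")
        root_id = root.get("ID")
        if not (uri == "" or (root_id and uri == "#" + root_id)):
            reasons.append("signature Reference does not cover the whole document")
        cert_el = sig.find(f".//{{{NS_DS}}}X509Certificate")
        if cert_el is None or not (cert_el.text or "").strip():
            reasons.append("signature carries no X509Certificate to compare against the pin")
        else:
            der = base64.b64decode("".join(cert_el.text.split()))
            signer = fingerprint_sha1(der)
            if signer != pinned_sha1.upper():
                reasons.append(f"signer fingerprint {signer} does not match the pinned certificate")

    return {"ok": not reasons, "reasons": reasons, "valid_until": valid_until, "signer_sha1": signer}


def is_current(valid_until: datetime, now: datetime) -> bool:
    """Freshness as the page defines it: signing instant (validUntil - 7 days) within the last 8 hours."""
    return now - (valid_until - VALIDITY) <= CURRENT_WINDOW


# Constructed sample: the "certificate" is placeholder bytes, not a real X.509
# certificate, and the SignatureValue is filler; only the structure is exercised.
SAMPLE_CERT_DER = b"abc"
SAMPLE_PIN = fingerprint_sha1(SAMPLE_CERT_DER)
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="{NS_MD}" xmlns:ds="{NS_DS}"
                       ID="_sample" validUntil="2012-04-06T13:51:00Z">
  <ds:Signature>
    <ds:SignedInfo><ds:Reference URI="#_sample"/></ds:SignedInfo>
    <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth"/>
</md:EntitiesDescriptor>
""".encode()

if __name__ == "__main__":
    now = parse_saml_instant("2012-03-30T15:00:00Z")
    result = check_metadata(SAMPLE_METADATA, SAMPLE_PIN, now)
    print("trusted:", result["ok"], result["reasons"])
    print("current:", is_current(result["valid_until"], now))
```

In production, replace SAMPLE_PIN with the Federation Operator's SHA1 fingerprint listed above, pass the downloaded href.xml and the real clock, and let your SAML software's signature filter verify the SignatureValue against the same pinned certificate; a mismatch in any of these checks means the file must be discarded, not used with a warning.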

Signing procedure

Information about the entities is retrieved from the Resource Registry using strong server authentication. If the contents of the metadata change, the new version is committed to a version control system and the diff is sent to a public mailing list (href-metadata-changes).

Signing is performed with a PIN-protected hardware token.

Signing key change or revocation

Changes of the signing key or certificate are always negotiated with the technical contacts of all federation entities.

Authenticating peer entities

It is recommended that all entities use self-signed certificates. Even if an entity uses a certificate issued by an external CA, it must not assume that peers perform any kind of PKI path validation or revocation checking: peers trust the certificate exactly as it is published in the federation metadata, so the metadata, not a CRL or OCSP responder, is where a key is introduced and revoked.

Entity certificate change or revocation

An entity should change its signing certificate by allowing a transition period during which both the old and the new certificate are present in the metadata, so that peers that have not yet refreshed their metadata still accept it.

If an entity certificate is compromised, the Federation Operator must be notified immediately. The certificate is removed from the metadata and either replaced by a new one or the entity is removed from the metadata file altogether. In such an incident, all technical contacts are notified to perform an immediate metadata refresh, to shorten the attack window.

Metadata extensions

Extension elements must either be interpreted according to their specification or ignored entirely (as long as they are valid XML); an unknown extension is never a reason to reject the metadata.

Other available metadata sets

The federation signing engine is able to produce files other than the federation metadata (called metadata sets). These files are available at https://metadata.eduid.hu/current/ and are all signed with the same credentials as the federation metadata, so they can be added as an auxiliary metadata source with the same pinned signing certificate.

  • href-test.xml: staging federation metadata. Any federation member may put entities into this set.
  • href-edugain.xml: entities that are exported to the eduGAIN confederation. This file is consumed by the eduGAIN MDS. As eduGAIN follows an opt-in policy, only those entities are present in this set whose administrators explicitly requested to be published in eduGAIN.
  • edugain.xml: entities that are imported from the eduGAIN confederation (minus the Hungarian entities).
  • <institution>.xml: institution-specific metadata sets, maintained by the administrators of the institution. SPs in such a set have not gone through the federation's acceptance process, so they are assumed to be used only within that institution.

Service levels of Federation Operator Services

Metadata distribution

Metadata is considered available if the federation metadata file can be downloaded and validated with the signing certificate of the Federation Operator. Metadata is considered current when it is available and the file was generated no more than 8 hours earlier.

The Federation Operator provides metadata that is available for 99.9% and current for 99% of the time within any 12-month period.

Resource Registry

The Resource Registry allows administration of the entities of the federation. (Only administrators of Members and the Federation Operator are allowed to use this service.) It is considered available if administrator login is possible (given that the administrator's Identity Provider is working properly).

The Federation Operator provides a Resource Registry that is available for 98% of the time within any 12-month period.

Discovery Service

The Discovery Service is a web form that displays the available Identity Providers of the federation. It uses the SAML2 Discovery Profile. It is considered available if it is possible to select an Identity Provider according to that profile (given that the Service Provider is working properly).

The Federation Operator provides a Discovery Service that is available for 99.9% of the time within any 12-month period.

Virtual Home Organization

The Virtual Home Organization is an Identity Provider for registering individuals who have no Home Organisation. It is considered available if it is able to act as an Identity Provider in terms of the SAML2 SSO Profile.

The Federation Operator provides a Virtual Home Organization that is available for 99% of the time within any 12-month period.