edugain-discuss AT lists.geant.org
Subject: An open discussion list for topics related to the eduGAIN interfederation service.
List archive
- From: "Cheng, Jonathan [ITS]" <jonathan.cheng AT polyu.edu.hk>
- To: "jiny92 AT kisti.re.kr" <jiny92 AT kisti.re.kr>, "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
- Cc: Brook Schofield <Brook.Schofield AT geant.org>
- Subject: RE: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership
- Date: Tue, 3 Oct 2017 08:38:34 +0000
- Accept-language: en-GB, en-US
Hi Jinyong
Thank you very much for your questions and comments.
I am Jonathan Cheng from the Hong Kong Polytechnic University. I am the Team Lead of the HKAF Operator Team, with members from the JUCC office and five JUCC Full Member Institutions.
Our responses to your questions and comments are provided below in bolded green texts in larger font. Please feel free to let us know if you have further questions or comments.
Cheers, Jonathan
From: 振溶 [Jinyong Jo] [mailto:jinyong.jo AT gmail.com]
Hello HKAF,
I think, the overall documents are well organized and the policies are clearly described.
My questions/comments:
1. It seems that SAML WebSSO Technology Profile is not posted on the web site.
The HKAF SAML WebSSO Technology Profile has been uploaded and is now available on the website. (Thank you for reminding us.)
2. Compelling "Federation members MUST collect and generate HKAF Core Attributes [1]" would act as a barrier when eduGAIN-federated IdPs try to access any relying parties held by HKAF's Associate Members. It will be better if HKAF relaxes the compulsory clause to the level of Attribute Bundle in REFEDS R&S Category [2].
The HKAF Federation Policy mandates that Home Organizations collect or generate the 7 Core Attributes for their End Users in their IdPs, in order to make it sufficient for the deployment of the majority of SPs in most of the cases. In fact, the 4 yellow-shaded attributes are addressing the required and optional data elements specified in the REFEDS R&S attribute bundle.
- eduPersonAffiliation
- eduPersonScopedAffiliation
- eduPersonAssurance
- eduPersonPrincipalName
- cn (commonName)
- displayName
Furthermore, the HKAF Data Protection Profile defines the attribute processing principles that the deployment of SPs must follow. The second principle states that: ‘The SP Organization agrees and warrants for all of its SPs to minimize the Attributes requested from a Home Organization to those that are adequate, relevant and not excessive for enabling access to the service and, where a number of Attributes could be used to provide access to the service, use the least intrusive Attributes possible. [Data minimization]’ HKAF encourages members (Associate or Full) to adopt the ‘data minimization’ principle in the deployment of their SPs, from the consideration of data protection as well as making it easier for target IdPs to support. Basically, the SP organizations would not request all available attributes of the End User just because the IdPs will provide them on user consent.
3. Especially for eduPersonAssurance [3], how about letting SPs determine required level of LoA and control access by themselves, instead of enforcing the mandatory use of the attribute?
The HKAF Federation Policy only asks Home Organizations to generate the eduPersonAssurance attribute for their End Users in the IdPs in accordance with the HKAF Identity Assurance Profile. It is totally up to the SPs to determine the required Identity Assurance Level for access authorization.
4. I wonder what the exact meaning of the 'sponsored' in the sentence "The associated membership of an organization must be sponsored by a full member [4]" and how HKAF can verify the eligibility of the sponsored membership. It seems likely that foreign SPs will be federated very limitedly depending on the meaning.
It means that the application for HKAF Associate membership by the organization must be supported by an HKAF Full Member organization, but not in the sense of finance. A typical scenario is that an HKAF Full Member institution sponsors the HKAF Associate membership application of another organization for registering and connecting SPs to HKAF for providing services to support R&E of the institution. However, this does not affect the access to SPs already registered with other federations.
5. I just want to know the target applications/services HKAF pursues. The strict policy and profiles are fully understandable if the federated use of supercomputers or HPC resources is an ultimate goal. However, I would like HKAF to slightly mitigate the compelling stuff to accept a wide variety of SPs.
The primary sector of applications/services which HKAF targets to pursue is Research and Education. The approach we have adopted in formulating our policy framework is to strike a balance between ‘making it very easy for organizations to register IdPs and SPs for connecting to the federation’ and ‘providing confidence and peace of mind to our potential members and our peer international federations on the level of security and data protection practices adopted by HKAF and its members’. We would like End Users affiliated with HKAF members to be regarded by all federations as first-class trustworthy netizens. Furthermore, SPs registered with HKAF can be trusted by Home Organizations all over the world. We will continuously monitor the development of the global federation ecosystem and make necessary adjustments to our policy framework in the future.
[1] Hong Kong Access Federation (HKAF) Federation Policy, p. 15
[3] Hong Kong Access Federation (HKAF) Attribute Profile, p. 6
[4] Hong Kong Access Federation (HKAF) Eligibility Policy, p. 5
Cheers, Jinyong JO, KAFE/KISTI
2017-09-28 23:28 GMT+09:00 Brook Schofield <brook.schofield AT geant.org>:
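An added check, written for this archive page and not part of the thread or of HKAF's own tooling, for the data minimisation principle quoted in the reply to question 2: it parses the RequestedAttribute elements of a constructed SP metadata fragment and reports which requested attributes fall outside the REFEDS R&S bundle, so a federation operator can ask the SP to justify each one against the service's purpose. The bundle membership and the OID-to-name mapping are assumed from the public eduPerson and R&S specifications, not taken from the thread.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Standard eduPerson/LDAP attribute OIDs mapped to friendly names.
OID_NAMES = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.11": "eduPersonAssurance",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:2.5.4.3": "cn",
}

# REFEDS R&S bundle (assumed from the public R&S v1.3 spec, not from the thread):
# one identifier, mail, a name (displayName or givenName+sn), optional ePSA.
RS_BUNDLE = {"eduPersonPrincipalName", "eduPersonTargetedID", "mail",
             "displayName", "givenName", "sn", "eduPersonScopedAffiliation"}

# Constructed SP metadata fragment; entityID and attribute choices are made up.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.3"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def requested_attributes(metadata_xml: str) -> set:
    """Collect the friendly names of every RequestedAttribute in SP metadata."""
    root = ET.fromstring(metadata_xml)
    names = set()
    for ra in root.iter(f"{{{MD_NS}}}RequestedAttribute"):
        name = ra.get("Name")
        names.add(OID_NAMES.get(name, ra.get("FriendlyName") or name))
    return names

def beyond_bundle(requested: set, bundle: set = RS_BUNDLE) -> set:
    """Requested attributes outside the bundle: each needs a purpose-based
    justification under the data minimisation principle."""
    return requested - bundle
```

For the constructed fragment, eduPersonAssurance and cn are reported as outside the bundle; that is a prompt for review, not a verdict, since the reply makes clear an SP may legitimately consume eduPersonAssurance for its own access decisions.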