edugain-discuss AT
Subject: An open discussion list for topics related to the eduGAIN interfederation service.
List archive
- From: Anass Chabli <anass.chabli AT>
- To: "Cheng, Jonathan [ITS]" <jonathan.cheng AT>
- Cc: jiny92 AT, edugain-discuss AT, Brook Schofield <Brook.Schofield AT>
- Subject: Re: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership
- Date: Tue, 10 Oct 2017 10:42:47 +0200 (CEST)
Hi Jonathan,
I found that policies are well detailed and covers the key issues.
Here are some Comments/questions/recommendations:
1- 5.1 Outsourcing the Operation of Identity Provider : The ASSOCIATE membership of an organization MUST be sponsored by a FULL Member.
- If we assume that an associate membership main purpose is to provide federated services, it would make more sens to require at least to be sponsored by more than 1 full Member, to ensure that the service is legitimate to be in the federation.
If it’s intended to be used only by one member they don’t realy need to be in the federation.
2- 5.1 Outsourcing the Operation of Identity Provider : While this outsourcing agreement is in operation, the third-party organization MUST itself qualify as an ASSOCIATE Member of the Federation
- By definition ASSOCIATE Members MAY only deploy Service Providers. Why do you require a contract with an ASSOCIATE Member that operates an IdP ? If we assume that the IdP Operator refers to the legal Home Organization they are already reponsible for the overall processes supporting the IdP.
While Outsourcing an IdP, I don’t think It’s up to the federation to have contact or a contract with the third-party organization that provides services on behalf the Home Organization.
3- 10.7 Data Privacy and Protection of Personal Rights :
- Is there any obligation for IdP/SP operators to publish a privacy and data protection policy (for each service) and make it available for End User ?
4- Regarding the Attribute Profile :
-I think one core attribute (for Hkaf and Interfederation) is missing : the eduPersonTargetedID/persistentID , used to identify each user individually, in eduGAIN for example some services requires this attribute.
-It would be good to distinguish more clearly between attributes for HKAF and Interfederation:
-HKAF Core attributes
-HKAF Other attributes
-Interfederation Core Attributes
-Interfederation Other Attributes
À: jiny92 AT
Cc: edugain-discuss AT, "Brook Schofield" <Brook.Schofield AT>
Envoyé: Mardi 10 Octobre 2017 06:40:36
Objet: RE: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership
Hi Jinyong
Thank you very much for your feedback.
Our responses to your feedback are provided below in bolded purple texts in larger font. Please feel free to let us know if you have further questions or comments.
振溶[Jinyong Jo] [ AT]
Sent: Tuesday, 10 October 2017 11:49 AM
To: Cheng, Jonathan [ITS] <jonathan.cheng AT>
Cc: edugain-discuss AT; Brook Schofield <Brook.Schofield AT>
Subject: Re: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership
Hello Jonathan,
My apologizes for late return. Korea's 10-day holidays just ended yesterday.
1. 7-core attributes
Does a Korea institution (namely, a foreign full member) have to provide at least 7-core attributes if it wants to federate with a HKAF associate member via eduGAIN?
No. The HKAF Federation Policy only mandates the Home Organizations (i.e. the HKAF Full Members) to collect or generate the 7 Core Attributes for their End Users in their IdPs. The policy does not mandate the HKAF Members to release all of the 7 Core Attributes in their IdPs. Furthermore, the 2nd rule in the HKAF Identity Provider Management Standard ( states that: “The Home Organization MAY ONLY release Attributes from its Identity Provider to a Service Provider, or another Identity Provider, with the permission of the End User.”
Furthermore, this policy only applies to the IdPs registered by HKAF Members, but not to the other IdPs connected via eduGAIN.
For the scenario that you mentioned, the Korea institution just has to release (provide) the attributes that the Service Provider of the HKAF Associate Member requests via eduGAIN (of course with User Consent).
2. eduPersonAssurance
Except for an example, it is hard to find any documents describing the format (a URN) of the attribute. Does HKAF use the same URN format as AAF has, and/or allow level 1 only?
We will register the HKAF Level-1 Identity Assurance Profile in the IANA LoA profile shortly in Oct 2017. It will be similar to the SWAMID Level-1 assurance profile.
It seems that HK has very similar data-protection/privacy-policy laws, including code of conducts, with Korea. For us, notifying items and getting user consent are essential before transmitting individual user information to domestic/foreign SPs. We leverage privacy policy statement to notify several items in [4.c.Information duty [1]] to end user. I hope HKAF encourages federation members to use the metadata element <mdui:PrivacyStatementURL>.
[1] HKAF Service Provider Management Standard, p. 5
We will definitely do so.
Jinyong Jo
2017-10-03 17:38 GMT+09:00 Cheng, Jonathan [ITS] <jonathan.cheng AT>:
Hi Jinyong
Thank you very much for your questions and comments.
I am Jonathan Cheng from the Hong Kong Polytechnic University. I am the Team Lead of the HKAF Operator Team, with members from the JUCC office and five JUCC Full Member Institutions.
Our responses to your questions and comments are provided below in bolded green texts in larger font. Please feel free to let us know if you have further questions or comments.
From: 振溶[Jinyong Jo] [ AT]
Sent: Monday, 2 October 2017 10:07 AM
To: edugain-discuss AT
Cc: Brook Schofield <Brook.Schofield AT>
Subject: Re: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership
Hello HKAF,
I think, the overall documents are well organized and the policies are clearly described.
My questions/comments:
1. It seems that SAML WebSSO Technology Profile is not posted on the web site.
The HKAF SAML WebSSO Technology Profile has been uploaded and is now available on the website. (Thank you for reminding us.)
2. Compelling "Federation members MUST collect and generate HKAF Core Attributes [1]" would act as a barrier when eduGAIN-federated IdPs try to access any relying parties held by HKAF's Associate Members. It will be better if HKAF relaxes the compulsory clause to the level of Attribute Bundle in REFEDS R&S Category [2].
The HKAF Federation Policy mandates the Home Organizations to collect or generate the 7 Core Attributes for their End Users in their IdPs, in order to make it sufficient for the deployment of the majority of SPs in most of the cases. In fact, the 4 yellow-shaded attributes are addressing the required and optional data elements specified in the REFEDS R&S attribute bundle.
· eduPersonAffiliation
· eduPersonScopedAffiliation
· eduPersonAssurance
· eduPersonPrincipalName
· cn (commonName)
· displayName
Furthermore, the HKAF Data Protection Profile defines the attribute processing principles that the deployment of SP must follow. The second principle states that:
‘The SP Organization agrees and warrants for all of its SPs to minimize the Attributes requested from a Home Organization to those that are adequate, relevant and not excessive for enabling access to the service and, where a number of Attributes could be used to provide access to the service, use the least intrusive Attributes possible. [Data minimization]’
HKAF encourages members (Associate or Full) to adopt the ‘data minimization’ principle in the deployment of their SPs, from the consideration of data protection as well as making it easier for target IdPs to support. Basically, the SP organizations would not request for all available attributes of the End User just because the IdPs will provide them on user consent.
3. Especially for eduPersonAssurance [3], how about letting SPs determine required level of LoA and control access by themselves, instead of enforcing the mandatory use of the attribute?
The HKAF Federation Policy only asks Home Organizations to generate the eduPersonAssurance attribute for their End Users in the IdPs in accordance with the HKAF Identity Assurance Profile. It is totally up to the SPs to determine the required Identity Assurance Level for access authorization.
4. I wonder what the exact meaning of the 'sponsored' in the sentence "The associated membership of an organization must be sponsored by a full member [4]" and how HKAF can verify the eligibility of the sponsored membership. It seems likely that foreign SPs will be federated very limitedly depending on the meaning.
It means that the application of HKAF Associate membership by the organization must be supported by a HKAF Full Member organization, but not in the sense of finance. A typical scenario is that a HKAF Full Member institution sponsors the HKAF Associate membership application of another organization for registering and connecting SPs to HKAF for providing services to support R&E of the institution. However, this does not affect the access to SPs already registered with other federations.
5. I just want to know target applications/services HKAF pursues. The strict policy and profiles are fully understandable If the federated use of supercomputers or hpc resources is an ultimate goal. However, i would like HKAF to slightly mitigate the compelling stuff to accept wide variety of SPs.
The primary sector of applications /services which HKAF targets to pursue is Research and Education. The approach we have adopted in formulating our policy framework is to strike a balance between ‘making it very easy for organizations to register IdPs and SPs for connecting to the federation’ and ‘providing confidence and peace of mind to our potential members and our peer international federations on the level of security and data protection practices adopted by HKAF and its members’. We would like End Users affiliated with HKAF members to be regarded by all federations as first-class trust-worthy netizens. Furthermore, SPs registered with HKAF can be trusted by Home Organizations all over the world. We will continuously monitor the development of the global federation ecosystem and make necessary adjustment to our policy framework in the future.
[1] Hong Kong Access Federation (HKAF) Federation Policy, p. 15
[3] Hong Kong Access Federation (HKAF) Attribute Profile, p. 6
[4] Hong Kong Access Federation (HKAF) Eligibility Policy, p. 5
Jinyong JO,
2017-09-28 23:28 GMT+09:00 Brook Schofield <brook.schofield AT>:
I present to you the application of:
* Hong Kong/HKAF
who has Signed the eduGAIN Declaration, has a policy based on the federation policy template that covers all the prescribed areas with extensions into useful areas, is self declaring their federation as a production service and is wanting to join the global R&E federated environment. To provide guidance on your assessment I’ve performed a summary (attached) of their policy.
You can find more detailed information about the federation under "eduGAIN Candidates” at
which contains links to their policy and MRPS (which doesn’t follow the MRPS template but does address Home Organisation, IdP and SP registration and production of @scope).
This application is from an organisation that is closely aligned with the GÉANT community via their participation in the APAN and Asi@Connect/TEIN communities. The development of this federation has been supported by the Australian Access Federation (AAF). They are also the eduroam .hk roaming operator.
So I ask the following federations to specifically review the submission by HKAF:* France / FÉR
* Japan/GakuNin
* Korea/KAFE
* Latvia / LAIFE
* Lithuania / LITNET FEDI
All eduGAIN members can (and should) provide feedback on this.
If you have any questions please contact the HKAF team that are subscribed to this mailing list.
This announcement of the assessment of a federation is new to the eduGAIN-Discuss mailing list. It is hoped that this platform will allow the free flow of information between commenters and the HKAF team (which wasn’t possible when this discussion was only on the eduGAIN Steering Group (eSG) mailing list. Formal components of the membership process will continue on the eSG list. Hopefully this will be an improvement to the membership process.
My intention is to call a vote to accept Hong Kong/HKAF as a member after I’ve received confirmation from at least 3 of the specific federations that this policy is inline with their expectations.
Brook Schofield
eduGAIN Steering Group Chair
GÉANTM: +31651553991
Skype: brookschofield
Disclaimer:This message (including any attachments) contains confidential information intended for a specific individual and purpose. If you are not the intended recipient, you should delete this message and notify the sender and The Hong Kong Polytechnic University (the University) immediately. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited and may be unlawful.
The University specifically denies any responsibility for the accuracy or quality of information obtained through University E-mail Facilities. Any views and opinions expressed are only those of the author(s) and do not necessarily represent those of the University and the University accepts no liability whatsoever for any losses or damages incurred or caused to any party as a result of the use of such information.
This message (including any attachments) contains confidential information intended for a specific individual and purpose. If you are not the intended recipient, you should delete this message and notify the sender and The Hong Kong Polytechnic University (the University) immediately. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited and may be unlawful.
The University specifically denies any responsibility for the accuracy or quality of information obtained through University E-mail Facilities. Any views and opinions expressed are only those of the author(s) and do not necessarily represent those of the University and the University accepts no liability whatsoever for any losses or damages incurred or caused to any party as a result of the use of such information.
- Re: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, 振溶 [Jinyong Jo], 02-Oct-2017
- RE: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Cheng, Jonathan [ITS], 03-Oct-2017
- Re: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, 振溶 [Jinyong Jo], 10-Oct-2017
- RE: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Cheng, Jonathan [ITS], 10-Oct-2017
- Re: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Anass Chabli, 10/10/2017
- RE: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Cheng, Jonathan [ITS], 11-Oct-2017
- Re: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Anass Chabli, 11-Oct-2017
- Re: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Nick Roy, 11-Oct-2017
- Re: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Peter Schober, 11-Oct-2017
- RE: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Cheng, Jonathan [ITS], 14-Oct-2017
- Re: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Anass Chabli, 11-Oct-2017
- Re: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Rhys Smith, 13-Oct-2017
- SV: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Pål Axelsson, 13-Oct-2017
- RE: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Cheng, Jonathan [ITS], 11-Oct-2017
- Re: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Anass Chabli, 10/10/2017
- RE: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Cheng, Jonathan [ITS], 10-Oct-2017
- Re: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, 振溶 [Jinyong Jo], 10-Oct-2017
- RE: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Cheng, Jonathan [ITS], 03-Oct-2017
- <Possible follow-up(s)>
- Re: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Eimantas Serpenskas, 10-Oct-2017
- Re: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Brook Schofield, 27-Oct-2017
Archive powered by MHonArc 2.6.19.