edugain-discuss AT lists.geant.org
Subject: An open discussion list for topics related to the eduGAIN interfederation service.
List archive
- From: "Cheng, Jonathan [ITS]" <jonathan.cheng AT polyu.edu.hk>
- To: Anass Chabli <anass.chabli AT renater.fr>, Pål Axelsson <pax AT sunet.se>, Rhys Smith <Rhys.Smith AT jisc.ac.uk>, Nick Roy <nroy AT internet2.edu>
- Cc: jiny92 <jiny92 AT kisti.re.kr>, edugain-discuss <edugain-discuss AT lists.geant.org>, Brook Schofield <Brook.Schofield AT geant.org>
- Subject: RE: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership
- Date: Sat, 14 Oct 2017 08:00:31 +0000
- Accept-language: en-GB, en-US
- Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (1024-bit key) header.d=polyu.edu.hk
- Authentication-results: spf=none (sender IP is ) smtp.mailfrom=jonathan.cheng AT polyu.edu.hk;
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
Dear all
Thank you very much for the last comment from Anass, which is absolutely valid. I would also like to thank Nick, Rhys and Pål for the follow-on comment and feedback. We have spent some time for internal discussion on this at HKAF and this is why we respond a little bit late. I strongly agree with Rhys’ suggestion (shown below) that it is better to over-specify than under-specify the attribute requirements. It is also true that our earlier saying that “Persistent NameID is automatically generated and released real-time by the Shibboleth IdP” is incorrect, which is dependent on the correct configuration.
<Suggestion of Rhys - Start> I would suggest that persistent identifiers and/or eduPersonTargetedID should be called out specifically in any attribute profile for a federation. Just because some instances of software do it “automatically” (though that’s also not quite true), doesn’t mean it shouldn’t be included in the list. If it isn’t included, any entity can not configure it, or unconfigure it, and still be meeting all policy requirements. But their end users will have a hard time interacting with many services.
Better to over-specify than under-specify. <Suggestion of Rhys – End>
We will review and amend our policy framework documents (including the Attribute Profile ) to address the eduPersonTargetedID /Persistent NameID related interoperability issue shortly. We welcome any suggestion on the best way to do this from other federations.
From the discussion on the application of HKAF to join eduGAIN in this mailing list, it seems that attribute interoperability issues need to be addressed both at intra-federation and inter-federation level during policy formulation for new federations. It may also be worthwhile for the eduGAIN community to explore further how this can be handled more effectively.
Regards Jonathan
From: Anass Chabli [mailto:anass.chabli AT renater.fr]
Hi Jonathan,
Thank you for your detailed answers.
I have just a last comment bellow, regarding the last point (Attribute Profile).
Cheers, Anass De:
"Jonathan Cheng, ITS" <jonathan.cheng AT polyu.edu.hk>
Hi Anass
Thank you very much for your comments /questions /recommendations. Our responses are provided below in bolded dark blue text in larger font.
Please feel free to let us know if you have further questions or comments.
Cheers Jonathan
Regarding the French/FÉR/Anass comments: #1 - the barrier is set at 1 member to ensure use of a service - it is hoped that other members will take advantage of this service - but to wait until 2 university (full) members are willing to subscribe or purchase a service might delay the adoption of a federated service - so no change needed.
#2 - This one is interesting:
https://www.hkaf.edu.hk/images/policies/hkaf-eligibility-policy-v1.pdf has a reference in 5.1 and talks about 3.3b above (but there isn’t a 3.3b above- I think you mean 4.3b). Since you state “MUST itself qualify” - so it needs to qualify - and it doesn’t actually HAVE to join as an associate member. I don’t think this is in conflict. The “reputation” statement in 4.3b is something like - if a company that has a data breach is an outsourced provider - you’d want to have confidence in this organisation - even though your direct relationship is with the FULL member. I think it is a reasonable request. You’re not saying you want a relationship with the outsource providers - more that it is a reminder to FULL members that they have to keep their outsource partners in line.
#3 - Answered in your previous email (2nd response to Jinyong) - so it can be regarded as dealt with.
#4 - eduPersonTargetedID is realtime generated and doesn’t need to be specified (unless you think you should add it to section 5.4.2 of your Attribute Profile https://www.hkaf.edu.hk/images/policies/hkaf-attribute-profile-v1.pdf you’ve answered to the fact that you only have CORE and RECOMMENDED attributes - and there is no difference between HKAF and interfederation requirements. It is clear that attribute interoperability and release is a future area of collaboration.
I think that you only need to correct the 3.3b —> 4.3b typo and nothing else - everything can be explained with words.
From: Anass Chabli [mailto:anass.chabli AT renater.fr]
Hi Jonathan,
I found that policies are well detailed and covers the key issues.
Here are some Comments/questions/recommendations:
1- 5.1 Outsourcing the Operation of Identity Provider : The ASSOCIATE membership of an organization MUST be sponsored by a FULL Member. - If we assume that an associate membership main purpose is to provide federated services, it would make more sens to require at least to be sponsored by more than 1 full Member, to ensure that the service is legitimate to be in the federation. If it’s intended to be used only by one member they don’t realy need to be in the federation.
This is for the scenario in which the service provider organization provides the service to a Federation Member in the form of federated service via HKAF, which is also open for adoption by other Members later. The membership sponsorship quorum is set to 1 for the following reasons: · To ensure the Federation Member can adopt the service without the delay caused by having to wait for the sponsorship of additional Members, otherwise. · To open the opportunity for other Federation Members to take advantage of the service at a later stage easily.
2- 5.1 Outsourcing the Operation of Identity Provider : While this outsourcing agreement is in operation, the third-party organization MUST itself qualify as an ASSOCIATE Member of the Federation - By definition ASSOCIATE Members MAY only deploy Service Providers. Why do you require a contract with an ASSOCIATE Member that operates an IdP ? If we assume that the IdP Operator refers to the legal Home Organization they are already reponsible for the overall processes supporting the IdP. While Outsourcing an IdP, I don’t think It’s up to the federation to have contact or a contract with the third-party organization that provides services on behalf the Home Organization.
I would like to apologize that there is a typo error in section 5.1a of the HKAF Eligibility Policy (https://www.hkaf.edu.hk/eligibility-policy) as shown below: 5.1a A FULL Member is permitted to outsource to a third-party organization the operation of its Identity Provider. While this outsourcing agreement is in operation, the third-party organization MUST itself qualify as an ASSOCIATE Member of the Federation, specifically by meeting the criteria set out in 3.3b above.
· ‘3.3b’ should be ‘4.3b’ instead. Section 4.3b states the following: 4.3b The admission of an organization as an ASSOCIATE Member MUST not present any substantive risk to the Federation’s reputation (an example of a substantive risk to the Federation would be one organization’s membership causing another member organization to review its membership because of potential damage to its reputation).
· Section 5.1a only states that the third-party organization MUST QUALIFY as an ASSOCIATE Member. It DOES NOT MANDATE the REGISTRATION of the third-party organization as ASSOCIATE Member. o The objective is to provide HKAF the confidence in the third-party organization even though the direct relationship is with the FULL Member who owns the IDP. (It may be possible that the third-party organization had a data breach before.) o In effect, it serves as a reminder to FULL Members that they have to keep their outsource partners in line.
3- 10.7 Data Privacy and Protection of Personal Rights : - Is there any obligation for IdP/SP operators to publish a privacy and data protection policy (for each service) and make it available for End User ?
The second and third rules in the HKAF Service Provider Management Standard at https://www.hkaf.edu.hk/sp-management-standard address the ‘Data Protection obligation’ (referencing the HKAF Data Protection Profile at https://www.hkaf.edu.hk/data-protection-profile) and ‘Information duty towards End User’ (covering a Privacy Policy) obligation for each Service Provider registered in HKAF.
4- Regarding the Attribute Profile : -I think one core attribute (for Hkaf and Interfederation) is missing : the eduPersonTargetedID/persistentID , used to identify each user individually, in eduGAIN for example some services requires this attribute. -It would be good to distinguish more clearly between attributes for HKAF and Interfederation: -HKAF Core attributes -HKAF Other attributes -Interfederation Core Attributes -Interfederation Other Attributes
· persistentID is automatically generated and released real-time by the Shibboleth IdP and is therefore not specified as a HKAF Core Attribute. Yes, if we assume that all IdPs registered are Shibboleth IdPs, and are configured to store/release the persistentID properly. Otherwise if the Home Organization is using an other Identity Provider solution, they may need to deal with this attribute too.
· We only have CORE and RECOMMENDED attributes, and there is no difference in attribute requirements between HKAF and Interfederation.
Cheers, Anass
De:
"Cheng, Jonathan [ITS]" <jonathan.cheng AT polyu.edu.hk>
Hi Jinyong Thank you very much for your feedback. Our responses to your feedback are provided below in bolded purple texts in larger font. Please feel free to let us know if you have further questions or comments. Cheers Jonathan
From:
振溶[Jinyong Jo] [mailto:jinyong.jo AT gmail.com]
Hello Jonathan,
My apologizes for late return. Korea's 10-day holidays just ended yesterday.
Comments/questions/recommendations:
1. 7-core attributes Does a Korea institution (namely, a foreign full member) have to provide at least 7-core attributes if it wants to federate with a HKAF associate member via eduGAIN?
No. The HKAF Federation Policy only mandates the Home Organizations (i.e. the HKAF Full Members) to collect or generate the 7 Core Attributes for their End Users in their IdPs. The policy does not mandate the HKAF Members to release all of the 7 Core Attributes in their IdPs. Furthermore, the 2nd rule in the HKAF Identity Provider Management Standard (https://www.hkaf.edu.hk/idp-management-standard) states that: “The Home Organization MAY ONLY release Attributes from its Identity Provider to a Service Provider, or another Identity Provider, with the permission of the End User.”
Furthermore, this policy only applies to the IdPs registered by HKAF Members, but not to the other IdPs connected via eduGAIN. For the scenario that you mentioned, the Korea institution just has to release (provide) the attributes that the Service Provider of the HKAF Associate Member requests via eduGAIN (of course with User Consent).
2. eduPersonAssurance Except for an example, it is hard to find any documents describing the format (a URN) of the attribute. Does HKAF use the same URN format as AAF has, and/or allow level 1 only?
We will register the HKAF Level-1 Identity Assurance Profile in the IANA LoA profile shortly in Oct 2017. It will be similar to the SWAMID Level-1 assurance profile.
It seems that HK has very similar data-protection/privacy-policy laws, including code of conducts, with Korea. For us, notifying items and getting user consent are essential before transmitting individual user information to domestic/foreign SPs. We leverage privacy policy statement to notify several items in [4.c.Information duty [1]] to end user. I hope HKAF encourages federation members to use the metadata element <mdui:PrivacyStatementURL>.
[1] HKAF Service Provider Management Standard, p. 5
We will definitely do so.
Cheers, Jinyong Jo KAFE/KISTI
2017-10-03 17:38 GMT+09:00 Cheng, Jonathan [ITS] <jonathan.cheng AT polyu.edu.hk>:
www.polyu.edu.hk/80anniversary This message (including any attachments) contains confidential information intended for a specific individual and purpose. If you are not the intended recipient, you should delete this message and notify the sender and The Hong Kong Polytechnic University (the University) immediately. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited and may be unlawful. The University specifically denies any responsibility for the accuracy or quality of information obtained through University E-mail Facilities. Any views and opinions expressed are only those of the author(s) and do not necessarily represent those of the University and the University accepts no liability whatsoever for any losses or damages incurred or caused to any party as a result of the use of such information.
www.polyu.edu.hk/80anniversary This message (including any attachments) contains confidential information intended for a specific individual and purpose. If you are not the intended recipient, you should delete this message and notify the sender and The Hong Kong Polytechnic University (the University) immediately. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited and may be unlawful. The University specifically denies any responsibility for the accuracy or quality of information obtained through University E-mail Facilities. Any views and opinions expressed are only those of the author(s) and do not necessarily represent those of the University and the University accepts no liability whatsoever for any losses or damages incurred or caused to any party as a result of the use of such information.
www.polyu.edu.hk/80anniversary This message (including any attachments) contains confidential information intended for a specific individual and purpose. If you are not the intended recipient, you should delete this message and notify the sender and The Hong Kong Polytechnic University (the University) immediately. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited and may be unlawful. The University specifically denies any responsibility for the accuracy or quality of information obtained through University E-mail Facilities. Any views and opinions expressed are only those of the author(s) and do not necessarily represent those of the University and the University accepts no liability whatsoever for any losses or damages incurred or caused to any party as a result of the use of such information. |
- Re: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, 振溶 [Jinyong Jo], 02-Oct-2017
- RE: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Cheng, Jonathan [ITS], 03-Oct-2017
- Re: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, 振溶 [Jinyong Jo], 10-Oct-2017
- RE: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Cheng, Jonathan [ITS], 10-Oct-2017
- Re: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Anass Chabli, 10-Oct-2017
- RE: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Cheng, Jonathan [ITS], 11-Oct-2017
- Re: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Anass Chabli, 11-Oct-2017
- Re: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Nick Roy, 11-Oct-2017
- Re: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Peter Schober, 11-Oct-2017
- RE: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Cheng, Jonathan [ITS], 10/14/2017
- Re: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Anass Chabli, 11-Oct-2017
- Re: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Rhys Smith, 13-Oct-2017
- SV: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Pål Axelsson, 13-Oct-2017
- RE: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Cheng, Jonathan [ITS], 11-Oct-2017
- Re: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Anass Chabli, 10-Oct-2017
- RE: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Cheng, Jonathan [ITS], 10-Oct-2017
- Re: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, 振溶 [Jinyong Jo], 10-Oct-2017
- RE: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Cheng, Jonathan [ITS], 03-Oct-2017
- <Possible follow-up(s)>
- Re: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Eimantas Serpenskas, 10-Oct-2017
- Re: [eduGAIN-discuss] Assessment of Hong Kong/HKAF for eduGAIN membership, Brook Schofield, 27-Oct-2017
Archive powered by MHonArc 2.6.19.