AboutEduID.hu
Purpose of this document
This document collects information specified in several separate documents written in Hungarian. Since only Hungarian educational and research institutions are expected to be Federation Members (i.e. operate an Identity Provider), this document focuses on the rules that are relevant to (international) Federation Partners.
About the federation
Hungarian Research and Educational Federation (HREF) is a SAML2-based Identity Federation of Hungarian higher education and research institutions, public collections and other content providers. For the end-users, the federation aims to be transparent, therefore the login procedure is communicated as eduID login.
Contacts
The Federation is operated by NIIF Institute as Federation Operator. Questions, concerns or any kind of request about the Federation should be directed to any of the following addresses:
- aai@niif.hu
- Kristof Bajnok, NIIF Institute
- 18-22 Victor H. str
- H-1132 Budapest
- Hungary
News and information about the federation is published at http://eduid.hu (Hungarian only)
Policy and principles of interoperation
Basic principles
- The aim of the Federation is to allow the use of services of its Members and Partners, where authorisation is based on the user information originating from the users' Home Institutions.
- Home Institutions must only authenticate users having a known affiliation to them.
- IdPs and SPs must not give false or misleading information about themselves.
- User information provided by IdPs should be as accurate as possible. SPs must take into account that parts of the received information may be at the discretion of the user.
- User credentials (i.e. passwords) stored by IdPs must be protected and verified only through secure procedures.
- SPs must request only the user attributes which are absolutely necessary for their operation.
- SPs must not ask users for their federation passwords.
- SPs must handle personal data according to the local privacy laws.
- IdPs and SPs must cooperate in the investigation of possible abuse/fraud.
- IT systems running IdPs and SPs must be operated with due diligence.
Data protection
- Prior to joining the federation, every entity needs to publish the Data Protection Policy under which it operates. This policy must be kept up-to-date.
- Whenever the Data Protection Policy changes, the Federation Operator must be notified.
- Transfer of personal data is only allowed when either
- authorised by law, or
- the user expressed his or her consent on the data transfer.
Rules of membership
The Federation is operated by the Federation Operator, which also operates the national research network. Further participants are Members and Partners, which must have a signed contract with the Operator.
- The following institutions may be Members of the federation:
- Institutions of higher education;
- Institutions of the Hungarian Research Academy and other research institutions;
- Institutions of secondary education;
- Public collections.
- Any organisation might join as a Partner.
- All Members and Partners of the Federation might provide services.
- A Partner might participate in the meeting of the Members' Board as an observer, without having rights to vote.
- Only Members are entitled to
- supply user identity information to the federation
- send representatives into the Members' Board with a right to vote.
Governance
The governance body of the federation is the Members' Board (MB). Every Federation Member may send one representative person to the Members' Board, who has one vote.
The working language of the MB is Hungarian. The Board publishes its decisions and guidelines at http://eduid.hu/dokumentumok in Hungarian, although whenever a topic is of interest to any international Partner, it shall be translated to English and the administrative contacts shall be notified.
MB is authorised to
- accept new Federation documents or modify existing ones,
- accept application of new Members and Partners
Partners may also send representatives for MB meetings, without voting rights.
Legal
The Federation itself is not a legal entity, Members and Partners establish a legal connection to the Federation Operator. Any legal claims between Members and/or Partners shall be directed to the organisation operating the Identity Provider or the Service Provider.
The Service Agreement between the Federation Operator and Partner is available here.
Technical information
Operational requirements
Attributes
Attribute Specification is maintained in a separate document.
As a brief summary, the following attributes are mandatory or recommended:
Mandatory attributes | Recommended attributes
---|---
eduPersonPrincipalName | displayName
eduPersonTargetedID |
eduPersonScopedAffiliation | eduPersonEntitlement
schacHomeOrganizationType |
IdPs may implement other attributes.
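As an added example (not code from the federation or from this document), the following Python shows how a Service Provider could check a received SAML attribute statement against the mandatory and recommended lists above. The OIDs are the standard eduPerson, SCHAC and LDAP registrations of these attribute names, the sample statement is constructed, and the scope check assumes the SP knows the asserting IdP's registered scope from federation metadata (an assumption made here, not a rule stated by this document).

```python
# Added example (not federation code): check a received SAML AttributeStatement against the HREF attribute lists.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# eduPerson / SCHAC / LDAP OIDs under which these attributes are carried in SAML
OID_TO_NAME = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
    "urn:oid:1.3.6.1.4.1.25178.1.2.10": "schacHomeOrganizationType",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "eduPersonEntitlement",
}
MANDATORY = {"eduPersonPrincipalName", "eduPersonTargetedID",
             "eduPersonScopedAffiliation", "schacHomeOrganizationType"}
RECOMMENDED = {"displayName", "eduPersonEntitlement"}

def parse_attributes(xml_text):
    """Name -> list of values; eduPersonTargetedID counts only when sent as a persistent NameID."""
    found = {}
    for attr in ET.fromstring(xml_text).iterfind(".//saml:Attribute", NS):
        name = OID_TO_NAME.get(attr.get("Name"), attr.get("Name"))
        values = found.setdefault(name, [])
        for av in attr.iterfind("saml:AttributeValue", NS):
            nameid = av.find("saml:NameID", NS)
            if name == "eduPersonTargetedID":
                if nameid is not None and nameid.get("Format") == PERSISTENT:
                    values.append(nameid.text.strip())
            elif (av.text or "").strip():
                values.append(av.text.strip())
    return found

def check_attributes(found, idp_scope):
    """Missing mandatory, unreleased recommended and out-of-scope values; idp_scope is assumed to come from IdP metadata."""
    problems = [f"missing mandatory {n}" for n in sorted(MANDATORY) if not found.get(n)]
    problems += [f"recommended {n} not released" for n in sorted(RECOMMENDED) if n not in found]
    for name in ("eduPersonPrincipalName", "eduPersonScopedAffiliation"):
        for v in found.get(name, []):
            if v.rpartition("@")[2].lower() != idp_scope.lower():
                problems.append(f"{name} {v!r} outside scope {idp_scope}")
    return problems

# Constructed sample: schacHomeOrganizationType, displayName and eduPersonEntitlement are absent, and the affiliation scope is foreign.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><saml:AttributeValue>jdoe@example.hu</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"><saml:AttributeValue>staff@other.hu</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"><saml:AttributeValue><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">opaque-id-1</saml:NameID></saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""
```

Running `check_attributes(parse_attributes(SAMPLE), "example.hu")` reports the missing mandatory attribute, the two unreleased recommended ones and the out-of-scope affiliation value.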
Metadata
Metadata Specification is maintained in a separate document.
How to join
Production federation
In order to join the production federation as a Partner, you need to send the following information:
- SP metadata URL (HTTPS preferred)
- Name of the SP
- Brief description of the service
- Service URL
- Privacy policy URL
- Administrative and technical contact names and mail addresses (non-personal preferred)
- Required and optional attributes
- Logo URL (optional)
- Helpdesk URL (optional)
This information should be sent to the Federation Operator (see above) in email. Two copies of the signed Service Agreement (available at http://eduid.hu/documents) should be sent by traditional post, one copy will be returned after counter-signing.
After the application has been reviewed by the Federation Operator, it is forwarded to the Members' Board. It usually takes 3-5 working days for the Board to accept the application, after which the entity metadata is added to the production federation metadata.
Testing metadata
It is recommended that a new SP is registered to the testing federation first, which is much easier and a fully online process.
The following information is necessary to enter into the testing metadata:
- SP metadata URL (HTTPS preferred)
- Name of the SP
- Administrative and technical contact names and mail addresses (non-personal preferred)
- Required and optional attributes
You can ask for test accounts in our Virtual Home Organization. During testing, you might want to use the production federation metadata, because the VHO is present in both metadata files.
You do not need to re-register your entity to proceed to the production federation. If we have all the necessary information, starting the joining process is at your discretion.