Changes

AboutEduID.hu

414 bytes removed, 2 May 2013, 11:11
no edit summary
== Purpose of this document ==
This document is a collection of the information specified in several specific documents written in Hungarian. Since only Hungarian educational and research institutions are expected to be Federation Members (ie. operate an Identity Provider), this document focuses on rules what are relevant to (international) Federation Partners.
== About the federation ==
Hungarian Research and Educational Federation ('''HREF''') is an identity federation a SAML2-based Identity Federation of Hungarian higher education and research institutions, and for public collections and other content providers. For the end-users, the federation aims to be transparent, therefore the login procedure is communicated as '''''eduID login'''''.
=== Contacts ===
The Federation is operated by [http://www.niif.hu NIIF Institute] as a Federation Operator. Questions, concerns or any kind of requests about the Federation should be directed to any of the following addresses:
:Hungary
News and information about the federation is located published at http://eduid.hu (Hungarian only)
=== Policy and principles of interoperation ===
==== Basic principles ====
* Prior joining the federation, every entity needs to publish the Data Protection Policy under which it operates. This policy must be kept up-to-date.
* Whenever the Data Protection Policy changes, the Federation Operator must be notified.
* Transfer of personal data is only allowed wheneither** authorised by law,or
** the user expressed his or her consent on the data transfer.
#* Institutions of secondary education;
#* Public collections.
# Any organisation might join as a '''PartnersPartner'''.
# All Members and Partners of the Federation might provide services.
# A Partner might participate in the meeting of the Members' Board as an observer, without having rights to vote.
# Only Members are entitled to
#* supply user identity information to the federation
#* send representatives into the Members' Board with a right to vote.
* accept application of new Members and Partners
Partners are may also may send representatives for MB meetings, without voting rights.
=== Legal ===
The Federation itself is not a legal entity, Members and Partners establish a legal connection to the Federation Operator. Any legal claims between Members and/or Partners shall be directed to the organisation operating the Identity Provider or the Service Provider. The Service Agreement between the Federation Operator and Partner is available '''[http://www.eduid.hu/wp-content/uploads/2012/08/href-contract-partner.doc here]'''.
== Technical information ==
=== Metadata ===
Information about the entities of the Federation [[HREFMetadataSpecEN | Metadata Specification]] is maintained in a signed XML separate document, called the federation metadata. ==How to join == Availability ===Production federation ===In order to join the production federation as a Partner, you need to send the following information:The * SP metadata file is URL (HTTPS preferred)* Name of the SP* Brief description of the service* Service URL* Privacy policy URL* Administrative and technical contact names and mail addresses (non-personal preferred)* Required and optional attributes* Logo URL (optional)* Helpdesk URL (optional) This information should be sent to the Federation Operator (see [[#Contacts|above]]) in email. Two copies of the signed Service Agreement (available both at http://metadata.eduid.hu/current/href.xml and https://metadata.eduid.hu/current/href.xmldocuments) should be sent by traditional post, however the unencrypted method is preferred. The file is stored on a highly available file serverone copy will be returned after counter-signing.
The information inside After the metadata file must not be trusted after application has been reviewed by the date specified in Federation Operator, it is forwarded to the <code>validUntil</code> field of the topmost <code>EntitiesDescriptor</code>Members' Board. The expiration date of a metadata file is '''7 It usually takes 3-5 working days''' for the Board to accept the application, after which the date of entity metadata is be added to the signatureproduction federation metadata.
The metadata file is re-signed daily or whenever the entity information changes (eg. entities are added or modified). Entities are expected to refresh metadata information regularly.==== Trust in Testing metadata ========= Verification procedure =====The contents of the metadata file must It is recommended that a new SP should be trusted only if registered to the signature of the Federation Operator can be validatedtesting federation at first, which is much easier and a fully online process.
The Federation Operator uses a self-signed certificate for signing following information is necessary to enter into the testing metadata file, therefore the signing key must be explicitly trusted. Properties of the signing certificate:* DN: <code>C=HU, O=NIIF Institute, OU=eduID Federation Operator, CN=Metadata Signer/emailAddress=aai@niif.hu</code>SP metadata URL (HTTPS preferred)* MD5 fingerprint: <code>21:8C:BE:B4:D1:D6:12:C4:67:9F:16:FA:93:36:F6:A4</code>Name of the SP* SHA1 fingerprint: <code>FE:AE:0B:E8:FB:59:ED:F7:CB:7F:69:DF:19:4F:8B:6D:C7:F6:96:66</code>Administrative and technical contact names and mail addresses (non-personal preferred)* Availability: from <code>Oct 5 08:18:46 2011 GMT</code> until <code>Sep 30 08:18:46 2031 GMT</code>Required and optional attributes
The certificate used You can ask for signing can be downloaded from https://metadatatest accounts in our Virtual Home Organization.eduid.hu/href-metadata-signer-2011.crt During testing, which link should lead you might want to a page without certificate warnings with most browsers. It is recommended to request use the signing certificate from production federation metadata, because the Federation Operator by using other verifiable transport as well (such as PGP-signed email).===== Signing procedure =====Information about the entities VHO is retrieved from the Resource Registry by using strong server authentication. If the contents of the present in both metadata changes, it is saved to a version control system and sent to a public mailing list ([https://listserv.niiffiles.hu/mailman/listinfo/href-metadata-changes href-metadata-changes])===== Signing key rollover or revocation ========== Registration procedure ========= Metadata extensions ======== Other metadata sets available ====
== Federation Operator services ==You do not need to re-register your entity to proceed to the production federation. If we have all the necessary information, the starting of the joining process is at your discretion.=== Metadata distribution ====== Resource Registry ====== Discovery Service ====== Virtual Home Organization ===[[Kategória: AAI]][[Kategória: eduid]][[Kategória: english]]
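Review bot: in the run from "Information about the entities of the Federation" down to the category links, the metadata trust details (the <code>validUntil</code> rule, the 7-day expiry, the signing certificate's DN, fingerprints and validity dates, and the certificate download URL) are interleaved with the new "How to join" text, next to a pointer to [[HREFMetadataSpecEN | Metadata Specification]] as a separate document. If these details are moving out of this page, confirm that the linked specification carries every one of them before they go, since a Partner needs the explicitly trusted signing certificate and the expiry rule to validate the federation metadata. Also in that run, "is be added to the" reads as a leftover and should become "is added to the".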
