Changes

AboutEduID.hu

2,615 bytes removed, 2 May 2013, 11:11
No edit summary
== Purpose of this document ==
This document collects the information specified in several documents written in Hungarian. Since only Hungarian educational and research institutions are expected to be Federation Members (i.e. to operate an Identity Provider), this document focuses on the rules that are relevant to (international) Federation Partners.
== About the federation ==
The Hungarian Research and Educational Federation ('''HREF''') is a SAML2-based identity federation of Hungarian higher education and research institutions, public collections and other content providers. For end users the federation aims to be transparent, therefore the login procedure is communicated as '''''eduID login'''''.
=== Contacts ===
The Federation is operated by [http://www.niif.hu NIIF Institute] as a Federation Operator. Questions, concerns or any kind of requests about the Federation should be directed to any of the following addresses:
:Hungary
News and information about the federation is published at http://eduid.hu (Hungarian only).
=== Policy and principles of interoperation ===
==== Basic principles ====
* Prior to joining the federation, every entity needs to publish the Data Protection Policy under which it operates. This policy must be kept up to date.
* Whenever the Data Protection Policy changes, the Federation Operator must be notified.
* Transfer of personal data is only allowed when either
** authorised by law, or
** the user has expressed his or her consent to the data transfer.
#* Institutions of secondary education;
#* Public collections.
# Any organisation might join as a '''Partner'''.
# All Members and Partners of the Federation might provide services.
# A Partner might participate in the meeting of the Members' Board as an observer, without having rights to vote.
# Only Members are entitled to
#* supply user identity information to the federation
#* send representatives into the Members' Board with a right to vote.
* accept application of new Members and Partners
Partners may also send representatives to MB meetings, without voting rights.
=== Legal ===
The Federation itself is not a legal entity; Members and Partners establish a legal relationship with the Federation Operator. Any legal claims between Members and/or Partners shall be directed to the organisation operating the Identity Provider or the Service Provider. The Service Agreement between the Federation Operator and a Partner is available '''[http://www.eduid.hu/wp-content/uploads/2012/08/href-contract-partner.doc here]'''.
== Technical information ==
=== Metadata ===
Information about the entities of the Federation is maintained in a signed XML document, called the federation metadata (a separate document, the [[HREFMetadataSpecEN | Metadata Specification]], describes it in detail).
==== Availability ====
The metadata file is available both at http://metadata.eduid.hu/current/href.xml and https://metadata.eduid.hu/current/href.xml; the unencrypted method is preferred, since trust in the file rests on its signature (see below). The file is stored on a highly available file server. The information inside the metadata file must not be trusted after the date specified in the <code>validUntil</code> field of the topmost <code>EntitiesDescriptor</code>. The expiration date of a metadata file is '''7 days''' after the date of the signature. The metadata file is re-signed daily or whenever the entity information changes (e.g. entities are added or modified). Entities are expected to refresh metadata information regularly.
==== Trust in metadata ====
===== Verification of the metadata file =====
The contents of the metadata file must be trusted only if the signature of the Federation Operator can be validated.
The Federation Operator uses a self-signed certificate for signing the metadata file, therefore the signing key must be explicitly trusted. Properties of the signing certificate:
* DN: <code>C=HU, O=NIIF Institute, OU=eduID Federation Operator, CN=Metadata Signer/emailAddress=aai@niif.hu</code>
* MD5 fingerprint: <code>21:8C:BE:B4:D1:D6:12:C4:67:9F:16:FA:93:36:F6:A4</code>
* SHA1 fingerprint: <code>FE:AE:0B:E8:FB:59:ED:F7:CB:7F:69:DF:19:4F:8B:6D:C7:F6:96:66</code>
* Availability: from <code>Oct 5 08:18:46 2011 GMT</code> until <code>Sep 30 08:18:46 2031 GMT</code>
The certificate used for signing can be downloaded from https://metadata.eduid.hu/href-metadata-signer-2011.crt, a link that should lead to a page without certificate warnings in most browsers. It is recommended to request the signing certificate from the Federation Operator by another verifiable transport as well (such as PGP-signed email).
===== Signing procedure =====
Information about the entities is retrieved from the Resource Registry using strong server authentication. If the contents of the metadata change, the new version is saved to a version control system and sent to a public mailing list ([https://listserv.niif.hu/mailman/listinfo/href-metadata-changes href-metadata-changes]).
The signature is made with a PIN-protected hardware token.
===== Signing key change or revocation =====
Changes of the signing key/certificate are always negotiated with the technical contacts of all federation entities.
==== Authenticating peer entities ====
It is recommended for all entities to use self-signed certificates; even if an entity uses a certificate signed by an external CA, it shall not be assumed that peers perform any kind of path validation or revocation checking.
===== Entity certificate change or revocation =====
An entity should change its signing certificate by allowing a time frame during which both the old and the new certificate are available in the federation metadata.
If an entity certificate is compromised, the Federation Operator must be notified immediately. The certificate is removed from the metadata and either replaced by a new one or the entity is removed from the metadata file. On such an incident, all technical contacts are notified to do an immediate metadata refresh to shorten the attack window.
==== Metadata extensions ====
Extension elements should be either interpreted according to their specification or ignored completely (as long as they are valid XML).
==== Other metadata sets available ====
The federation signing engine is able to produce files other than the federation metadata (called metadata sets). These files are available at https://metadata.eduid.hu/current/, all signed by the same credentials as the federation metadata, therefore it is easy to add them as an auxiliary metadata source.
* <code>href-test.xml</code>: staging federation metadata. Any federation member may put entities into this set.
* <code>href-edugain.xml</code>: entities that are '''exported''' to the [http://edugain.org eduGAIN] confederation. This file is consumed by the eduGAIN MDS. As eduGAIN follows an opt-in policy, only those entities are present in this set whose administrators explicitly requested to be published in eduGAIN.
* <code>edugain.xml</code>: entities that are '''imported''' from the [http://edugain.org eduGAIN] confederation (minus Hungarian entities).
* <code><institution>.xml</code>: institution-specific metadata sets, which are maintained by institutional administrators. SPs inside this set are not required to be accepted by the federation, thus they can only be used within the institution.
== How to join ==
=== Production federation ===
In order to join the production federation as a Partner, you need to send the following information:
* SP metadata URL (HTTPS preferred)
* Name of the SP
* Brief description of the service
* Service URL
* Privacy policy URL
* Administrative and technical contact names and mail addresses (non-personal preferred)
* Required and optional attributes
* Logo URL (optional)
* Helpdesk URL (optional)
This information should be sent to the Federation Operator (see [[#Contacts|above]]) by email. Two copies of the signed Service Agreement (available at http://eduid.hu/documents) should be sent by traditional post; one copy will be returned after counter-signing.
After the application has been reviewed by the Federation Operator, it is forwarded to the Members' Board. It usually takes 3-5 working days for the Board to accept the application, after which the entity metadata is added to the production metadata.
=== Testing metadata ===
It is recommended that a new SP be registered to the testing federation first, which is a much easier and fully online process. The following information is necessary to enter into the testing metadata:
* SP metadata URL (HTTPS preferred)
* Name of the SP
* Administrative and technical contact names and mail addresses (non-personal preferred)
* Required and optional attributes
You can ask for test accounts in our Virtual Home Organization. During testing, you might want to use the production metadata, because the VHO is present in both metadata files.
You do not need to re-register your entity to proceed to the production federation. If we have all the necessary information, the start of the joining process is at your discretion.
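As an added example (not part of the original page), the pre-checks a relying party can run on the downloaded federation metadata following the rules of the Metadata section above: the topmost <code>EntitiesDescriptor</code> must not be expired, its <code>validUntil</code> should not lie beyond the 7-day window, and the certificate carried in the signature is compared with the published SHA1 fingerprint instead of being chained to a CA. The sample metadata and certificate bytes are constructed; the XML signature itself must still be verified by the SAML stack that consumes the file.

```python
"""Pre-checks on HREF federation metadata before a SAML stack consumes it:
freshness of the topmost EntitiesDescriptor and pinning of the signer."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# SHA1 fingerprint of the 2011 metadata signer, as published on this page.
HREF_SIGNER_SHA1 = "FE:AE:0B:E8:FB:59:ED:F7:CB:7F:69:DF:19:4F:8B:6D:C7:F6:96:66"
MAX_VALIDITY = timedelta(days=7)  # metadata expires 7 days after signing

# Constructed sample: not a real certificate, not real federation metadata.
SAMPLE_CERT_DER = b"constructed DER bytes standing in for a certificate"
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" validUntil="2013-05-09T11:11:00Z">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth"/>
</md:EntitiesDescriptor>"""

def fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA1 fingerprint of DER certificate bytes."""
    hexd = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))

def check_metadata(xml_text: str, pinned_sha1: str, now_iso: str) -> dict:
    """Freshness and signer-pinning checks; validUntil is only honoured on
    the topmost md:EntitiesDescriptor, so anything else is rejected."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntitiesDescriptor":
        raise ValueError("topmost element is not md:EntitiesDescriptor")
    to_dt = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    valid_until, now = to_dt(root.attrib["validUntil"]), to_dt(now_iso)
    # Only the certificate carried in the signature is inspected; the
    # signer is self-signed, so no CA path or revocation check applies.
    cert_b64 = root.findtext(
        "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    signer = fingerprint(base64.b64decode(cert_b64)) if cert_b64 else None
    return {
        "valid_until": valid_until.isoformat(),
        "expired": now >= valid_until,
        "window_ok": valid_until - now <= MAX_VALIDITY,  # 7-day policy
        "signer_fingerprint": signer,
        "signer_pinned": signer == pinned_sha1.upper(),
    }

if __name__ == "__main__":
    print(check_metadata(SAMPLE_METADATA, HREF_SIGNER_SHA1, "2013-05-02T11:11:00Z"))
```

Against the real file, pass the published fingerprint as <code>pinned_sha1</code>; a <code>signer_pinned</code> of False or an <code>expired</code> of True means the file must not be loaded.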
== Federation Operator services ==
=== Metadata distribution ===
=== Resource Registry ===
=== Discovery Service ===
=== Virtual Home Organization ===
[[Kategória: AAI]][[Kategória: eduid]][[Kategória: english]]