Changes

AboutEduID.hu

4,634 bytes removed, 2 May 2013, 11:11
no edit summary
== About the federation ==
Hungarian Research and Educational Federation ('''HREF''') is a SAML2-based Identity Federation of Hungarian higher education and research institutions, public collections and other content providers. For the end-users, the federation aims to be transparent, therefore the login procedure is communicated as '''''eduID login'''''.
=== Contacts ===
The Federation is operated by [http://www.niif.hu NIIF Institute] as a Federation Operator. Questions, concerns or any kind of requests about the Federation should be directed to any of the following addresses:
=== Legal ===
The Federation itself is not a legal entity, Members and Partners establish a legal connection to the Federation Operator. Any legal claims between Members and/or Partners shall be directed to the organisation operating the Identity Provider or the Service Provider.
 
The Service Agreement between the Federation Operator and Partner is available '''[http://www.eduid.hu/wp-content/uploads/2012/08/href-contract-partner.doc here]'''.
== Technical information ==
=== Metadata ===
Information about the entities of the Federation is maintained in a separate signed XML document, called the federation metadata (see the [[HREFMetadataSpecEN | Metadata Specification]]).
==== Availability ====
The metadata file is available both at http://metadata.eduid.hu/current/href.xml and https://metadata.eduid.hu/current/href.xml, however the unencrypted method is preferred. The file is stored on a highly available file server. The information inside the metadata file must not be trusted after the date specified in the <code>validUntil</code> field of the topmost <code>EntitiesDescriptor</code> has passed. The expiration time is set to '''7 days''' after the instant of the signature. The metadata file is re-signed every ''4 hours'' or whenever the entity information changes (e.g. entities are added or modified). Entities are expected to refresh metadata information regularly, although the <code>cacheDuration</code> attribute is currently not set (for interoperability reasons).
==== Trust in metadata ====
===== Verification of the metadata file =====
The contents of the metadata file must be trusted only if the signature of the Federation Operator can be validated. The Federation Operator uses a self-signed certificate for signing the metadata file, therefore the signing key must be explicitly trusted. Properties of the signing certificate:
* DN: <code>C=HU, O=NIIF Institute, OU=eduID Federation Operator, CN=Metadata Signer/emailAddress=aai@niif.hu</code>
* MD5 fingerprint: <code>21:8C:BE:B4:D1:D6:12:C4:67:9F:16:FA:93:36:F6:A4</code>
* SHA1 fingerprint: <code>FE:AE:0B:E8:FB:59:ED:F7:CB:7F:69:DF:19:4F:8B:6D:C7:F6:96:66</code>
* Availability: from <code>Oct 5 08:18:46 2011 GMT</code> until <code>Sep 30 08:18:46 2031 GMT</code>
The certificate used for signing can be downloaded from https://metadata.eduid.hu/href-metadata-signer-2011.crt (in most browsers this link should open without certificate warnings).
It is recommended to request the signing certificate from the Federation Operator by using some other verifiable transport as well (such as PGP-signed email).
===== Signing procedure =====
Information about the entities is retrieved from the Resource Registry by using strong server authentication. If the contents of the metadata change, they are saved to a version control system and the 'diff' is sent to a public mailing list ([https://listserv.niif.hu/mailman/listinfo/href-metadata-changes href-metadata-changes]). The signature is made with a PIN-protected hardware token.
===== Signing key change or revocation =====
Changes of the signing key/certificate are always negotiated with the technical contacts of all federation entities.
==== Authenticating peer entities ====
It is recommended for all entities to use self-signed certificates; however, even if an entity uses a certificate signed by an external CA, it shall not be assumed that peers perform any kind of PKI path validation or revocation checking.
===== Entity certificate change or revocation =====
An entity should change its signing certificate by allowing a time frame during which both the old and the new certificate are present in the metadata. If an entity certificate is compromised, the Federation Operator must be notified immediately. The certificate is removed from the metadata and either replaced by a new one or the entity is removed from the metadata file. On such an incident, all technical contacts are notified to do an immediate metadata refresh to shorten the attack window.
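As an added example (not code from the HREF federation or NIIF), a relying party can encode the two trust rules above, the explicitly pinned self-signed signer certificate and the <code>validUntil</code> cut-off, in a short check run before a fetched metadata file is accepted. The sample metadata, the placeholder DER bytes and the fingerprint pinned from them are constructed here; a real deployment pins the SHA1 fingerprint published above, and validation of the XML signature itself is left to the SAML stack or an XML-DSig library.

```python
import base64, hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Constructed placeholder standing in for the signer's DER certificate; a real
# relying party pins the SHA1 fingerprint published by the Federation Operator.
PLACEHOLDER_DER = b"constructed-placeholder-not-a-real-certificate"
PINNED_SHA1 = hashlib.sha1(PLACEHOLDER_DER).hexdigest().upper()

def build_sample_metadata(valid_until, der=PLACEHOLDER_DER):
    """Constructed sample: a minimal EntitiesDescriptor carrying the signer cert."""
    b64 = base64.b64encode(der).decode()
    return (f'<md:EntitiesDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" '
            f'validUntil="{valid_until.strftime("%Y-%m-%dT%H:%M:%SZ")}">'
            f"<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64}"
            "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
            "</md:EntitiesDescriptor>")

def check_metadata(xml_text, now, pinned_sha1=PINNED_SHA1, max_age=timedelta(days=7)):
    """Return (ok, reason). Applies the text's two trust rules: the signer cert must
    match the pinned fingerprint and the topmost validUntil must not have passed.
    The XML signature itself is NOT verified here; use an XML-DSig library for that."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntitiesDescriptor":
        return False, "topmost element is not EntitiesDescriptor"
    valid_until = root.get("validUntil")
    if valid_until is None:
        return False, "no validUntil on topmost EntitiesDescriptor"
    expires = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if now >= expires:
        return False, f"metadata expired at {valid_until}"
    if expires - now > max_age:  # operator signs with a 7-day window; longer is suspect
        return False, "validUntil exceeds the operator's stated 7-day window"
    cert_el = root.find(f".//{{{DS_NS}}}X509Certificate")
    if cert_el is None:
        return False, "no signer certificate in KeyInfo"
    fingerprint = hashlib.sha1(base64.b64decode("".join(cert_el.text.split()))).hexdigest().upper()
    if fingerprint != pinned_sha1:
        return False, f"signer fingerprint {fingerprint} is not the pinned certificate"
    return True, "fresh and carried by the pinned signer certificate"

def demo(now=datetime(2013, 5, 2, 11, 11, tzinfo=timezone.utc)):
    """Three constructed cases: fresh file, expired file, wrong signer cert."""
    cases = [build_sample_metadata(now + timedelta(days=6, hours=20)),
             build_sample_metadata(now - timedelta(hours=1)),
             build_sample_metadata(now + timedelta(days=1), der=b"constructed-other-der")]
    return [check_metadata(xml, now)[0] for xml in cases]
```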
Text removed in this revision:

==== Metadata extensions ====
Extension elements should be either interpreted according to their specification or ignored completely (while they are valid XML).
==== Other available metadata sets ====
The federation signing engine is able to produce files other than the federation metadata (called metadata sets). These files are available at https://metadata.eduid.hu/current/, all signed by the same credentials as the federation metadata, therefore it is easy to add them as an auxiliary metadata source.
* <code>href-test.xml</code>: staging federation metadata. Any federation member may put entities into this set.
* <code>href-edugain.xml</code>: entities that are '''exported''' to the [http://edugain.org eduGAIN] confederation. This file is consumed by the eduGAIN MDS. As eduGAIN follows an opt-in policy, only those entities are present in this set whose administrators explicitly requested to be published in eduGAIN.
* <code>edugain.xml</code>: entities that are '''imported''' from the [http://edugain.org eduGAIN] confederation (minus Hungarian entities).
* <code><institution>.xml</code>: institution-specific metadata sets, which are maintained by the administrators of the institution. SPs inside this set are not required to be accepted by the federation, thus they are assumed to be used within the institution.
== Service levels of Federation Operator Services ==
=== Metadata distribution ===
Metadata is considered to be ''available'' if the federation metadata file is available and can be validated by using the signing certificate of the Federation Operator. Metadata is considered to be ''current'' when it is available and the file was generated not earlier than ''8 hours'' ago.
Federation Operator provides Metadata which is '''available in 99.9%''' and '''current in 99%''' of the time within any 12-month time frame.
=== Resource Registry ===
The Resource Registry allows administration of the entities of the federation. (Only administrators of Members and the Federation Operator are allowed to use this service.) It is considered to be ''available'' if administrator login is possible (given that the Identity Provider is working properly).
Federation Operator provides the Resource Registry, which is available in '''98%''' of the time within any 12-month time frame.
=== Discovery Service ===
The Discovery Service is a web form which displays the available Identity Providers of the federation. It uses the [http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery-cs-01.pdf SAML2 Discovery Profile]. It is considered to be available if it is possible to select Identity Providers according to the named profile (given that the Service Provider is working properly).
Federation Operator provides the Discovery Service, which is available in '''99.9%''' of the time within any 12-month time frame.
=== Virtual Home Organization ===
The Virtual Home Organization is an Identity Provider for registering individuals without a Home Organisation. It is considered to be available if it is able to work as an Identity Provider in terms of the [http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf SAML2 SSO Profile].
Federation Operator provides the Virtual Home Organization, which is available in '''99%''' of the time within any 12-month time frame.

Text added in this revision:

== How to join ==
=== Production federation ===
In order to join the production federation as a Partner, you need to send the following information:
* SP metadata URL (HTTPS preferred)
* Name of the SP
* Brief description of the service
* Service URL
* Privacy policy URL
* Administrative and technical contact names and mail addresses (non-personal preferred)
* Required and optional attributes
* Logo URL (optional)
* Helpdesk URL (optional)
This information should be sent to the Federation Operator (see [[#Contacts|above]]) by email. Two copies of the signed Service Agreement documents (available via the link in the Legal section above) should be sent by traditional post; one copy will be returned after counter-signing.
After the application has been reviewed by the Federation Operator, it is forwarded to the Members' Board. It usually takes 3-5 working days for the Board to accept the application, after which the entity is added to the production federation metadata.
=== Testing metadata ===
It is recommended that a new SP is registered in the testing federation first, which is much easier and a fully online process.
The following information is necessary to enter the testing metadata:
* SP metadata URL (HTTPS preferred)
* Name of the SP
* Administrative and technical contact names and mail addresses (non-personal preferred)
* Required and optional attributes
You can ask for test accounts in our Virtual Home Organization. During testing, you might want to use the production federation metadata, because the VHO is present in both metadata files.
You do not need to re-register your entity to proceed to the production federation. If we have all the necessary information, the start of the joining process is at your discretion.

[[Kategória: AAI]]
[[Kategória: eduid]]
[[Kategória: english]]