Production and Test Federation
HKAF provides two complementary technical Federations, a Test Federation and a Production Federation. Both federations have the same tools and core services. However, they operate completely independently.
1. HKAF Production Federation
It provides a high level of trust, high availability and is only for the registration of production servcies.
2. HKAF Test Federation
It provides a test environment for the following functions:
- HKAF tests patches and upgrades before applying to the Production Federation.
- Organizations assess the technologies of HKAF.
- Organizations test their Identity Providers and Service Providers for performing upgrade /development /testing before migration to production. To make the most of the Test Federation, organizations should have an IdP deployed that can be used for these purposes
Usage Policy
- To access the Production Federation, an organization MUST be a HKAF Member, see https://www.hkaf.edu.hk/subscribe/how-to-subscribe/how-to-subscribe. Use of the Production Federation is governed by the HKAF Federation Policy, see https://www.hkaf.edu.hk/federation-policy.
- Only Production Release and User Acceptance Testing (UAT) services can be registered in the Production Federation. All other non-production services must be registered in the HKAF Test Federation.
- An organization may be notified that a service is registered in the incorrect Federation. The organization must register the service in the correct Federation if instructed to do so by the HKAF Operator Team.
- An instance of each production service should be registered first as a test deployment in the Test Federation for initial testing, ongoing support and for the application of future enhancements
and upgrades. - All organizations should operate a test version of their Identity Providers (IdPs) in the HKAF Test Federation that is separate from their production deployment. This ensures that Production IdPs are not impacted by changes that occur in the Test Federation.
Recommendation
- Each IdP and SP should be registered in only one federation at any time.
- Where feasible, a test version of all Production IdPs and SPs should be deployed into the HKAF Test environment.
- All installations, changes, upgrades and patches should be successfully performed in the HKAF Test environment before changing the Production environment.
- It is recommended to use test accounts and attributes when you perform tests in HKAF Test environment. In cases where the use of real accounts or attributes is inevitable, please ensure to use them with a full understanding of the associated risks and at the entity’s own responsibility, and, if necessary, with an agreement in advance among the participating entities. The Test Federation was developed and is operated on the assumption that each entity only uses test accounts and attributes.
Federation Locations
Having two independent federations requires that they will have different addresses, names, certificates, metadata etc., which will create subtle differences in the configuration of the various components. The major difference will be in the URLs used to reference various components. In general, the test federation will use the domain 'test.hkaf.edu.hk' while production will use 'hkaf.edu.hk'. (The word 'test' is removed from the domain).The following tables provide a list of major technical components detailing the differences between the Test and Production Federations. Use "Copy Link Address" from the links below to obtain the correct URL.Most of the HKAF Test environment components will display either "HKAF Test Environment" or "HKAF - Test Federation Deployment" prominently on their web user interface.
| Component | Test Federation | Production Federation |
| Federation Name - Entities descriptor found in the HKAF Metadata, can also appear in attribute-filter.xml. | https://md.test.hkaf.edu.hk/hkaf-test-metadata.xml | https://md.hkaf.edu.hk/hkaf-metadata.xml |
| Metadata - Location of the HKAF Metadata. | Metadata File Signing Certificate | Production Metadata Signing Certificate |
| Federation Registry - Tool for managing the technical components of the federation. | Test Federation Registry | Production Federation Registry |
| Discovery Service (WAYF) - Directs users to their home institution as part of the login process. Required by service providers in the shibboleth2.xml configuration file. | Test Discovery Service | Production Discovery Service |
| HKAF Virtual Home Organisation - Identity Provider for users who require access but are not closely associated with an organisation with an IdP. Also provides access to an attribute reflector testing tool. | Test VHO |
Production VHO |