HKAF Identity Assurance Framework

Identity Assurance Profile

The Hong Kong Access Federation (HKAF) provides assurance that member organizations (e.g. universities, research organizations) manage users and authentication well enough for Service Provider (SP) Organizations to be confident that the right users are accessing the protected applications. HKAF has implemented the Level-1 Identity Assurance Profile as a compliance reference for member organizations that have registered Identity Providers.

Compliance with the HKAF Level-1 Identity Assurance Profile means three things:
1. The User is very likely a human being and not a robot or piece of software.
2. The information associated with the account is usually self-asserted and the User is responsible for it.
3. The Organization’s Identity Management System meets the requirements of HKAF Identity Assurance Level 1 (IDAL1).

The profile specifies the required level of trust in the organization and in the administrative processes, practices and significant technologies used in its identity management life-cycle, for member organizations that act as Home Organizations.

Identity Management Practice Statement and Identity Assurance Compliance Declaration

Each organization that wishes to become a Member of HKAF and act as a Home Organization MUST create, publish and maintain an Identity Management Practice Statement (IMPS). The IMPS describes the Identity Management life-cycle, including how identity subjects are enrolled in, maintained in and removed from the organization's identity management system. The statement MUST contain descriptions of the administrative processes, practices and significant technologies used in the identity management life-cycle. The processes, practices and technologies described MUST be able to support a secure and consistent identity management life-cycle that addresses the requirements imposed by the specific Identity Assurance Profile with which the organization claims compliance.

The organization MUST supply the following documents to the HKAF Operator Team to declare its compliance with the requirements of IDAL1:

  • An 'HKAF Level-1 Identity Assurance Compliance Evaluation Form' (WORD: 75k) for declaring its compliance with each requirement in the HKAF Level-1 Identity Assurance Profile via a self-audit, by filling in the corresponding box on the form,
  • An 'Identity Management Practice Statement' (WORD: 70.4k) IMPS form for providing the supporting information on how it fulfills each requirement, by filling in the corresponding box on the form, and
  • All documents or links to the publicly published documents, referred to in the IMPS.

The organization SHOULD submit these documents to the HKAF Operator Team, together with the duly-completed 'HKAF Membership Application Form'.

The IMPS should be short and to the point. It should describe essential processes in detail; bullet points and short descriptions are usually enough. The descriptions should match reality. In case of a security breach, the related member organization will be audited against its current practice statement. A member organization SHOULD promptly revise its IMPS and the associated Identity Assurance Compliance Declaration whenever its Identity Management life-cycle, as described in the IMPS, changes, and submit the revised version to the HKAF Operator Team.

The 'HKAF Level-1 Identity Assurance Compliance Declaration Guide' (EXCEL: 32k) and the 'IMPS Guide' (PDF: 118k) provide guidance to the member organization on how to declare its compliance with the requirements in the HKAF Level-1 Identity Assurance Profile and how to provide the corresponding supporting information in the IMPS form.

The HKAF Operator Team will evaluate the submitted IMPS against the claims of compliance with the HKAF Level-1 Identity Assurance Profile before making a recommendation on the membership application to the HKAF Steering Committee.