FAQ

I cannot login / forgot my password. Who can help me?

Please contact the Help Desk at your Home Organization.

How to verify the entity ID for your IdP?

All Federation Metadata of the Hong Kong Access Federation is managed using the HKAF Federation Registry.  Note that there is one Federation Registry for the Production Federation and one Federation Registry for the Test Federation.  The two federations are completely separate and independent.  You can access the Federation Registry by clicking the following links:

1. Production Federation

• https://manager.hkaf.edu.hk/federationregistry/

• https://manager.test.hkaf.edu.hk/federationregistry/

One you have logged in, click on the IdP /SP that you are concerned with.  The Overview tab contains the core information about the selected IdP /SP.  The Entity Descriptor is also known as the SAML entity ID.  This value must match the configuration for your Identity Provider or Service Provider.

An example entity ID for a Shibboleth Identity Provider might look like:

• https://idp.example.edu.hk/idp/shibboleth

An example entity ID for a Shibboleth Service Provider might look like:

• https://sp.example.edu.hk/shibboleth

For a Shibboleth Identity Provider, the entity ID attribute is defined in the config file relying-party.xml under the elements <rp:DefaultRelyingParty> and <rp:AnonymousRelyingParty> as well as in attribute-resolver.xml under the <resolver:DataConnector> element.

For a Shibboleth Service Provider, the entity ID attribute is defined in the config file shibboleth2.xml under the <ApplicationDefaults> element.

The entity ID in the Federation Metadata MUST match the entity ID in your local configuration, otherwise federation endpoints will not be able to identify and refer to your IdP /SP.

Note that, if you want to change an entity ID on the Federation Registry side, you cannot do this as a normal user.  You will have to log a support call for a Federation Registry administrator to action this for you.

I cannot update the HKAF IDP by running the update script?

You may encounter the below issue when performing the update by using the below shell script on HKAF version IDP (/opt/shibboleth-idp-installer/repository/update_idp.sh). 

Error message:

         fatal: [Your IDP Domain]: FAILED! => {"msg": "The conditional check 'security_sql | changed' failed. The error was: template error while templating string: no filter named 'changed'. String: {% if security_sql | changed %} True {% else %} False {% endif %}\n\nThe error appears to be in '/opt/shibboleth-idp-installer/repository/tasks/db.yml': line 37, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: 'Run lock_down_db.sql'\n  ^ here\n"}

Please try update below file under file path - /opt/shibboleth-idp-installer/repository/tasks to facilitate the problem accordingly.

### before changed ###

db.yml:  when: security_sql | changed

firewalld.yml:  when: firewall | changed

### after changed ###

db.yml:  when: security_sql is changed

firewalld.yml:  when: firewall is changed

Please back up your system before you would perform above changes.