Shibboleth IdP Installation and Configuration Guides
Support Desk
The HKAF Support Desk operates during business hours in Hong Kong (Monday-Friday 9:00am-5:30pm Hong Kong Standard Time, excluding gazetted General Holidays of Hong Kong). It is a single point of contact for getting in touch with the HKAF Operator Team. If you are experiencing issues or need assistance with the Federation and tools, please contact This email address is being protected from spambots. You need JavaScript enabled to view it..
FAQ
Install Shibboleth Identity Providers (IdP)
Install Shibboleth Service Providers (SP)
- Shibboleth SP Installation & Configuration Guides
Troubleshoot the IdP3
HKAF Attribute Set
1. HKAF Core Attributes
The following is the list of core attributes used within the HKAF. HKAF Members acting as Home Organizations need to collect or generate the core attributes regarding their End Users in their Identity Providers. When an End User tries to access a service via the Federation, the Service Provider may request some or all of these attributes about the End User from the Identity Provider. With end user permission, the Identity Provider may release the attributes to the Service Provider.
The attributes are used by the Service Provider to make authorization decisions and to manage the User’s experience with the service. Service Provider Organizations should consider which attributes they need in order to provide the service effectively and only request those attributes that are needed. The list of core attributes may evolve over time in response to the needs of HKAF Subscribers.
Attribute |
Example Value |
Meaning |
|---|---|---|
| eduPersonAffiliation | staff | Specifies the person’s relationship(s) to the institution in broad categories such as student, faculty, staff, alum, etc. |
| eduPersonScopedAffiliation | This email address is being protected from spambots. You need JavaScript enabled to view it. | Specifies the person’s affiliation within a particular security domain in broad categories such as student, faculty, staff, alum, etc. |
| eduPersonAssurance | urn:mace:aaf.edu.au:iap:id:1 | Set of URIs that assert compliance with specific identity assurance profile. |
| eduPersonPrincipalName | This email address is being protected from spambots. You need JavaScript enabled to view it. | The "NetID" of the person for the purposes of inter-institutional authentication. |
| SAML2 Persistent NameID (eduPersonTargetedID) | 7eak0QQIEhygtPXtpgmu5I5hRnY | A persistent, non-reassigned, privacy-preserving identifier for a principal shared between a pair of coordinating entities. |
| cn | Chan Tai Man | User’s First Name then Surname. |
| displayName | Chan, Tai Man | Preferred name of a person to be used when displaying entries. |
| This email address is being protected from spambots. You need JavaScript enabled to view it. | Email Address, single value. User’s preferred outward facing email address with regard to the organization. |
HKAF also recommends Members implement the following attributes not currently in the Core Attribute list. It can assist in interacting with some federation services.
2. HKAF Recommended Attributes
| Attribute | Example Value | Meaning |
| givenName | Peter | A persons first name or preferred name |
| sn (surname) | CHAN | A persons surname |
| schacHomeOrganization | polyu.edu.hk | Specifies a person’s home organisation using the domain name of the organisation. |
The Core Attributes together with the Recommended Attributes form a standard attribute vocabulary for the Research and Education sector. The HKAF subscribers may find it useful to explore additional user attributes. However, HKAF Identity Providers are only required to support those attributes in the Core Attribute list.
The LDAP Schema definitions (LDIFs) needed to extend your directory can be found by clicking the following links: