CityU EID in External Sites: Hong Kong Access Federation & EduGain

by Alex Lam


It is very common nowadays for students and staff to access research data, journals and courses online offered by other education institutions or companies over the Internet.  The access usually requires users to sign up and create different user accounts.  This article will detail how the Computing Services Centre (CSC) work together with other institutions in Hong Kong to formulate the Hong Kong Access Federation (HKAF), which leverages new technologies to mitigate this problem.

Identity overload problem in accessing Internet applications

Apart from accessing e-learning resources, we are also using many social media, e-banking, on-line shopping applications, probably multiple times a day.  As these applications are provided by different independent organisations, there is NO common user database (repository) shared amongst them.  Thus, we need to create separate “identity” (e.g. username with password) for each application before we are granted the access.

Furthermore, due to recent emphasis on security protection and compliance, we have to ensure that our passwords are of adequate length and complexity, and have not been reused for a certain period.  Sometimes, we even need to enter an additional security code sent by a SMS message during the authentication process. 

Thus, it is a hassle to use so many “identity keys” which sometimes require technical skills just for identifying ourselves during the access of an application.  The picture below shows such painful experience when accessing multiple Internet applications provided by other education institutions.
                                                      Fig​ure 1.  Identity Overload in accessing multiple Internet applications


Our e-learning experience would be much easier if we could simply use the one trusted identity issued by the University to access multiple applications.  This “identity overload” problem can be overcome by the Access Federation solution.

Access Federation

Before discussing how the Access Federation solution can overcome the “identity overload” problem, let us examine the root cause of this problem.

As discussed earlier, many internet applications use their own user repository (database) and do not want to share with the others. The main reason is that they do not trust each other in

  1. maintaining the validity, accuracy and quality of the user repository (database)
  2. handling of personal or sensitive information in the authentication systems

The following diagram shows there is a lack of TRUST between the home organisation, running the identity provider (idP) and other organisations, the service provider (SP) that provides the application.

                                                                     Figure 2. Lack of trust causes the "Identity Overload" problem


By using the Access Federation, the “Identity overload” problem can be avoided by providing technical and policy frameworks to allow web-based single-sign-on (SSO) to applications within the home organisation as well as those provided by external organisations.  

The major advantages of using Access Federation are as follows

  1. Only one authentication system is required to support applications from both the home and external organisations.
    1. It improves operation cost and efficiency
    2. It reduces setup and management cost
    3. It reduces the time to deliver new applications or services
  2. Users can use the existing credentials issued by their home organisation to access applications from both the home and external organisations
    1. It reduces helpdesk support costs in maintaining multiple user repository
    2. It results in better user experience in using applications with the same credentials (SSO)
  3. ​Enhance the effectiveness of security controls and regulatory compliance verification
    1. By focusing and maintaining security settings on a single authentication system
      1. It focuses more on the security design and controls.
      2. It reduces the use of complicated interfaces among the authentication systems.
      3. It enhances the effectiveness of security measures and controls.
    2. ​By using a single authentication system for multiple applications/systems
      1. It will be more direct to show/compare security compliance across multiple systems
  4. For the home organisation
    1. Users can use their existing credentials to gain access to resources provided by other federation members
  5. For Service Providers
    1. The potential user population will be expanded dramatically if the federation members consist of many thousands of users, e.g. University, etc.

The Hong Kong Access Federation (HKAF)

In order to deliver the advantages of Access Federation across the education and research sector, the HKAF was established in 2016 as Hong Kong’s leading identity broker by Joint Universities Computer Centre Ltd (JUCC).  It is now a vital part of the Hong Kong research infrastructure landscape facilitating trusted electronic communications and collaboration among the education and research institutions both locally and internationally.

The HKAF is operated as a shared service.  Subscribers of the HKAF include leading organisations in the Research and Education sector in Hong Kong.  They are:
  • all public universities funded by the University Grant Committee (UGC);
  • self-financing universities; and,
  • organisations providing online products or services for teaching, learning and research.
How it works

An organisation must join the HKAF before enjoying the Access Federation service.  There are two roles that an organisation can take on in the federation, namely the idP and SP role.   It is also quite common that an organisation may join the HKAF with dual roles.




Identity Provider

The system component that issues attribute assertions on behalf of end users who use them to access the services of SPs.

-      Provides authentication service for members of its organisation when they are authenticated against SP

-      Releases attributes requested by SP but need the approval (consent) by user

Service Provider (SP)

The system component which offers the desired service to the en​d users. It evaluates the authentication outcome and attributes that the IdP of the Home Organization and/or Attribute Authority asserts for the end users, for controlling access to the protected services/resources.

-      Offers service that requires end users to contact their own idP which provide the SP with the authentication results and the required attribute(s) for the determination of access rights to its offered resources.

-      The credentials (username and password) are never passed to the SP



Setting up the Trust frameworks for Access Federation

In order to establish trusts in the Access Federation, idP and SP must follow the corresponding federation policy and standards before applying for the memberships.  For example, the idP must follow and comply with idP management standard, the idP assurance profile, etc.  On the other hand, the SP must follow the SP management standard, data protection profile, etc. For details, please refer to the compliance document of the HKAF at the following URL:
Based on the diagram in figure 2 above, a brief overview of the “trust setup in HKAF” is shown in the diagram below.
                                         Figure 3.  Trust Setup among HKAF members and Workflow for Resources request under the HKAF


Workflow for student (user H) of CityU requesting for resource R in UniversityY provided by Service Provider (SP) M

Step 1 – User H (from CityU) accesses Resource R provided by SP M in University Y

Step 2 – SP M (at University Y) generates an authenticated request which is sent to the CityU’s idP via user's browser

Step 3 - idP at CityU authenticates the user request and sends the response together with attribute(s), if any, back to SP M in University Y, via user H’s browser session with proper consent workflow

Step 4 - SP M in University Y verifies the idP Response and checks against the resource profile.  The requested resource in University Y will be sent to user H if the resource profile permits the access 

The next step – EduGain

Having setup the Access Federation for education and research institutions in Hong Kong, we can access resources via supported applications in other HKAF members.   This is great but there is still a lot of resources globally.  Are there any Access Federations that achieve the same objectives as the HKAF but of a worldwide scope?

The answer is EduGain.

EduGain is an inter-federation that connects identity federations around the world.  It was developed and operated by the European GÉANT project and is one of the first and currently the largest global inter-federation service in operation. 

Its objective is to simplify the access to content, services and resources for the global research and education community by using a common set of technical standards, rules and policies that allow services and organisations from different countries to provide and use (Authentication & Authorization Infrastructure) AAI-enabled services across the boundaries of an identity federation.

The HKAF has become the 54th member of EduGain in Oct 2017, which means that members of the HKAF are capable of accessing the resources provided by over 50 federation members with 5,000 Identity and Service Providers worldwide.  This allows HKAF members to access many resources such as journals, research data, e-learning materials and courses provided by education institutions all over the world.

For details on EduGain and a quick overview of Access Federation, it is strongly recommended that you watch the video

With the establishment and connection to the HKAF and EduGain, members of the HKAF can use their institutional credentials to seamlessly access a wide range of services and resources provided by education institutions all over the world in a controlled and trusted setup.

At the same time, the services or applications developed by members of the HKAF can also be accessed by other EduGain members.  The growth in user space can help improve the functional and user experience of the application.

To look forward, the CSC is working closely with Library and the e-Learning team to explore more applications which are useful to our students’ and colleagues’ daily work via the HKAF & EduGain network.