Hong Kong Access Federation Single Sign On (SSO)

Hong Kong Access Federation (HKAF) is Hong Kong’s leading identity broker. HKAF enables access to online resources for the Education and Research sector. The HKAF has facilitated trusted electronic communications and collaboration between education and research institutions, locally and internationally.

Users are able to access federation services using a single user account and password. Affiliated users can employ the user IDs assigned to them by their home universities to access and use numerous services instead of having to maintain and use different accounts.

miniOrange provides a Single Sign On solution with Hong Kong Access Federation for your WordPress site. Using this, your site can be integrated with Hong Kong Access Federation and your users will be able to access your site using their HKAF registered institution's credentials.

How miniOrange SAML 2.0 Single Sign-On Plugin works with Hong Kong Access Federation?
Our Plugin works in this way:
  1. First, the user clicks the Login with HKAF button. This redirects them to HKAF's discovery service, where they select their home institution.
  2. The discovery service sends some information to the plugin (the plugin uses this information to identify which institution the user selected).
  3. The plugin creates a SAML Authentication request and sends it to the Identity Provider associated with the selected institution.
  4. The user sees their institution's login page. After successful authentication with their institution, the user is redirected and logged in to the WordPress website.

Pre-Requisites:

  • In the my.cnf/my.ini file of your server, increase the max_allowed_packet value so that it is larger than the size of the metadata file. (Since the HKAF IDP-only metadata file is 44M, you can set the max_allowed_packet value to 50M.)
  • For large metadata files (greater than 2M), use the metadata URL. File upload for large files won’t work.

Configure the plugin

  • After activating the plugin with your license key, go to the Service Provider Setup tab.
  • Click the Upload Multiple IDPs button to upload multiple IDPs from a single metadata file.
  • You can choose either a file or URL to upload the metadata.
  • NOTE: For large files, use the metadata URL. For updating the HKAF metadata file, copy the following link in the Enter Metadata URL text box and click on Fetch Metadata button. Download the metadata from here.
  • For large metadata files, the upload process may take some time. After successful completion of the upload process, you should be able to see all the IDPs listed.

Configure the HKAF Federation

  • You need to provide the miniOrange entityID to the HKAF discovery service so that the discovery service can recognize the requests coming from the miniOrange plugin. The entityID for the miniOrange plugin can be found in the Service Provider Metadata tab of the plugin.
  • You can provide the SP metadata, which can be downloaded from the metadata URL given in the Service Provider Metadata tab, to the HKAF discovery service.
  • After this, your users will be able to log in to your site with their respective universities using the miniOrange plugin.

Attribute / Role Mapping

  • Using the Attribute/Role Mapping tab, you can assign different roles to different users and also map their attributes received from the IDP.
  • You can configure IDP specific mapping as well as IDP-wide mapping using the Default Mapping option.

Hong Kong Access Federation - SSO Authentication Flow

  • After configuring the plugin, you should see the Login with Hong Kong Access Federation button on the WordPress login page. Click on this button to redirect to the HKAF discovery service.
  • From the HKAF discovery service, select your home institution and click the Next button.
  • You will be redirected to the selected institution's login page for authentication.
  • After successful authentication, you will be redirected and logged in to the WordPress site.


If you don't find what you are looking for, please contact us at info@miniorange.com or call us at +1 978 658 9387 to find an answer to your question about Hong Kong Access Federation.