Hi,
That is correct. This is because eduPersonEntitlement is, for security reasons, not suitable to be released without entityId-specific validation of the entitlement.
Pål
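As an added example that is not part of Pål's message or of any federation's own configuration: a Shibboleth IdP attribute-filter policy that releases eduPersonPrincipalName and a single eduPersonEntitlement value only to one SP, selected by its entityId. Shibboleth is assumed as the IdP software, and the SP entityId and the entitlement value are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: attribute-filter.xml fragment for a Shibboleth IdP (assumed).
     The SP entityId and the entitlement value below are placeholders; use the
     certificate service's published entityId and the entitlement it requires. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- The policy applies to exactly one requester, matched on entityId.
         A PolicyRequirementRule of xsi:type="ANY" here would release the
         attributes below to every SP in the federation. -->
    <AttributeFilterPolicy id="release-to-personal-cert-sp">
        <PolicyRequirementRule xsi:type="Requester"
                               value="https://certs.example.org/sp" />

        <!-- The identifier the certificate service maps to a subject. -->
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <!-- Only the one entitlement value this SP needs, not the user's
             whole entitlement set: other values are authorization data
             meant for other services. -->
        <AttributeRule attributeID="eduPersonEntitlement">
            <PermitValueRule xsi:type="Value"
                             value="urn:example:placeholder:personal-cert-user"
                             ignoreCase="false" />
        </AttributeRule>
    </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
```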
From: Hildegunn Vada <hildegunn.vada@sikt.no>
Sent: 18 November 2025 10:54
To: Pål Axelsson <pax@sunet.se>; Jan Meijer via Identity-talks <identity-talks@lists.nordu.net>
Subject: Re: Problems with Harica
Hi Pål,
thank you for answering. I will take this further to Nicole Harris.
Just a question: does this mean that Sunet/Swamid has instructed all members in Swamid to do a manual configuration of automatic release of expected attributes?
Regards, Hildegunn
From: Pål Axelsson <pax@sunet.se>
Sent: Tuesday 18 November 2025 10:50
To: Hildegunn Vada <hildegunn.vada@sikt.no>; Jan Meijer via Identity-talks <identity-talks@lists.nordu.net>
Subject: Re: Problems with Harica
Hi,
Have you sent this to Nicole Harris? Since personal certificates also require an eduPersonEntitlement, we've instructed all our members to do a manual configuration of automatic release of expected attributes.
Pål
From: Hildegunn Vada via Identity-talks <identity-talks@lists.nordu.net>
Sent: 14 November 2025 14:44
To: Jan Meijer via Identity-talks <identity-talks@lists.nordu.net>
Subject: [Identity-talks] Problems with Harica
Hi everyone,
I'm looking for input on how we can better handle the following situation:
IGTF Personal Certificates are used for user authentication in collaborations between CERN and Norwegian universities. To enable certificate issuance, Identity Providers in eduGAIN must release certain attributes, most importantly eduPersonPrincipalName, which GEANT requires for IGTF Personal Certificates [1].
However, HARICA does not currently require this attribute, and Feide cannot release attributes that are not explicitly required. As a result, Sikt is unable to provide IGTF Personal Certificates to our customers.
The latest update we received from HARICA (on September 19) was: "This change is already in our plans, but we are also looking to introduce the 'subject-ID' attribute, which appears to be the optimal one for identity mapping. We are discussing internally how to prioritize this over other requested features."
For now, we are implementing a workaround for Norwegian universities, but it's disappointing that a certificate provider operating under a GEANT contract does not already support this.
How can we apply more pressure on HARICA to prioritize this change?
[1] https://wiki.geant.org/pages/viewpage.action?spaceKey=TCSNT&title=TCS+20...
Thanks for any ideas, and wishing you all a great weekend ahead!
Hildegunn