Hi,
Have you sent this to Nicole Harris? Based on the fact that personal certificates also require an eduPersonEntitlement, we’ve instructed all our members to do a manual configuration of automatic release of expected attributes.
Pål
From: Hildegunn Vada via Identity-talks <identity-talks@lists.nordu.net>
Sent: 14 November 2025 14:44
To: Jan Meijer via Identity-talks <identity-talks@lists.nordu.net>
Subject: [Identity-talks] Problems with Harica
Hi everyone,
I’m looking for input on how we can better handle the following situation:
IGTF Personal Certificates are used for user authentication in collaborations between CERN and Norwegian universities. To enable certificate issuance, Identity Providers in eduGAIN must release certain attributes—most importantly, eduPersonPrincipalName, which GEANT requires for IGTF Personal Certificates [1].
However, HARICA does not currently require this attribute, and Feide cannot release attributes that are not explicitly required. As a result, Sikt is unable to provide IGTF Personal Certificates to our customers.
The latest update we received from HARICA (on September 19) was:
"This change is already in our plans, but we are also looking to introduce the 'subject-ID' attribute, which appears to be the optimal one for identity mapping. We are discussing internally how to prioritize this over other requested features."
For now, we are implementing a workaround for Norwegian universities, but it’s disappointing that a certificate provider operating under a GEANT contract does not already support this.
How can we apply more pressure on HARICA to prioritize this change?
Thanks for any ideas—and wishing you all a great weekend ahead!
Hildegunn