geteduroam assists eduroam organisations and users with easy and secure onboarding of eduroam clients by delivering Apps or configuration profiles. With eduroam CAT (configuration assistant tool) as the go-to place for eduroam profile management, geteduroam displays the same list of options in Apps, simplifying onboarding.
Users typically authenticate to eduroam with a username and password, but without assistance they may misconfigure the mutual authentication, exposing their credentials to a Man-in-the-Middle attack. The geteduroam Apps and eduroam CAT profiles make sure these settings are correct.
In addition to configuring regular eduroam accounts, geteduroam has the ability to create pseudo-accounts via (web) federated authentication. These pseudo-accounts remove all credential attack vectors, since the authentication relies purely on mutual certificate-based authentication. Used as a hosted service, it also significantly simplifies the authentication infrastructure required for eduroam. This part of geteduroam can be seen and deployed as “eduroam RADIUS IdP as a service”, but can also be run at the IdP directly: it is designed to scale well.
National Roaming Operators (NRO)
The eduroam Roaming Operator can “opt in” its organisations to the use of eduroam CAT. Any institution granted access to eduroam CAT can use CAT and the geteduroam Apps for client onboarding.
It is up to the NRO to also provide users with a pseudo-account workflow, and to offer “eduroam RADIUS IdP as a service” functionality when an Identity Provider opts in to such a service. Any IdP could also build such a service themselves.
The pseudo-account service can be installed at institution level or NRO level, or an international service from the eduroam Operational Team can be used. At this point in time this is a trial service, for which we define the best practices for its configuration as we go along.
Identity Providers (institutions)
If you are an identity provider and are interested in using eduroam CAT and the geteduroam Apps, or the geteduroam pseudo-accounts in particular, contact your eduroam National Roaming Operator. With the right skillset, you can also implement a local geteduroam pseudo-account server, but your NRO may be able to assist you as well.
CAT pseudo-account profile configuration
To create a CAT profile that supports pseudo-accounts, all you need is a profile that is "production enabled" and has a redirect location set to a particular URL. This URL comes from your own deployment of a geteduroam pseudo-account server, or from the NRO/centralized services. See https://www.geteduroam.app for more resources.