geteduroam assists eduroam organisations and users with easy and secure onboarding of eduroam clients by delivering Apps or configuration profiles. With eduroam CAT (configuration assistant tool) as the go-to place for eduroam profile management, geteduroam displays the same list of options in Apps, simplifying onboarding.

Users typically use eduroam with a username and password, but without assistance users may misconfigure the mutual authentication, exposing their credentials to a Man-in-the-Middle attack. The geteduroam Apps and eduroam CAT profiles make sure these settings are correct.

geteduroam pseudo-accounts

In addition to configuring regular eduroam accounts, geteduroam has the ability to create pseudo-accounts via (web) federated authentication. These pseudo-accounts remove the credential attack vectors, since authentication relies purely on mutual certificate-based authentication. Used as a hosted service, it also significantly simplifies the authentication infrastructure required for eduroam. This part of geteduroam can be seen and deployed as “eduroam RADIUS IdP as a service”, but can also be run at the IdP directly: it is designed to scale well.

National Roaming Operators (NRO)

The eduroam Roaming Operator has the ability to “opt-in” for its organisations for the use of eduroam CAT. Any institution granted access to eduroam CAT has the ability to use CAT and geteduroam Apps for client onboarding.

It is up to the NRO to also facilitate users with a pseudo-account workflow, and offer “eduroam RADIUS IdP as a service” functionality when an Identity Provider opts-in for such a service. Any IdP could build such a service by themselves.

The pseudo-account service can be installed at institution level or NRO level, or an international service from the eduroam Operational Team can be used. At this point in time this is a trial service, for which we define the best practices for its configuration as we go along.

Identity Providers (institutions)

If you are an identity provider and interested in using eduroam CAT and geteduroam Apps, or the geteduroam pseudo-accounts in particular: contact your eduroam National Roaming Operator. With the right skillset, you can also implement a local geteduroam pseudo-account server, but your NRO may be able to assist you as well.

CAT pseudo-account profile configuration

In order to create a CAT profile that supports pseudo-accounts, all you need is a profile that is “production enabled” and has a redirect location set to a particular URL. This URL comes from your own deployment of a geteduroam pseudo-account server, or from the NRO/centralised services. See https://www.geteduroam.app for more resources.

geteduroam pilot services from eduroam OT

A centralised pseudo-account service is proposed, managed by the eduroam Operational Team and connected to eduGAIN. NROs can opt in to this service and offer it to their IdPs. It may be attractive to institutions with cloud IdM solutions like Azure AD, or institutions that find it hard to set up a RADIUS infrastructure.

The functionality sits somewhere in between eduroam CAT and the eduroam Managed IdP. CAT solely provides profiles to do proper configuration with credentials users already have. The Managed IdP gives out credentials to users that have no federated Identity Management. Managed IdP profiles can be consumed by both the eduroam CAT App or the geteduroam App. The geteduroam pseudo-accounts are issued after (web) federated authentication, with the keys created and managed inside the Apps. The RADIUS authentication is similar to the Managed IdP, and can be scaled out well or even delegated to institutions themselves.

Part of a geteduroam pseudo-account trial hosted by the eduroam OT is defining the best practices for connecting institutions to a centralised service and making this scale well. It may require additional settings (such as the eduGAIN entityID or an explicit NRO opt-in), which may be input for the development of the eduroam CAT services.

Roadmap

When    | What
Q4 2020 | Pilot offered to eduroam SG, for NROs, institutions
Q1 2021 | Evaluation of onboarded institutions, to work on improved onboarding experience
Q2 2021 | Implementation of onboarding improvements via e.g. CAT
Q3 2021 | geteduroam in production as extension of functionality for MIdP and CAT


* Note that geteduroam as a product has its own roadmap; this page is about the service from the OT.


1 Comment

  1. I know I could add comments inline with text, but I can't find it now. Anyhow, I add them here and hope they are clear. 

    I think it would be nice to write a chapter about how managed eduroam IdP and its integration with geteduroam fit together, i.e. Managed eduroam IdP still being the option for institutions that have no existing IdM, and geteduroam being the addition to enable institutions with existing IdM and SAML IdP to make use of that while delegating other functions related to eduroam. My understanding is that such institution SAML IdPs don't need to be part of a federation or eduGAIN, so perhaps clarify that as well. It would be nice also to see what the architecture of the pilot is; my understanding is that the RADIUS and CA built for the Managed eduroam IdP would be reused.

    And finally, I think it is important for the pilot to use it to come up with an idea of how this fits into existing eduroam supporting tools and how it is presented to the NROs and institutions. My initial thought is that this can become another option in the managed eduroam IdP, so that institutions that have a SAML IdP can make use of that instead of provisioning user accounts in managed eduroam IdP. All of this needs to be nicely modelled in the UI.