Comment: remove ref to deprecated terms. Too confusing for beginners.

...

  • The authentication of a user is carried out by their Identity Provider (IdP), using the authentication method configured at that IdP. Earlier versions of this document used the term "home institution" for the Identity Provider, but this term is considered deprecated.
  • The authorisation decision that grants access to the network resources after successful authentication is made by the owner of the visited network, also called the Service Provider (SP), typically the operator of a WiFi hotspot (a university campus, etc.). Earlier versions of this document used the deprecated term "visited institution" for the Service Provider.

In order to transport the authentication request of a user from the Service Provider to their Identity Provider, and the authentication response back, a world-wide system of RADIUS servers has been built. Typically every Identity Provider deploys a RADIUS server that is connected to its local user database. This RADIUS server is connected to a central national RADIUS server, which in turn is either connected to an upstream (European/global) RADIUS server or able to connect to other RADIUS servers dynamically (using RADIUS/TLS). Because user identities have the format "user@realm", where the realm is the IdP's DNS domain name, usually of the form institution.tld (tld = top-level domain; both country-code TLDs and generic TLDs are supported), each RADIUS server can use the realm (the part after the last "@") to route the request to the appropriate next RADIUS server until the IdP is reached. Only the realm is needed for routing, so the intermediate servers never need to see the user part of the identity or the user's credentials. An example of the RADIUS hierarchy is shown in Figure 2.1.
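The realm-based routing described above, as an added, self-contained model (example code, not part of the original document or of any real RADIUS implementation): each server holds a small routing table keyed by exact realm or by a "*.tld" suffix, plus an optional default upstream, and a request is forwarded hop by hop until a server answers for the realm itself. All server names, realms and identities below are invented. The example also covers the cases a practitioner has to handle: an identity without a realm, a realm nobody is responsible for, and a routing loop between a national and a top-level server.

```python
"""Toy model of realm-based RADIUS request routing in an IdP/SP hierarchy.

Added example, not from the original document. Every server name, realm and
identity here is constructed for illustration; nothing is a real configuration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LOCAL = "LOCAL"      # route value meaning: this server is the IdP for the realm
MAX_HOPS = 8         # guard against forwarding loops between misconfigured servers


@dataclass
class RadiusServer:
    name: str
    routes: Dict[str, Optional[str]]   # "realm" or "*.suffix" -> next hop, LOCAL, or None (reject)
    default: Optional[str] = None      # upstream for realms not listed; None means reject


def extract_realm(identity: str) -> Optional[str]:
    """Realm used for routing: the part after the last '@', lower-cased,
    without surrounding whitespace or a trailing dot. None if there is none."""
    if "@" not in identity:
        return None
    realm = identity.rsplit("@", 1)[1].strip().lower().rstrip(".")
    return realm or None


def next_hop(server: RadiusServer, realm: str) -> Optional[str]:
    """Exact realm entry first, then the most specific '*.suffix' entry,
    then the server's default upstream (None: no route, reject here)."""
    if realm in server.routes:
        return server.routes[realm]
    labels = realm.split(".")
    for i in range(1, len(labels)):
        key = "*." + ".".join(labels[i:])
        if key in server.routes:
            return server.routes[key]
    return server.default


def route(hierarchy: Dict[str, RadiusServer], entry: str, identity: str) -> Tuple[List[str], str]:
    """Walk the hierarchy starting at the SP's server.
    Returns (servers visited in order, outcome string)."""
    realm = extract_realm(identity)
    if realm is None:
        # Nothing to route on: the SP's own server rejects, it must not forward.
        return [entry], "REJECT: identity has no realm"
    path: List[str] = []
    current = entry
    while len(path) < MAX_HOPS:
        path.append(current)
        hop = next_hop(hierarchy[current], realm)
        if hop == LOCAL:
            return path, f"AUTHENTICATE: {current} is the IdP for {realm}"
        if hop is None:
            return path, f"REJECT: {current} has no route for realm {realm}"
        current = hop
    return path, f"REJECT: hop limit reached, probable routing loop for {realm}"


# Constructed hierarchy: an SP in .de, national servers for .de and .nl,
# one top-level server and two IdPs.  Note that nat.de explicitly rejects
# unknown .de realms ("*.de": None) instead of sending them upstream.
HIERARCHY: Dict[str, RadiusServer] = {s.name: s for s in [
    RadiusServer("sp.sp-campus.de", {"sp-campus.de": LOCAL}, default="nat.de"),
    RadiusServer("nat.de", {"sp-campus.de": "sp.sp-campus.de",
                            "uni-b.de": "idp.uni-b.de",
                            "*.de": None}, default="top.eu"),
    RadiusServer("top.eu", {"*.de": "nat.de", "*.nl": "nat.nl"}),
    RadiusServer("nat.nl", {"uni-a.nl": "idp.uni-a.nl"}),
    RadiusServer("idp.uni-a.nl", {"uni-a.nl": LOCAL}),
    RadiusServer("idp.uni-b.de", {"uni-b.de": LOCAL}),
]}


def misconfigured() -> Dict[str, RadiusServer]:
    """Same hierarchy, but nat.de forwards unknown .de realms upstream, where
    top.eu sends every .de realm back to nat.de: a routing loop."""
    bad = dict(HIERARCHY)
    bad["nat.de"] = RadiusServer("nat.de", {"sp-campus.de": "sp.sp-campus.de",
                                            "uni-b.de": "idp.uni-b.de"}, default="top.eu")
    return bad


if __name__ == "__main__":
    for ident in ["anonymous@uni-a.nl", "bob@sp-campus.de", "Carol@UNI-B.de.",
                  "eve@unknown.de", "nouser", "x@foo.xx"]:
        print(ident, "->", *route(HIERARCHY, "sp.sp-campus.de", ident))
    print("loop ->", *route(misconfigured(), "sp.sp-campus.de", "eve@unknown.de"))
```

The outer identity `anonymous@uni-a.nl` is routed exactly like a named one, which is why the user part can be anonymised end to end; the national server's explicit `"*.de": None` entry is what stops an unknown realm from bouncing between the national and top-level servers, and the hop limit is the last line of defence when such an entry is missing.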

...