
Terms of use

eduroam IdP administrators are bound by the requirements as set forth in the eduroam Service Definition. The specific service eduroam Managed IdP needs some additional terms on top of that baseline.

These terms and conditions are displayed and need to be acknowledged by eduroam Managed IdP administrator before they can start using the system (pop-up with sign-off requirement):

As an eduroam IdP administrator using this system, you are authorized to create user accounts according to your local institution policy. You are fully responsible for the accounts you issue. In particular, you:

  • only issue accounts to members of your institution, as defined by your local policy;
  • must make sure that all credentials that you issue can be linked by you to actual human end users of eduroam;
  • have to immediately revoke credentials of users when they leave or otherwise stop being a member of your institution;
  • will act upon notifications about possible network abuse by your end users and will appropriately sanction them.

Failure to comply with these requirements may lead to the deletion of your IdP

...

(and all the users you create inside) in this system.

With this product, eduroam Operations is not interested in and strives not to collect any personally identifiable information about the end users you create. To that end:

  • the usernames you create in the system are not expected to be human-readable identifiers of actual humans. We encourage you to create usernames like 'hr-user-12' rather than 'Jane Doe, Human Resources Department'. You are the only one who needs to be able to make a link to the human behind the identifiers you create;
  • the identifiers in the eduroam access credentials are not linked to the usernames you add to the system; they are pseudonyms;
  • each access credential carries a different pseudonym, even if it pertains to the same username.


eduroam end users are being presented a lightweight terms of use by the time they visit the download page for eduroam installers. Downloading the installer in question is deemed acceptance of those terms:

You can now download a personalised eduroam® installation program. The installation program is strictly personal, to be used only on this device (device identifier, such as "Linux"), and it is not permitted to share this information with anyone.

When the system detects abuse such as sharing login data with others, all access rights for you will be revoked and you may be sanctioned by your local eduroam® administrator.

Purpose and scope

eduroam Managed IdP's purpose is to support you, an eduroam Identity Provider administrator, by allowing you to manage your eduroam end user base through a simple web interface, without a need for local technical infrastructure such as RADIUS servers or an identity management system. The system includes

  • a web-based user management interface where user accounts and access credentials can be created and revoked (there is a limit to the number of active users)
  • a technical infrastructure ("CA") which issues and revokes credentials
  • a technical infrastructure ("RADIUS") which verifies access credentials and subsequently grants access to eduroam

eduroam Managed IdP takes your input regarding who your users are, and produces vouchers ("invitation tokens") which you can hand out to those users. They can then redeem those invitation tokens for a customised, personal eduroam installer for their computer or device. The customisation includes your IdP's name, location and logo, contact details for your helpdesk, and a user access credential in the form of a "client certificate" - don't worry if you do not know what that is. The installers can be produced in many languages; that way, you can even offer your users an installer in their native language!

...

Scope

eduroam Managed IdP is not replacing your helpdesk! While we hope to do you a good service by taking the technical task of user account management and network admission checks into our hands, we cannot take your users' phone calls or tell them how to fix problems on their computers. eduroam Managed IdP installers work on the supported platforms if these have not been modified beyond reason by the end user, and we hope the installation process with them is intuitive enough; but we cannot guarantee that you will never hear from failing users again.

...

There are basically two groups of information which we need to ask of you before we can provide you with your eduroam Managed IdP profile:

 * general information about your institution (e.g. logo, approximate location, name)
 * helpdesk contact details (mail, phone, web)


To the largest extent possible, all the information is optional. If you choose not to let us know all the details we will still create installers, but they just won't contain as much information as they could. Please consider giving us as much information as possible. At the very least, an email contact point for your end users is required so that they can reach out to you in case of questions.

...

You can configure both the general information and the helpdesk details from this page.

General Information

Helpdesk Contact Details

Managing my users

On the institution dashboard page, you see the most important pieces of data that you have entered.


There is a button to create a new Managed IdP profile at the bottom. If you followed the wizard, it has already done that for you and you see an info card "Managed IdP" instead. It has a button labelled "Manage User Base".


The buttons take you to your user management page.


There is only one screen from which new user accounts can be created or imported, credentials can be assigned, and existing credentials and users can be decommissioned.

Adding Users

There are two workflows for adding new users:

  • Manual: at the bottom of the page, there is an input box for a new username and the desired expiry date for that user. Filling in both and then clicking "Add new user" creates the new user instantly.
  • CSV import: for a bulk import of many users, there is a grey box "Import users from CSV file" near the top of the page. The CSV file contains one user per line, as comma-separated values: username, expiration date in the form yyyy-mm-dd, number of tokens (optional).
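As an added example (not code from the CAT or Managed IdP project), a small Python pre-check for the CSV import described above: the column layout (username, expiry as yyyy-mm-dd, optional token count) is the one documented here, while the pseudonym, duplicate and future-date checks are this example's own assumptions, motivated by the terms of use.

```python
"""Pre-check a Managed IdP user-import CSV before uploading it (added example)."""
import csv
import io
from datetime import date, datetime

# Constructed sample input: two acceptable rows, then one bad date, one bad
# token count, one real-looking name, one duplicate and one expiry in the past.
SAMPLE_CSV = """hr-user-12,2099-06-30,2
lab-user-07,2099-01-15
hr-user-13,30/06/2099,1
hr-user-14,2099-06-30,-1
Jane Doe,2099-06-30,1
hr-user-12,2099-12-31,1
hr-user-15,2001-01-01
"""


def row_error(row, seen, today):
    """Return why the row is unusable, or None if it is acceptable."""
    if len(row) not in (2, 3):
        return "expected 2 or 3 columns"
    username, expiry_text = row[0], row[1]
    tokens_text = row[2] if len(row) == 3 else "1"  # one token when omitted (assumption)
    if not username:
        return "empty username"
    if " " in username:  # assumption: a space hints at a real name, which the terms discourage
        return "username looks like a person's name; use a pseudonym"
    if username in seen:
        return "duplicate username"
    try:
        expiry = datetime.strptime(expiry_text, "%Y-%m-%d").date()
    except ValueError:
        return "expiry must be yyyy-mm-dd"
    if expiry <= today:
        return "expiry is not in the future"
    if not tokens_text.isdigit() or int(tokens_text) < 1:
        return "token count must be a positive integer"
    return None


def validate_import(text, today=None):
    """Return (accepted_rows, errors); errors are (line number, reason) pairs."""
    today = today or date.today()
    accepted, errors, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        row = [cell.strip() for cell in row]
        if row == [] or row == [""]:
            continue  # skip blank lines
        reason = row_error(row, seen, today)
        if reason:
            errors.append((lineno, reason))
            continue
        seen.add(row[0])
        accepted.append({"username": row[0], "expiry": row[1],
                         "tokens": int(row[2]) if len(row) == 3 else 1})
    return accepted, errors
```

Run `validate_import(SAMPLE_CSV)` and fix every reported line before uploading; only the accepted rows are worth importing.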

Issuing access credentials

Once a user is created, it is displayed on the page along with Delete and New Credential buttons. Clicking on "New Credential" creates an invitation URL, which is then displayed on the administration page. It is up to the administrator how to get that URL to the user in question. We expect this to happen usually over email; alternatives under consideration include sending an email directly from the interface and text messaging.

Invitation links are valid for one week from issuance, for the generation of a single access credential. The validity for the pickup by the end user is displayed to the right of the invitation link. Invitation links can be revoked by clicking the corresponding button on the right.


Credential revocation and Deadman Switch

Once a credential has been picked up by the end user, the corresponding certificate details are displayed instead of the invitation link. The "Revoke" button, if pushed, then revokes the already issued access credential and makes the login with it unusable. We strive towards a delay of less than one minute between push of the Revoke button and actual discontinuation of service for the end user.

When a user gets deleted, all his credentials automatically get revoked instantly.

WARNING: there is a "deadman switch" safeguard against unmaintained accounts. An IdP administrator may forget about his duties to maintain a current and accurate user list in the system, or the IdP administrator may leave the organisation with no one realising that stale accounts are still active. The safeguard is: the IdP admin must log into the system regularly and declare that he is still active and that all users which are currently active in the system continue to be eligible for eduroam. Failure to acknowledge this with the push of the corresponding button deletes all users and thus revokes all access credentials.


The system currently requires the re-validation once per year. Users which were not re-validated within the last 47 weeks are shown in yellow; users which were not re-validated within the last 50 weeks are displayed in red.

End-User Enrollment

Upon visiting the invitation link, there is only a single download button along with basic instructions. The operating system is auto-detected. When redeeming the invitation token that you sent your users they will see:


The installation program is a CAT installer like usual, with the addition of a client certificate which is protected by the import password that is displayed on the screen. The addition of the import password provides a basic safeguard against credential sharing. Other safeguards (which could replace this UI-intensive step), such as a maximum number of MAC addresses per credential, are under consideration. Please report how well the import password method works for your users.

The installer sets up everything. The user should not need to interact with his operating system at all (at least, not any more than with other eduroam accounts).

Installer visibility on the user download page

...

A full-access web API makes it possible to remote-control many aspects of the product. The corresponding documentation is maintained in the NRO documentation.

Getting Help with eduroam Managed IdP

If you have any questions about the eduroam Managed IdP website, please contact your eduroam National Roaming Operator first. They can escalate questions to the development team if need be. If you have questions about the underlying software, don't hesitate to ask on the mailing list cat-users@lists.geant.org . If possible, please subscribe to the list before posting; this guarantees that you'll get replies even if someone forgets a "reply to all", and also ensures that your post doesn't accidentally get classified as spam and discarded.

Inputs from External Testing

  • Android support is paramount
    The product is much less useful without Android support due to the very high market share of Android devices. Work is ongoing to secure a development contract to retrofit the required capabilities to the eduroam CAT Android app.
  • Proper support for UDP fragmentation required
    Some testers reported problems with Windows 10 devices (but not on other OSes). Windows does not limit the size of its EAP fragments while other supplicants do; so to make Windows machines authenticate, the entire RADIUS path (including SP network) needs to be able to handle UDP fragmentation.
  • Small bugs
    • Windows installer shows "EMAIL / WWW support" text even if not configured by the admin. Notified TW.