• Drive two factor towards ubiquity with low cost - create an eduToken (for the users that do not have a phone; critical mass can bring down the price even more. It can be implemented as a kickstarter campaign).

• Challenges in deploying multi-factor in EU, partially due to the costs and partially due to the cost involved. A cost-effective approach would help.
  

• An edu-token  as  a separate ‘token’ may reintroduce token management aspects (losing the token etc)

• management is (will be even more) a non issue as the majority of people will use phones. We should strike for that.

• Technically this problem can be solved, taking the above considerations into account.
  The real problem is how to scale the token vetting over EU. This is especially challenging for research collaborations.
  

The SAML Tracer (https://addons.mozilla.org/nl/firefox/addon/saml-tracer/) is a highly rated firefox plugin which was developed in our community (UNINETT, with contributions from others). As the browser is the central entity in any SAML transaction, it is extremely convenient tool for testing en debugging SAML transactions. There are not many alternatives to this tool

Unfortunately, Firefox has changed its plugin framework, rendering the existig plugin useless and a major rework is needed.

Money, a (junior) developer

Stefan Winter

Scott Koranda, LIGO

Nick Roy, InCommon

Thomas Lenggenhager, SWITCH:Feasibility to provide also a version for Safari compatible version? Thanks José Manuel, I now found the SAML Chrome Panel!

Pieter van der Meulen (SURFnet)

Michael Domingues (University of Iowa)

José Manuel, RedIRIS/SIR. Regarding Thomas question, there's a SAML Chome Panel extension for Chrome

Wolfgang Pempe, DFN

MIchael Brogan (University of Washington)

Nate Klingenstein (The California State University)

Marcus Mizushima (The California State University)

Andrew Morgan (Oregon State University)

David Bantz (U Alaska)

Brent Putman (Georgetown University, Shibboleth Developer Team)

Liam

The SAML Tracer (https://addons.mozilla.org/nl/firefox/addon/saml-tracer/) is a highly rated firefox plugin which was developed in our community (UNINETT, with contributions from others). As the browser is the central entity in any SAML transaction, it is extremely convenient tool for testing en debugging SAML transactions. There are not many alternatives to this tool

Unfortunately, Firefox has changed its plugin framework, rendering the existig plugin useless and a major rework is needed.

Money, a (junior) developer

Stefan Winter

Scott Koranda, LIGO

Nick Roy, InCommon

Thomas Lenggenhager, SWITCH:Feasibility to provide also a version for Safari compatible version? Thanks José Manuel, I now found the SAML Chrome Panel!

Pieter van der Meulen (SURFnet)

Michael Domingues (University of Iowa)

José Manuel, RedIRIS/SIR. Regarding Thomas question, there's a SAML Chome Panel extension for Chrome

Wolfgang Pempe, DFN

MIchael Brogan (University of Washington)

Nate Klingenstein (The California State University)

Marcus Mizushima (The California State University)

Andrew Morgan (Oregon State University)

David Bantz (U Alaska)

Brent Putman (Georgetown University, Shibboleth Developer Team)

Liam Hoekenga (University of Michigan)

Terry Smith (AAF)

Dalia Abraham (AAF)

Daniel Lutz (SWITCH)

Etienne Dysli Metref (SWITCH)

Martin Haase (DAASI)

Rod Widdowson (Steading System Software, Shibboleth Developer Team)

Allan West (University of Florida)

Dominique Petitpierre (University of Geneva)

Cédric BRINER (University of Geneva)

Eric Yurick (Gettysburg College)

Vlad Mencl (Tuakiri/REANNZ)

With eduroam Managed IdP, there is a service which takes all RADIUS hassle off of Identity Providers. There is no equivalent for eduroam SPs. I.e. a future eduroam SP either needs to set up a local RADIUS server and connect it to the NRO, or (if the NRO supports it) connect the Wireless Controller directly to an NRO server - losing all advanced features such as VLAN assignment. For small hotspots, there is a possible additional complication if the hotspot has a dynamic IP address, which makes the interconnection via RADIUS' shared secrets infeasible. Right now, such potential hotspots are not serviceable by eduroam infrastructure.

The goal of this activity is to create a self-service web portal where any prospect SP can register his hotspot (requiring sign-off by the NRO; comparable to eduroam Managed IdP) - regardless whether he has a static IP address, a dynamic one, or doesn't even know what an IP address is in the first place. The new hotspot's RADIUS connectivity is tested in real-time (e.g. using a credential from eduroam Managed IdP, a good complement to this service) and the new SP is instantly connected to the eduroam infrastructure. Where the NRO admin confirms that a particular hotspot maps to a specific realm or Managed IdP instance, the SP can even get VLAN ID assignments for his own users (that part of the use case is possibly a bit weak as an SP who does not know about setting up a RADIUS server likely also doesn't know about VLANs to begin with).

For the technicalities of the uplink itself, there should be support for multiple attachment anchors (=RADIUS servers behind the web interface) because geographical proximity to the hotspot is important for performance reasons.

The remaining complexity for the SP which this service will not take away is: phyiscal installation of APs, controllers, and the configuration of those so that they are providing proper local eduroam.

To ensure service quality on such "no clue" SPs, it could be made mandatory to install a probe at the site so eduroam Operations can monitor the hotspot quality.

VM for web interface, VMs for RADIUS attachment anchors, a clever idea how to handle registering hotspots with dynamic or unknown IPs

There were a multitude of reasons why the GÉANT community couldn't run the infrastructure for WIFI4EU.

Sufficient issues were exposed by managing this as a single centrailsed infrastructure (partially addressed by "get eduroam", "eduroam DEEP Learning", "eduroam SP-as-a-Service"). By identifying all the scaling blocks to existing eduroam services we'd be able to offer advice, guidance and technology push into govroam, WIFI4EU and eduroam services to support the existing infrastructure and development in new territories.

Georgi Tsochev, BREN

Reimer Karlsen-Masur, DFN-PKI

Great chance to accelerate the deployment of secure public Wi-Fi systems in the world and to inter-connect them. Related to my proposal of inter-roaming, but a separate work item dedicated to WiFi4EU is still preferred. (Hideaki Goto, NII)

Develop an inter-roaming architecture that connects various Roaming Consortia (RC) including eduroam, govroam, City Wi-Fi (secured), WiFi4EU, etc. to enable roaming, with or without Passpoint.

Make the deployment of off-campus eduroam/govroam services much easier. For example, eduroam accounts can be enabled on City Wi-Fi world-wide.

Contribute to the improvement of Hotspot 2.0 to make "eduroam on NGH" possible. (The current HS2.0 specifications and some implementations are known to have some issues hampering large RC creation.)

Contribute to the revisions of the WRIX specifications to make them as much compatible as possible with eduroam's. WRIX-i (interconnect) and WRIX-L (location) are the targets.

I would like to have a placeholder to include work that my be triggered by the revisited list of FIM4R requirements, as well as by AARC.  Furthermore, I'd also like to include in this box liaisons with EOSC hub concerning their T&I architecture developments and adoption/support of FIM technologies. This item cannot and should not be more specific than this at this point in time.

• Drive two factor towards ubiquity with low cost - create an eduToken (for the users that do not have a phone; critical mass can bring down the price even more. It can be implemented as a kickstarter campaign).

• Challenges in deploying multi-factor in EU, partially due to the costs and partially due to the cost involved. A cost-effective approach would help.
  

• An edu-token  as  a separate ‘token’ may reintroduce token management aspects (losing the token etc)

• management is (will be even more) a non issue as the majority of people will use phones. We should strike for that.

• Technically this problem can be solved, taking the above considerations into account.
  The real problem is how to scale the token vetting over EU. This is especially challenging for research collaborations.
  

isn't this the work being done in IoLR +REFEDS?

Some of it is - implementation in service contexts is not. It is expected any work in GEANT would do this, leaning on results from the above

With eduroam Managed IdP, there is a service which takes all RADIUS hassle off of Identity Providers. There is no equivalent for eduroam SPs. I.e. a future eduroam SP either needs to set up a local RADIUS server and connect it to the NRO, or (if the NRO supports it) connect the Wireless Controller directly to an NRO server - losing all advanced features such as VLAN assignment. For small hotspots, there is a possible additional complication if the hotspot has a dynamic IP address, which makes the interconnection via RADIUS' shared secrets infeasible. Right now, such potential hotspots are not serviceable by eduroam infrastructure.

The goal of this activity is to create a self-service web portal where any prospect SP can register his hotspot (requiring sign-off by the NRO; comparable to eduroam Managed IdP) - regardless whether he has a static IP address, a dynamic one, or doesn't even know what an IP address is in the first place. The new hotspot's RADIUS connectivity is tested in real-time (e.g. using a credential from eduroam Managed IdP, a good complement to this service) and the new SP is instantly connected to the eduroam infrastructure. Where the NRO admin confirms that a particular hotspot maps to a specific realm or Managed IdP instance, the SP can even get VLAN ID assignments for his own users (that part of the use case is possibly a bit weak as an SP who does not know about setting up a RADIUS server likely also doesn't know about VLANs to begin with).

For the technicalities of the uplink itself, there should be support for multiple attachment anchors (=RADIUS servers behind the web interface) because geographical proximity to the hotspot is important for performance reasons.

The remaining complexity for the SP which this service will not take away is: phyiscal installation of APs, controllers, and the configuration of those so that they are providing proper local eduroam.

To ensure service quality on such "no clue" SPs, it could be made mandatory to install a probe at the site so eduroam Operations can monitor the hotspot quality.

VM for web interface, VMs for RADIUS attachment anchors, a clever idea how to handle registering hotspots with dynamic or unknown IPs

There were a multitude of reasons why the GÉANT community couldn't run the infrastructure for WIFI4EU.

Sufficient issues were exposed by managing this as a single centrailsed infrastructure (partially addressed by "get eduroam", "eduroam DEEP Learning", "eduroam SP-as-a-Service"). By identifying all the scaling blocks to existing eduroam services we'd be able to offer advice, guidance and technology push into govroam, WIFI4EU and eduroam services to support the existing infrastructure and development in new territories.

Georgi Tsochev, BREN

Reimer Karlsen-Masur, DFN-PKI

Great chance to accelerate the deployment of secure public Wi-Fi systems in the world and to inter-connect them. Related to my proposal of inter-roaming, but a separate work item dedicated to WiFi4EU is still preferred. (Hideaki Goto, NII)

Develop an inter-roaming architecture that connects various Roaming Consortia (RC) including eduroam, govroam, City Wi-Fi (secured), WiFi4EU, etc. to enable roaming, with or without Passpoint.

Make the deployment of off-campus eduroam/govroam services much easier. For example, eduroam accounts can be enabled on City Wi-Fi world-wide.

Contribute to the improvement of Hotspot 2.0 to make "eduroam on NGH" possible. (The current HS2.0 specifications and some implementations are known to have some issues hampering large RC creation.)

Contribute to the revisions of the WRIX specifications to make them as much compatible as possible with eduroam's. WRIX-i (interconnect) and WRIX-L (location) are the targets.

Let's Encrypt and the certbot have made certificate management for 1 particular CA very easy and effective. With the addition of ACME v2 this will allow additional CAs to participate and allow the dev/test/production environments to automatically deal with certificates.

Work should also investigate eduPKI and Let'sRADSEC use of this mechanism for certificate maintenance.

TechEx 2016 ACAMP notes: https://docs.google.com/document/d/1o20NmuLjmNySp10QqfueO3of6jmoeTRfmgG4e_olZ_s/edit

Georgi Tsochev, BREN

Rhys Smith, UKf: Certbot is going to take over the world, so we should start doing stuff with it.

Reimer Karlsen-Masur, DFN-PKI

• Standardization
• SAML stack development

While for IdPs and SPs eduGAIN metadata requirements are well described, no such requirements exist for AAs. We have however already 5 of these entities in eduGAIN.

It would also be a good idea to consider/define what it would mean for an AA to claim CoCo, R&S and Sirtifi support

• Standardization
• Probably a no-brainer as much can likely be derived from IdP requirements (?)

Constantin Sclifos, RENAM

Nick Roy, InCommon

SURFnet

Rhys Smith, UKf: I think AAs will become more important as we move forward, and there is a gap here in policy that needs thinking about.

Wolfgang Pempe, DFN