Versions Compared


This page contains the service description, outlining how and where the service should be used, the targeted users, the service delivery model, and the service elements and topology.

RESPONSIBLE: The information on this page is initially populated by the development team (during the transition phase) and revised as needed or in a yearly service check by the eduroam Managed IdP Service Manager, with the exception of the CBA, which remains the responsibility of the business development team.

Service description

eduroam Managed IdP enables eligible institutions to outsource the technical setup of eduroam IdP functions to the eduroam Operations Team. eduroam IdP administrators use the service instead of a local authentication infrastructure and identity management. The service includes:

  • web-based user management interface where user accounts and access credentials can be created and revoked;
  • web-based institution management interface where institutions are enabled or disabled to use the service;
  • technical infrastructure ("CA") which issues and revokes end users' access credentials;
  • technical infrastructure ("RADIUS") which verifies end users' access credentials and subsequently grants access to eduroam.

The non-technical aspects of an eduroam IdP remain the responsibility of the eduroam IdP administrator and are subject to the eduroam Service Definition (Product Description on the eduroam wiki space).

Users

eduroam Managed IdP is a multi-level multi-tenant system with several stakeholder groups:

eduroam National Roaming Operator (NRO) administrators

eduroam NRO administrators recruit R&E institutions in their NRO region. They offer eduroam Managed IdP to these institutions and enable them to use the service through the NRO's web-based institution management interface. The service offers multi-tenancy on this level, meaning that each NRO has its own compartment in the system: an NRO administrator only sees their own institutions, and can manage only their own NRO's properties and subscription. The number of NRO-level tenants is limited by the number of DNS country-code top-level domains on the planet; that is, there is no discrimination between GEANT partner NRENs and other NROs.

The system is designed for 10.000 active end users per NRO. Usage up to that level is free of charge for every NRO; usage levels which go significantly beyond that are subject to cost recovery or load sharing. The eduroam OT will get in touch with NROs should their active end user count significantly exceed 10.000.

eduroam institution administrators (IdPs)

eduroam IdPs, once invited by their NRO, enroll in the service to provision, modify and remove individual users from eduroam. They do this entirely on a non-technical level using a web interface, and are spared all technical details usually associated with being an eduroam IdP.

The service also provides multi-tenancy on this level, here meaning that the IdP admin has their own compartment for their organisation in the system: they only see their own institution, and can manage only their own institution's properties and users. The number of users that can be managed is limited by the NRO admin (or, failing an explicit setting by the NRO admin, by a configurable default of 200 as a fallback in the system). The limit on the number of users is arbitrarily chosen and can be modified at deployment time.


eduroam users get an eduroam account simply by redeeming invitation tokens previously generated by their IdP admin. With that account, they use eduroam for as long as the administrator has sanctioned the use. Users can view and manage their account status at all times. Multi-tenancy on this level means that a user only ever sees their own eduroam account and associated credentials.
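The three tenancy levels just described (NRO compartment, institution compartment with an NRO-set user cap defaulting to 200, and single-use invitation tokens for end users) can be illustrated with a small model. This is an added example, not code from eduroam Managed IdP; the class, method names and the choice to count outstanding tokens against the cap are assumptions made for the illustration.

```python
# Added illustration, not eduroam's code: a minimal model of the page's three-level
# tenancy. Every call checks the caller's compartment, so an NRO admin only sees their
# own institutions, an IdP admin only invites users into their own institution, and the
# per-institution user cap (NRO-set, otherwise the 200 default) is enforced.
import secrets

DEFAULT_USER_CAP = 200   # fallback named on the page when the NRO admin sets no limit


class TenancyError(Exception):
    """Raised when an actor reaches outside their compartment or exceeds a cap."""


class ManagedIdP:
    def __init__(self):
        self.institutions = {}   # name -> {"nro": str, "cap": int|None, "users": set}
        self.tokens = {}         # outstanding invitation token -> institution name

    def enable_institution(self, nro_admin, name, user_cap=None):
        """NRO-level action: the institution is bound to the NRO that enabled it."""
        self.institutions[name] = {"nro": nro_admin, "cap": user_cap, "users": set()}

    def visible_institutions(self, nro_admin):
        """NRO admins see only the institutions in their own compartment."""
        return sorted(n for n, i in self.institutions.items() if i["nro"] == nro_admin)

    def effective_cap(self, institution):
        cap = self.institutions[institution]["cap"]
        return DEFAULT_USER_CAP if cap is None else cap

    def issue_invitation(self, idp_admin_of, institution):
        """IdP-level action: mint one single-use token. Assumption: outstanding tokens
        count as reserved seats so that redemptions can never overrun the cap."""
        if idp_admin_of != institution:
            raise TenancyError("IdP admin may only manage their own institution")
        reserved = sum(1 for inst in self.tokens.values() if inst == institution)
        if reserved + len(self.institutions[institution]["users"]) >= self.effective_cap(institution):
            raise TenancyError(f"user cap {self.effective_cap(institution)} reached")
        token = secrets.token_urlsafe(16)
        self.tokens[token] = institution
        return token

    def redeem(self, token):
        """End-user action: a valid token becomes exactly one account and is consumed."""
        institution = self.tokens.pop(token, None)
        if institution is None:
            raise TenancyError("unknown or already redeemed invitation token")
        users = self.institutions[institution]["users"]
        account = f"{institution}-user-{len(users) + 1}"
        users.add(account)
        return account
```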

Contacts

Roles: Service Manager, Deputy Service Manager, Service Owner, Development Team Lead, L1 support, L2 support, L3 support.

Named contacts: Miroslav Milinović, Stefan Winter.

eduroam IdPs are required to enter helpdesk details for their tenancy level. This is the L1 support for their end users; all questions about account expiry, revocation of login permissions etc. are handled inside the IdP.

eduroam NROs are providing the L1 support to the eduroam IdPs.

help@eduroam.org is first level contact provided by GEANT, and primarily targeting end users. NROs participating in eduroam Managed IdP are encouraged to subscribe to cat-users@lists.geant.org as a more direct channel to the development team.

In case of technical problems with the service itself, a "Message of the Day" (MOTD) is displayed on the web interface front page, immediately visible to both end users and administrators.

eduroam-ot@lists.geant.org: the eduroam OT has direct links to the development team.

Service delivery model

The service is delivered as a multi-level, multi-tenancy service as described above under "Users". It consists of a web service with ancillary systems (CA and RADIUS) in the background, as described at the beginning of this page.

Service Elements

Service elements can be grouped into the following two categories:

Technology infrastructure

The conceptual architecture and topology diagram of the technology in use is here.

Supporting infrastructure

Users (NROs, IdPs, end users) of eduroam Managed IdP use the same supporting infrastructure that is used by the respective user categories which do not use eduroam Managed IdP. In addition, users (NROs, IdPs, end users) of eduroam Managed IdP are provided with technical support (see Contacts above) for the specific elements of the eduroam Managed IdP service, according to the user category they belong to.

Cost Benefit Analysis


CBA Document, Payback Schedule