
geteduroam assists eduroam organisations and users with easy and secure onboarding of eduroam clients by delivering Apps or configuration profiles. With eduroam CAT (configuration assistant tool) as the go-to place for eduroam profile management, geteduroam displays the same list of options in Apps, simplifying onboarding.

Users typically use eduroam with a username and password, but without assistance they may misconfigure the mutual authentication, exposing their credentials to a man-in-the-middle attack. The geteduroam Apps and eduroam CAT profiles make sure these settings are correct.

geteduroam pseudo-accounts

In addition to configuring regular eduroam accounts, geteduroam has the ability to create pseudo-accounts via (web) federated authentication. These pseudo-accounts remove all credential attack vectors, since the authentication relies purely on mutual certificate-based authentication. Offered as a hosted service, it also significantly simplifies the authentication infrastructure required for eduroam. This part of geteduroam can be seen and deployed as “eduroam RADIUS IdP as a service”, but it can also run at the IdP directly: it is designed to scale well.
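As an added illustration (not a profile produced by CAT or geteduroam), the three blocks below use wpa_supplicant.conf syntax to show what “correct mutual authentication” means in practice: the first trusts any RADIUS server and therefore exposes the password exchange to a man-in-the-middle, the second pins the CA and server name the way an onboarding profile does, and the third is the certificate-only form a pseudo-account uses. The realm example.org, the server name radius.example.org and all file paths are placeholders.

```conf
# 1. Weak: no ca_cert and no server-name match, so the client accepts
#    any RADIUS server certificate and the inner MSCHAPv2 exchange can
#    be relayed through an impostor (the misconfiguration described above).
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="user@example.org"
    password="REPLACE_ME"
}

# 2. Hardened username/password profile, as CAT/geteduroam configure it:
#    trust only the institution's RADIUS CA, require the expected server
#    name, and keep the real username out of the cleartext outer identity.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    # outer identity, visible on air; real identity travels inside TLS
    anonymous_identity="anonymous@example.org"
    identity="user@example.org"
    password="REPLACE_ME"
    # placeholder path to the institution's RADIUS CA certificate
    ca_cert="/etc/ssl/certs/example-org-radius-ca.pem"
    # placeholder expected server name in the RADIUS certificate
    domain_suffix_match="radius.example.org"
}

# 3. Pseudo-account style: EAP-TLS, no password at all. The client key
#    never leaves the device, and the same CA/server-name pinning applies.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TLS
    anonymous_identity="anonymous@example.org"
    identity="pseudo-id@example.org"
    # placeholder paths to the device-held client certificate and key
    client_cert="/etc/eduroam/client.pem"
    private_key="/etc/eduroam/client.key"
    ca_cert="/etc/ssl/certs/example-org-radius-ca.pem"
    domain_suffix_match="radius.example.org"
}
```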

National Roaming Operators (NRO)

The National Roaming Operator has the ability to “opt in” its organisations for the use of eduroam CAT. Any institution granted access to eduroam CAT can use CAT and the geteduroam Apps for client onboarding.

It is also up to the NRO whether to offer users a pseudo-account workflow, providing “eduroam RADIUS IdP as a service” functionality when an Identity Provider opts in to such a service. Any IdP could also build such a service by itself.

The pseudo-account service can be installed at institution level or NRO level, or an international service from the eduroam Operational Team can be used. At this point in time this is a trial service, for which we define the best practices for its configuration as we go along.

Identity Providers (institutions)

If you are an identity provider and interested in using eduroam CAT and geteduroam Apps, or the geteduroam pseudo-accounts in particular: contact your eduroam National Roaming Operator. With the right skillset, you can also implement a local geteduroam pseudo-account server, but your NRO may be able to assist you as well.

CAT pseudo-account profile configuration

In order to create a CAT profile that supports pseudo-accounts, all you need is a profile that is "production enabled", and has a redirect location set to a particular URL. This URL comes from your own deployment of a geteduroam pseudo-account server, or from the NRO/centralized services. See https://www.geteduroam.app for more resources.

geteduroam pilot services from eduroam OT

A centralised pseudo-account service is proposed, managed by the eduroam Operational Team and connected to eduGAIN. NROs can opt in to this service and offer it to their IdPs. It may be attractive to institutions with cloud IdM solutions such as Azure AD, or to institutions that find it hard to set up a RADIUS infrastructure.

The functionality sits somewhere in between eduroam CAT and the eduroam Managed IdP. CAT solely provides profiles for a proper configuration with credentials users already have. The Managed IdP issues credentials to users that have no federated Identity Management. Managed IdP profiles can be consumed by both the eduroam CAT App and the geteduroam App. The geteduroam pseudo-accounts are issued after (web) federated authentication, with the keys created and managed inside the Apps. The RADIUS authentication is similar to that of the Managed IdP, and can be scaled out well or even delegated to the institutions themselves.

Part of the geteduroam pseudo-account trial hosted by the eduroam OT is defining the best practices for connecting institutions to a centralised service and making this scale well. It may require additional settings (such as the eduGAIN entityID or an explicit NRO opt-in), which may become input for the development of the eduroam CAT services.
