eduroam Managed IdP NRO Webinar
Stefan Winter, eduroam Development @ GN4-3, R&D Engineer, RESTENA Foundation, Luxembourg
www.geant.org
What is eduroam Managed IdP and who is it for?
• Becoming an eduroam IdP is somewhat involved on the technical level
  • Users have to be managed in an electronic repository (e.g. Active Directory)
  • A RADIUS server needs to be connected to both that identity repository and the eduroam fabric
  • Protocol specifics need to be known and implemented
  • Regular maintenance, updates, etc.
• For smaller organisations (say < 200 persons) the cost of implementing eduroam and maintaining the authentication systems can be excessive and beyond the resources of their internal IT teams.
• eduroam Managed IdP offers these organisations a quick, safe and cost-effective way to offer eduroam
eduroam Managed IdP
• Cloud-based institutional eduroam IdP infrastructure
• Secure and managed by experts from the eduroam Operations Team
• High-availability, professionally managed central infrastructure
• Controlled by the institution from a web browser
A Word on Technology
• System is based on EAP-TLS (“client certificates”) – the best available technology for user credentials
  • There is no password anywhere!
• The necessary Certification Authority infrastructure is built with scale and partitionability in mind.
• RADIUS servers are configured according to all the best practices in the eduroam Service Definition.
• Privacy is assured as best as possible with double-blinded pseudonymisation, and no real names are known to the system at any time.
eduroam Managed IdP – Role of NRO
• National Roaming Operators take the usual “facilitator” role
  • Identify and recruit organisations that benefit from it
  • Authorise access for future IdPs to the Managed IdP web interface
  • Assist as first level in case of problems
• Important: nothing happens without the NRO’s permission
• NRO personnel have a dedicated control panel
  • Configure properties of the NRO in Managed IdP
  • Authorisation control for IdPs
  • Statistics for the NRO service region
eduroam Managed IdP – NRO Deployment Options
• NRO chooses how much of the system to leave in GÉANT Operations
• Four levels:
  • Entire system is hosted at GÉANT (default)
    • Happy to accommodate up to 10,000 end users per NRO
  • UI and Certification Authority are hosted at GÉANT, end user authentication is handled locally
  • (UI is hosted at GÉANT, Certification Authority and end user authentication are handled locally)
  • Self-hosted – GÉANT provides source code and installation help only (https://github.com/GEANT/CAT)
Registration Procedure
• Sign-Up
• Configuring Managed IdP NRO Properties
eduroam Managed IdP – NRO Sign-Up
• NRO personnel themselves need to be recognised as such
  • i.e. they need an account for the eduroam Operations Support Systems with federation operator privilege: https://wiki.geant.org/display/H2eduroam/Access+to+eduroam+Operations+Support+Services
  • Many of you already have that!
• eduroam CAT needs that same privilege to manage the NRO in there
• Access to CAT => Access to Managed IdP
• Entry page: https://hosted.eduroam.org
eduroam Managed IdP – Entry Page
eduroam Managed IdP – Configuring NRO Properties
• Just like in CAT, there is a button
• Just like in CAT, the basic properties of the NRO can be edited
eduroam Managed IdP – Configuring NRO Managed IdP Properties
• Most of these entries are not specific to Managed IdP and are identical to CAT
• Only two are Managed IdP specific:
  • Managed IdP: max users per profile
    • Purpose: allows the NRO to control how “big” Managed IdP organisations are allowed to grow
    • Default: 200
  • Managed IdP: do not terminate EAP
    • Purpose: currently unused; controls whether the central instance is allowed to authenticate users for NROs which have a local authenticator breakout
    • Default: Off
• It is safe to leave both options at their defaults.
Onboarding a new IdP
• Communicating Managed IdP features and limits
• Issuing invitations
eduroam Managed IdP – Features and Limits
• eduroam Managed IdP takes the burden of all technical operation of an IdP away from the admin – but not the administrative aspects
• Institutions can:
  • Create and change users
  • Provision, revoke and expire credentials for users
  • Access status information about user credentials
  • Identify a user in case of abuse
• Institutions need to:
  • Manage decision-making on individual user eligibility
  • Accept liability for end user accounts created with this system
Issuing an IdP Invitation
• Exact same workflow as CAT
Issuing an IdP Invitation
• Invitation gets sent by e-mail
• IdP administrators need to react within 24 h
• NRO can re-send after the timeout if the window was missed
IdPs – Logging into the System
• When clicking on the link, IdPs need to authenticate to the system
• Many (larger) educational institutions in Europe use the authentication and authorisation platform “eduGAIN”
• The small organisations very likely are NOT present there. For them, the tab “Social Networks” allows them to authenticate with typical popular web services such as Google, LinkedIn, etc.
IdPs Using Managed IdP
• IdP administrators use the same front-page link to log in
• As NRO administrator, you can of course invite yourself and use the system in the IdP role
• Further details of how an IdP administrator manages their own user base etc. are covered in a dedicated webcast: https://youtu.be/D3ba889Oqps
Federation Oversight
• Tracking IdP state
• Taking control of an IdP
Federation Overview
• You can see:
  • Active organisations
  • Active realms inside the organisations
  • Pending invitations
Federation Overview
• You can:
  • Revoke pending invitations
  • Add/remove administrators
  • Take control of an organisation
Thank You! Time for Questions …