Webinar “Managed IdPs Service for National Roaming Operators” – Q&A transcript
20/11/19

Q1: How does one identify end users in case of abuse?

A1: Abuse is detected and reported by the eduroam Service Provider (SP) where the user was conducting the abuse. The SP sees the username in the second-level pseudonymisation (client certificate username) – opaquehash...@X-Y.<TLD>.hosted.. eduroam Operations can extract from that username that
a) this is an eduroam Managed IdP user
b) the user belongs to the NRO with the top-level domain <TLD>
c) the IdP in question is the one with IdP identifier X and profile Y.
With this information, the NRO of the corresponding country can find out which IdP administrator administers IdP identifier X and can contact that administrator. The IdP administrator has the full list of second-level pseudonyms (client certificate usernames) and the corresponding first-level pseudonym (username as chosen by the admin during user provisioning). With his knowledge about which first-level pseudonym maps to which individual in the organisation (external to the eduroam Managed IdP system), the actual human user is identified.

Q2: Are there plans to improve the institutional admin facing documentation? Because it is quite sparse, and doesn't explain the user base management very well. In particular, it's proving complex for admins who're expecting usernames and passwords and have never encountered certificates as a means of authentication.

A2: Yes. Since passwords were never a part of the system design, we currently do not discuss their absence. But as this lack of discussion has been flagged during the webinar, we will strive to explain why none are needed.

Q3: Is there a way to register a prettier realm for some IdP than just numbers, like "75-70.<country>."? It would be good to have the possibility to put some short acronym of the IdP instead of just numbers. I think it would also help in identifying the org in case of abuse. Maybe the IdP administrator may even be allowed to choose between 1. automatic generation of some number-based name, or 2. input of a short acronym.

A3: That is indeed possible, within certain technical limits. We take it as a feature request to enable IdP administrators to specify an acronym for their organisation to be used instead of the current integer identifier. Length is crucial here, as the total length of usernames in client certificates cannot exceed 64 characters. A maximum of five characters for a custom IdP identifier should be possible.

Q4: Can an organization use eduroam Managed IdP for visitors? Or only for members of the organisation?

A4: The service was primarily conceived for (the entirety of a) small organisation without other identity management, so that its members can get eduroam accounts. However, even large organisations with their own IdM and RADIUS server may face situations where a short-term visitor or supplier should get short-term eduroam access without being introduced to the proper IdM system. From the eduroam Operations side, nothing speaks against giving such a large organisation their own Managed IdP for such purposes. It is at the discretion of the NRO to decide whether they want to enable their established RADIUS-based IdP with an additional Managed IdP access.

Q5: Do we have any limitations related to the supported operating systems?

A5: eduroam Managed IdP uses the same technological foundation as its companion eduroam CAT. As such, the same operating systems as in eduroam CAT are supported. This currently includes all supported versions of Microsoft Windows, Apple devices (macOS, iOS, iPadOS), Android versions 4.3 and above, Linux and Google ChromeOS.

Q6: Is there any possibility of GÉANT making a charge for use of this service by NROs at any time in the future (i.e. will it always be free)? And I guess the provision of this service is as guaranteed to be provided by GÉANT as CAT is (i.e. for as long as any of us can foresee!)

A6: The intention is to keep the tool free to use just like all other eduroam Operations Support Services. The only possible limitation is when a single NRO encompasses more than 10.000 active end users in the system. When that threshold is surpassed, we will need to check back with the NRO how to share the associated system load and operation cost.

Q7: Backend is FreeRADIUS, right? Where (in GÉANT/CAT?) can I see how it is configured? Curious about the EAP-TLS implementation part of the service.

A7: A link to the GitHub repository with the scripts that generate the FreeRADIUS configuration has been added to the webinar materials.

Q8: Do the involved parties (GÉANT, NRO, IdP) need to sign separate data processor & data controller agreements to be able to offer & use the described service?

A8: The IdPs using the system are data controllers, while eduroam Managed IdP is a data processor for them. These roles are established during the mandatory “Accept Terms & Conditions” workflow that every future IdP has to go through before they can use the system.

Q9: Is the fully GÉANT-hosted service available globally? In Australia there is at least one institution that wishes to use Managed IdP.

A9: As with every other eduroam Operations Support Service, eduroam Managed IdP is available for all NROs world-wide.

Q10: Well, this is good for organised small institutions with a domain and maybe an administrator, but how about individual users/researchers/visitors with only their Gmail/Yahoo addresses and no institutional email addresses who would like to use the service?

A10: The domain of an end-user’s mail account is not important for the system; the link to the eduroam access credential (installer with client certificate) can be transmitted via arbitrary means, to arbitrary destinations. However, it is important that this person is part of the Research and Education community. That is not typically true for single individuals; individuals are typically part of an R&E organisation such as a school, university or research centre. Then the organisation becomes an IdP in the eduroam Managed IdP system, and issues the user account to the individual.

Q11: Is there any constraint regarding attributes that might be delivered from SPs? Or any assumption about filtering, e.g. NRO termination of Accounting Requests from SPs? If Framed-MTU is not set, I presume SPs can expect 'trouble', or is the IdP RADIUS server config very 'safe' to avoid oversized UDP packets?

A11: The system was indeed designed to survive network conditions with broken UDP fragmentation settings or SPs filtering Framed-MTU. During the design phase, we chose Elliptic Curve cryptography keys for the client certificates, which are much smaller compared to RSA keys. By carefully counting bytes, we arrived at certificates which are way below 1500 bytes, allowing for RADIUS protocol wrapping and some reserve for proxies adding more attributes. Fragmentation is thus avoided in almost all typical situations.

Q12: What is the relationship between NRO and NREN?

A12: In emerging territories that have no NREN, the NRO is sometimes a university. This allows eduroam to be deployed before an NREN exists. Even in more developed eduroam territories, the existing NREN may have outsourced the operation of eduroam to a third party, which is then the NRO. However, in the vast majority of cases, the NREN is at the same time the NRO.

Q13: If there is time I would like to comment on the "Administrator Interface - Managed IdP User Management" interface page. The list of users becomes ugly if a particular user has lots of certificates issued/revoked. So, it would be very good to have the possibility of pop-up lines for each user in the list.

A13: This has been reported before and our next code update 2.0.3 cleans this up in the user interface. That code is already finished and awaits deployment in the coming weeks.

Q14: Just for clarity, you don’t need to have an authentication system to use the service.

A14: That is correct. No local infrastructure is needed.
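As an added illustration of the abuse-handling chain in A1 and the 64-character client-certificate username ceiling in A3 (example code written for this page, not code from the webinar or the eduroam project), the following Python parses a second-level pseudonym and walks the lookup from SP report to first-level pseudonym. The hash value, the `nl` TLD, the admin contact and the `hosted.example` suffix are constructed placeholders, since the page truncates the realm after "hosted.".

```python
import re
from typing import Optional

# Second-level pseudonym as seen by the SP (client-certificate username), per A1/A3:
#   <opaque hash>@<IdP identifier>-<profile identifier>.<NRO TLD>.hosted.<...>
# The part after "hosted." is not spelled out on the page; the pattern only
# requires that something follows. The 64-character ceiling comes from A3.
MAX_CERT_USERNAME_LEN = 64
PSEUDONYM_RE = re.compile(
    r"^(?P<opaque>[^@\s]+)@(?P<idp>\d+)-(?P<profile>\d+)\."
    r"(?P<tld>[a-z]{2,})\.hosted\.[a-z0-9.-]+$",
    re.IGNORECASE,
)


def parse_second_level_pseudonym(username: str) -> Optional[dict]:
    """What eduroam Operations can read off a reported username (A1, steps a-c)."""
    if len(username) > MAX_CERT_USERNAME_LEN:
        return None  # could never have been issued as a client-certificate username
    m = PSEUDONYM_RE.match(username)
    if not m:
        return None  # not a Managed IdP user at all
    return {
        "managed_idp": True,              # (a) Managed IdP user
        "nro_tld": m["tld"].lower(),      # (b) which NRO to contact
        "idp_id": int(m["idp"]),          # (c) IdP identifier X ...
        "profile_id": int(m["profile"]),  #     ... and profile Y
    }


def resolve_abuse_report(username: str, nro_idp_admins: dict,
                         idp_admin_tables: dict) -> Optional[str]:
    """Chain from A1: SP report -> eduroam Ops -> NRO -> IdP admin -> first-level pseudonym.
    nro_idp_admins: {(tld, idp_id): admin_contact} held by the NRO;
    idp_admin_tables: {admin_contact: {second_level: first_level}} held by each IdP admin.
    Mapping the first-level pseudonym to a person lives outside the system, so it ends here."""
    info = parse_second_level_pseudonym(username)
    if info is None:
        return None
    admin = nro_idp_admins.get((info["nro_tld"], info["idp_id"]))
    if admin is None:
        return None
    return idp_admin_tables.get(admin, {}).get(username)


# Constructed sample data; hash, TLD, admin contact and "hosted.example" are placeholders.
SAMPLE_USERNAME = "0123456789abcdef0123456789abcdef@75-70.nl.hosted.example"
NRO_IDP_ADMINS = {("nl", 75): "idp-admin@placeholder-org.example"}
IDP_ADMIN_TABLES = {"idp-admin@placeholder-org.example": {SAMPLE_USERNAME: "user0042"}}

if __name__ == "__main__":
    print(parse_second_level_pseudonym(SAMPLE_USERNAME))
    print(resolve_abuse_report(SAMPLE_USERNAME, NRO_IDP_ADMINS, IDP_ADMIN_TABLES))
```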