The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Tomasz Wolniewicz <twoln AT umk.pl>]

Hi,

 I would like to make sure that I understand correctly. You would suggest that for certain IdPs, the IdP selection would result in federated authentication and authorization and that the download would not be possible without authorization?

This should be doable if more people thought that this is the right approach. Out of curiosity, how do you separate users who are allowed to use eduroam? Would this be really done on per user basis or rather would it be that you allow certain groups. In the second case you could probably just define CAT profiles for the authorized groups and one for everyone else. This last one would then implement a redirect to your local page which would tell them to  'forget it'.

This would not prohibit people downloading other profiles, but they would receive plenty of warning that stuff will nit work for them.

Tomasz

-----

Tomasz Wolniewicz

Dnia 1 lis 2013 o godz. 22:25 Robert Mertling-Blake <rm29 AT soas.ac.uk> napisał(a):

One thing we've looked at is using shibboleth to pre-auth users before downloading apple mobileconfig profiles - one reason being that we were considering making sure that only people entitled to connect to eduroam could do so, and those that weren't were given an explanation rather than connection issues - we also used the login data to prepopulate the username field (concatenating in @realm) in the mobileconfig profile.

Never got round to implementation on the entitlement side, but the pre-populated username has worked a treat.

Rob

On 1 Nov 2013 16:34, "Tomasz Wolniewicz" <twoln AT umk.pl> wrote:

Hi,
  frankly I would be against filling in the realm automatically. This would only work in a limited number of situations, and I think that it would only confuse users that sometines they need the full identifier and sometimes the user part is enough.
Alerting the user about the missing '@' would be fine, though.
Tomasz



W dniu 01.11.2013, 21:04, Brian Epstein pisze:

Hi Philippe,

    This is a good idea.

    On the same topic, one thing we noticed with the Windows tool is that
it didn't automatically fill in the domain.  Would it be possible to
automatically input the realm specified in the CAT tool in that field
as well?

Many thanks,
ep

On 11/01/2013 02:29 PM, Philippe Hanset wrote:
> One of the schools that uses CAT in our US federation asked me if
> it would be possible for CAT to automatically fill the REALM (or at
> least check for its absence and warn the user) when users enter
> their credentials. It doesn't have to automatically add the REALM
> but it could at least check for the existence of a structure of the
> form *@*

> BTW... will you add the LOGOUT button on the admin interface?

> Thanks,

> A bient?t,

> Philippe


> Philippe Hanset www.anyroam.net <http://www.anyroam.net>

>

--
Tomasz Wolniewicz   
  twoln AT umk.pl     http://www.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication
                                      Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750  fax: +48-56-622-1850 tel kom.: +48-693-032-576