The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Daniele Albrizio <albrizio AT units.it>]

Well, Stefan, I'm interested in this evolution of the eduroam CAT service too.
We have about 23k  potentially active eduroam users and we would like to 
issue them a one-time (per install) keypair or, if not possible, a long live 
pair to avoid easily bad configured clients without server trust validation 
(users forcing not to check the server certificate). This should be, as you 
can easili figure out, SAML or openid connect authorized.
We do not have internal man power to set up such a solution and neither we 
can afford to outsource such a project, so I think a centralized project with 
a fairly paid plan could be an affordable solution for us.

Yes, it sounds as a "me too" :)

Daniele

On 26/11/18 08:59, Stefan Winter wrote:
> Hello,
>
> > We are currently thinking about a larger scale IdP (100k+ Users) that would 
> > use client certificates for authentication.
> > To distribute those certificates, the CAT installers/profiles would be a good 
> > option (as the v2 Hosted IdP does).
> >
> > Is there an API call (like 'generateInstaller') that would accept a 
> > certificate .pem to include in the installer?
> > Or any other ideas to handle this?
> The installer would need to have the certificate *and* private key. Our
> basic assumption behind CAT (and MIdP) was that we don't want anyone
> else's secrets, and expect nobody to want to send them to us anyway; so
> uploading a private key is indeed not foreseen.
>
> For eduroam Managed IdP, the communication is unidirectional. Our system
> itself generates a private key, and sends it out in the installer
> (PIN-protected on the transport leg).
>
> If you really are comfortable with sending us the future users' private
> keys(?) then we could probably create an API call to generate
> "MIdP-like" installers from that external source. Unfortunately, some
> installers require us to know the private key in clear (ChromeOS
> encrypts the entire configuration file with the PIN, not just the
> private key portion).
>
> Alternatively, if you can live with becoming a Managed IdP user and with
> leaving the cert generation to us: the existing API allows an NRO
> operator to remote-control all the important aspects of the system down
> to the individual user level. That way, you could create those 100K
> users in the system, issue 100K invitation URLs, make us send them to
> the users via E-Mail or SMS, and have them pick up their eduroam
> credentials with that.
>
> I used those API calls extensively during the development phase for
> stresstesting (and my tests went up to 1M users).
>
> The only limitation here would be non-technical: the soft limit for user
> count in eduroam Managed IdP is going to be 10K users per NRO. More is
> certainly possible, but we'd have to discuss some kind of a paid plan
> for that bulk usage.
>
> Greetings,
>
> Stefan Winter
--
Daniele ALBRIZIO - daniele.albrizio AT units.it
         Tel. +39-040.558.3319
  UNIVERSITY OF TRIESTE - Network Services
     Unita' di Staff Reti di Ateneo
via Alfonso Valerio, 12 I-34127 Trieste, Italy

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature