
cat-users - Re: [[cat-users]] Installers with certificate

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive


Re: [[cat-users]] Installers with certificate


Chronological Thread 
  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Daniele Albrizio <albrizio AT units.it>, cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] Installers with certificate
  • Date: Mon, 26 Nov 2018 11:50:36 +0100
  • Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Hello Daniele,

well, be our guest :-)

Basically, you only need to do the SAML bits yourself (create a SAML SP)
and a database that maps the SAML identities to the newly created
eduroam Managed IdP user accounts.

The API calls are simple JSON constructs and a full user provisioning
workflow involves the following calls:

One profile for each user group:

ACTION_NEWINST
ACTION_NEWPROF_SB

For every user inside such a group:

ACTION_ENDUSER_NEW
ACTION_TOKEN_NEW

There are also API calls to revoke tokens and certificates, deactivate
users etc.

So your SAML SP merely needs to do an HTTP POST of some JSON data to get
things done.

More details on the admin API for CAT 2.0 and Managed IdP are here:

https://wiki.geant.org/display/H2eduroam/A+guide+to+eduroam+CAT+2.0+and+eduroam+Managed+IdP+for+National+Roaming+Operator+administrators#AguidetoeduroamCAT2.0andeduroamManagedIdPforNationalRoamingOperatoradministrators-UI-lessAutomatedManagement:theAdminAPI(2.0)

Greetings,

Stefan Winter

Am 26.11.18 um 09:52 schrieb Daniele Albrizio:
> Well, Stefan, I'm interested in this evolution of the eduroam CAT
> service too.
> We have about 23k potentially active eduroam users and we would like to
> issue them a one-time (per install) keypair or, if not possible, a
> long-lived pair to avoid easily misconfigured clients without server trust
> validation (users forcing not to check the server certificate). This
> should be, as you can easily figure out, SAML or OpenID Connect authorized.
> We do not have internal man power to set up such a solution and neither
> we can afford to outsource such a project, so I think a centralized
> project with a fairly paid plan could be an affordable solution for us.
>
> Yes, it sounds like a "me too" :)
>
> Daniele
>
> On 26/11/18 08:59, Stefan Winter wrote:
>> Hello,
>>
>>> We are currently thinking about a larger scale IdP (100k+ Users) that
>>> would use client certificates for authentication.
>>> To distribute those certificates, the CAT installers/profiles would
>>> be a good option (as the v2 Hosted IdP does).
>>>
>>> Is there an API call (like 'generateInstaller') that would accept a
>>> certificate .pem to include in the installer?
>>> Or any other ideas to handle this?
>> The installer would need to have the certificate *and* private key. Our
>> basic assumption behind CAT (and MIdP) was that we don't want anyone
>> else's secrets, and expect nobody to want to send them to us anyway; so
>> uploading a private key is indeed not foreseen.
>>
>> For eduroam Managed IdP, the communication is unidirectional. Our system
>> itself generates a private key, and sends it out in the installer
>> (PIN-protected on the transport leg).
>>
>> If you really are comfortable with sending us the future users' private
>> keys(?) then we could probably create an API call to generate
>> "MIdP-like" installers from that external source. Unfortunately, some
>> installers require us to know the private key in clear (ChromeOS
>> encrypts the entire configuration file with the PIN, not just the
>> private key portion).
>>
>> Alternatively, if you can live with becoming a Managed IdP user and with
>> leaving the cert generation to us: the existing API allows an NRO
>> operator to remote-control all the important aspects of the system down
>> to the individual user level. That way, you could create those 100K
>> users in the system, issue 100K invitation URLs, make us send them to
>> the users via E-Mail or SMS, and have them pick up their eduroam
>> credentials with that.
>>
>> I used those API calls extensively during the development phase for
>> stress testing (and my tests went up to 1M users).
>>
>> The only limitation here would be non-technical: the soft limit for user
>> count in eduroam Managed IdP is going to be 10K users per NRO. More is
>> certainly possible, but we'd have to discuss some kind of a paid plan
>> for that bulk usage.
>>
>> Greetings,
>>
>> Stefan Winter
>>


--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0xC0DE6A358A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
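The provisioning workflow Stefan lays out (a SAML SP, a local database mapping SAML identities to Managed IdP accounts, and the four admin API actions issued in order) as an added example; it is not part of the mail or of the CAT project's code. The JSON envelope, the parameter names, the fake endpoint and the sample identities are assumptions constructed for illustration; only the action names come from the mail.

```python
from typing import Callable, Dict, Optional
# The action names are those named in the mail; the request envelope
# ({"ACTION": ..., "PARAMETERS": {...}}) and the parameter names are
# ASSUMPTIONS made for this illustration, not the documented wire format.
class Provisioner:
    """SAML SP side: one profile per group, one user + token per identity."""
    def __init__(self, post: Callable[[dict], dict]):
        self.post = post                      # transport: request -> decoded reply
        self.inst_id: Optional[int] = None
        self.profiles: Dict[str, int] = {}    # group name -> profile id
        self.users: Dict[str, int] = {}       # SAML NameID -> Managed IdP user id

    def _call(self, action: str, **params) -> dict:
        reply = self.post({"ACTION": action, "PARAMETERS": params})
        if reply.get("result") != "success":  # stop rather than leave a half-made user
            raise RuntimeError(f"{action} failed: {reply}")
        return reply
    def ensure_institution(self, name: str) -> int:
        if self.inst_id is None:
            self.inst_id = self._call("ACTION_NEWINST", name=name)["id"]
        return self.inst_id

    def ensure_profile(self, group: str) -> int:
        if group not in self.profiles:        # created once per group, not per user
            r = self._call("ACTION_NEWPROF_SB", inst_id=self.inst_id, name=group)
            self.profiles[group] = r["id"]
        return self.profiles[group]

    def onboard(self, saml_nameid: str, group: str) -> Optional[str]:
        if saml_nameid in self.users:         # idempotent: no second account or token
            return None
        profile = self.ensure_profile(group)
        uid = self._call("ACTION_ENDUSER_NEW", profile_id=profile, user=saml_nameid)["id"]
        self.users[saml_nameid] = uid         # the SAML -> Managed IdP mapping store
        return self._call("ACTION_TOKEN_NEW", user_id=uid)["token"]

def fake_api(calls: list, body: dict) -> dict:
    """Constructed stand-in for the endpoint (no network): logs the action, returns a sequential id."""
    calls.append(body["ACTION"])
    reply = {"result": "success", "id": len(calls)}
    if body["ACTION"] == "ACTION_TOKEN_NEW":
        reply["token"] = f"invite-{len(calls)}"
    return reply

def demo():
    """Constructed sample: three identities in two groups, one logging in twice."""
    calls: list = []
    p = Provisioner(lambda body: fake_api(calls, body))
    p.ensure_institution("Example University")
    logins = [("alice@example.org", "staff"), ("bob@example.org", "staff"),
              ("alice@example.org", "staff"), ("carol@example.org", "students")]
    return calls, [p.onboard(u, g) for u, g in logins]
```

The second login of the same SAML identity yields no new account or token, and a failed step raises before the local mapping is updated, so the mapping database never records a user the remote side does not have.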




Archive powered by MHonArc 2.6.19.
