cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
List archive
- From: Stefan Winter <stefan.winter AT restena.lu>
- To: Daniele Albrizio <albrizio AT units.it>, cat-users AT lists.geant.org
- Subject: Re: [[cat-users]] Installers with certificate
- Date: Mon, 26 Nov 2018 11:50:36 +0100
- Autocrypt: addr=stefan.winter AT restena.lu; prefer-encrypt=mutual; keydata= xsFNBFIplEwBEADTSz+DS8nio+RSvfSLLfaOnCGi1nqpn8Pb1laVUyEvnAAzZ5jemiS88Gxf iDH6hUGlWzcaW0hCfUHGiohr485adbjxRksPngWgAt/1bRxpifsW3zObFjgog01WWQV5Sihl wc4zr8zvYbFA5BJZ6YdkR9C5J015riv5OS30WTjA65SSXgYrb7zJWPwmegTFwE093uBFvC39 waz3xYpVu5j87nO6w2MVQt/8sY2/2BFPEq+xfOajl18UEwc7w8SCgnZdlVNcmEK4UBvJuwS/ 1lsR2JeQa8Gu1EDxC7PRgMgNXsDSWnnBe9aVmfG54+6ILe1QH2dwk9sPBQT5w2+vjijrb3Dv 9ur+1kN+TNU2XE436jVpnnY/3OsLdix30STQn4Q/XOm7YoVMeDwwviefilRxzK0dXA+wKj92 T68Od82CFxuZqPAgBCVmWfQM91iK9piqFK+QP+R3vF6+NGDBdwbe68iVKs0v5L8XmbxBQndj pmo+lo2asmBR2TAIfZHaKdgtBw13u3GPVVKlg/Mpko8ki9JOSem2aFyi3kQEVKptWgXT3POl 97DWJzsR5VyKz6GOx9kJAEISRyLZwm0wqh8+9LCza5oeIKW381lzq1b9x30vOh8CBSQQJ+cG 9ko0yPHAj7Suw2TmPXx1qMctmE6Ahq82ZW30SljdZby8WQuR2wARAQABzTxTdGVmYW4gV2lu dGVyIChSRVNURU5BIGtleSAyMDEzKykgPHN0ZWZhbi53aW50ZXJAcmVzdGVuYS5sdT7CwXkE EwECACMFAlIplEwCGwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRDA3mo1ijncZj7/ D/99hVS+mJr8dSPCaDaUFFxBiT2eI1LoR8VKEerTCRw5BsdL6pN2eRJZ9NmsqWo1ynWVHEzO 91bNZ+oZGgyoNohcBAI7p+r0qUTzkyqwdZO4kMm0pqKoM9xkP3tf2mjGujKjOz4Y7S7wnz2Z FokeUsecoRVJF/++/qHnmeWLn44J1HUKLHYCjMu+QXGOgGXgz024jQ5eUrnPwzNp0Z90AFVH lWC+bymty/ToIUUCQqS5Ff0jzdWLd8U695OG9iGvjBQT1LdEjsfbAwuKV5UcnpxNqUpUwKa5 9hdX5/2cMZP07FI1UXwnBlxa8rJfdb13FLjSKX4vUUHedYUZMjMPgcwl1a+zGE22lHiSQWgP 8QLA/W3BLsi22ERCEPZBfexOeOtaWIItDIz18fIaQoMDoRPshzar0JI2CzLYsyeKySAtYJEH FVoLmMvhkwzBmgqA/BEswUA67CfCr1jFHRXdpmWM7YkyAmMa9q6LwquWKS5+MXlUXe/3oZUc gpw/T9Uuy3Jo3RdS7B3jFcWaVr6KsO/A9u1gr/aYn5M+iJTQSj4vzqtkQaJTpSspRZoKa66H Zt3IwSYiDiYZqtM83ynuj9kjnZzGfnuTaNIi996q6Mptr33mOzIE1wmMqnJYwTr3EcNtf483 q/qrJwh5ES8Q9xY7aat/ZcSl8fKubW4TlfVr8c7BTQRSKZRMARAAvBPpn7FQq7LQ5glohtbL 6XIEo1U4X67S0TzUYieENSWSVYuWYIhCBldmWdmH8Bpj/qHeqdon7v+SLtR4WngzMR9toupK cFfHnbP9kpazTSB2ySHxXWGX1gJOpPXdCcg9iveKBHEsDn00ThTcPsvtXpnnzET16pXIvOXO 0bxTmVZ4INIF1SWgvYma/g8kBbgXLpkj8tOywBqFiiYPEZlDeCxDHiMgUDh6olda9K/0TZFT dMPUgjKuubfAeaDNCOrVt4RjmFOaRLikcZocmgJhm3z/j25x7/mnNu+0di1H/S67YGQJ+pqC FInzIXDx7aRW2+JCiqsY2X3xOPWZZzjyis5SNnfOcPH3gt2hYz1fy+thsBGf4NgCN01JRqIJ 2/MOQCgUdwh+9l8xqaJvCkUHM4hVh4W62MAe1u7UEqQbvvNEqxM5034vcvlE+/LRkrDCspw+ 2YJ9QyroLerVRwW5DVleP8Ifi8VB3yD80nqXYs9aqRy0BkDNIQ43ERhESMt8dJqrNkxgC6pe mZrhNwyDh+hy2kPNGQh/iBpdKuH1o3E24TIZoV2v3YHvzob7aAYHddE/PofAXhJW7I9mAs+H dWDmnI8ckuPDFpFH+Y/BFGvEXgcnJAJ1wEvf+4LuiIi0MHjR4EWFn9vvoFDAIqD10h3FSd3D 59HGtdSsNn4XaCsAEQEAAcLBXwQYAQIACQUCUimUTAIbDAAKCRDA3mo1ijncZhBtEACL036d djc5pFoYIdoUY1vT8SMXJNquewCnL1quDADzqDZFU5GNlQEy10krSfBwlTb9ahTtE0JFrOdZ wUZtoa1Pgfr8nU6KOgrXPHbNjS/9dyc5CwGVVIpOavIm2CsMVDJ9LCF/NT+u/t1k6eGfHhPV l3dUQyDa/lzc1chKUIVQYQkFmr0A/iXP+29lFCaI+IeyU0bSdZhezDwUROn5vEx+fiPZyHDS hCb+BxJv/o2LQp9JHenCiSbO+ioRZdxgbWfoKBuXOfmSStqMWXas/gZ5vS3xq72LNtKPRxgp jX3P8Zml1XDqpcBau7eK75VKE0Yd06YxnUIsbcEzInUc3uzW/u0DFpXYkMJb0XIvJyUt5yYP KfV13N8kSkPi5pLxm8yuftXMzfgeFMR7nafY3glTVj/TxElzg6xeZNqfC2ZjIbBtZg9ylHU8 u8wwB+dX282crs0R3N9A064C71/cXlBqcjzjlKH2NUIWGxr+od3TXFIFjszSU3NgMPKrWNhF LLwS81MpbkOe73s6aDhS8RDyNucoxtKXriLR+4Xiu4+pyj5ukYP1JqpB3ZobY/XZgCnJMye+ 7xeTpIDJ1LPORxM3NNAElyb26lxAK2P+km+EpI0Zzz6rNSCfg5jYQ474+e/GBgaSG4MlaPoZ +XAfN46u1Xjjv1/AkkA4IA6m5zP5og==
- Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Hello Daniele,
well, be our guest :-)
Basically, you only need to do the SAML bits yourself (create a SAML SP)
and a database that maps the SAML identities to the newly created
eduroam Managed IdP user accounts.
The API calls are simple JSON constructs and a full user provisioning
workflow involves the following calls:
One profile for each user group:
ACTION_NEWINST
ACTION_NEWPROF_SB
For every user inside such a group:
ACTION_ENDUSER_NEW
ACTION_TOKEN_NEW
There are also API calls to revoke tokens and certificates, deactivate
users etc.
So your SAML SP merely needs to do an HTTP POST of some JSON data to get
things done.
More details on the admin API for CAT 2.0 and Managed IdP are here:
https://wiki.geant.org/display/H2eduroam/A+guide+to+eduroam+CAT+2.0+and+eduroam+Managed+IdP+for+National+Roaming+Operator+administrators#AguidetoeduroamCAT2.0andeduroamManagedIdPforNationalRoamingOperatoradministrators-UI-lessAutomatedManagement:theAdminAPI(2.0)
Greetings,
Stefan Winter
Am 26.11.18 um 09:52 schrieb Daniele Albrizio:
> Well, Stefan, I'm interested in this evolution of the eduroam CAT
> service too.
> We have about 23k potentially active eduroam users and we would like to
> issue them a one-time (per install) keypair or, if not possible, a long
> live pair to avoid easily bad configured clients without server trust
> validation (users forcing not to check the server certificate). This
> should be, as you can easili figure out, SAML or openid connect authorized.
> We do not have internal man power to set up such a solution and neither
> we can afford to outsource such a project, so I think a centralized
> project with a fairly paid plan could be an affordable solution for us.
>
> Yes, it sounds as a "me too" :)
>
> Daniele
>
> On 26/11/18 08:59, Stefan Winter wrote:
>> Hello,
>>
>>> We are currently thinking about a larger scale IdP (100k+ Users) that
>>> would use client certificates for authentication.
>>> To distribute those certificates, the CAT installers/profiles would
>>> be a good option (as the v2 Hosted IdP does).
>>>
>>> Is there an API call (like 'generateInstaller') that would accept a
>>> certificate .pem to include in the installer?
>>> Or any other ideas to handle this?
>> The installer would need to have the certificate *and* private key. Our
>> basic assumption behind CAT (and MIdP) was that we don't want anyone
>> else's secrets, and expect nobody to want to send them to us anyway; so
>> uploading a private key is indeed not foreseen.
>>
>> For eduroam Managed IdP, the communication is unidirectional. Our system
>> itself generates a private key, and sends it out in the installer
>> (PIN-protected on the transport leg).
>>
>> If you really are comfortable with sending us the future users' private
>> keys(?) then we could probably create an API call to generate
>> "MIdP-like" installers from that external source. Unfortunately, some
>> installers require us to know the private key in clear (ChromeOS
>> encrypts the entire configuration file with the PIN, not just the
>> private key portion).
>>
>> Alternatively, if you can live with becoming a Managed IdP user and with
>> leaving the cert generation to us: the existing API allows an NRO
>> operator to remote-control all the important aspects of the system down
>> to the individual user level. That way, you could create those 100K
>> users in the system, issue 100K invitation URLs, make us send them to
>> the users via E-Mail or SMS, and have them pick up their eduroam
>> credentials with that.
>>
>> I used those API calls extensively during the development phase for
>> stresstesting (and my tests went up to 1M users).
>>
>> The only limitation here would be non-technical: the soft limit for user
>> count in eduroam Managed IdP is going to be 10K users per NRO. More is
>> certainly possible, but we'd have to discuss some kind of a paid plan
>> for that bulk usage.
>>
>> Greetings,
>>
>> Stefan Winter
>>
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Attachment:
0xC0DE6A358A39DC66.asc
Description: application/pgp-keys
Attachment:
signature.asc
Description: OpenPGP digital signature
- [[cat-users]] Installers with certificate, Fabian Mauchle, 11/23/2018
- Re: [[cat-users]] Installers with certificate, Stefan Winter, 11/26/2018
- Re: [[cat-users]] Installers with certificate, Daniele Albrizio, 11/26/2018
- Re: [[cat-users]] Installers with certificate, Stefan Winter, 11/26/2018
- Re: [[cat-users]] Installers with certificate, Fabian Mauchle, 11/28/2018
- Re: [[cat-users]] Installers with certificate, Stefan Winter, 11/28/2018
- Re: [[cat-users]] Installers with certificate, Daniele Albrizio, 11/26/2018
- Re: [[cat-users]] Installers with certificate, Stefan Winter, 11/26/2018
Archive powered by MHonArc 2.6.19.