cat-users - Re: [[cat-users]] Installers with certificate

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

  • From: Fabian Mauchle <fabian.mauchle AT switch.ch>
  • To: Stefan Winter <stefan.winter AT restena.lu>
  • Cc: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Installers with certificate
  • Date: Wed, 28 Nov 2018 09:38:27 +0000
  • Accept-language: de-CH, en-US

Hi Stefan,

On 26.11.18, 09:00, "Stefan Winter" <stefan.winter AT restena.lu> wrote:

> Hello,
>
>> We are currently thinking about a larger scale IdP (100k+ Users) that
>> would use client certificates for authentication.
>> To distribute those certificates, the CAT installers/profiles would be
>> a good option (as the v2 Hosted IdP does).
>>
>> Is there an API call (like 'generateInstaller') that would accept a
>> certificate .pem to include in the installer?
>> Or any other ideas to handle this?
>
> If you really are comfortable with sending us the future users' private
> keys(?) then we could probably create an API call to generate
> "MIdP-like" installers from that external source. Unfortunately, some
> installers require us to know the private key in clear (ChromeOS
> encrypts the entire configuration file with the PIN, not just the
> private key portion).

I was thinking about operating our own CAT instance for this; but if I do, I
want to run unmodified CAT code. I agree that it might not be the best idea
to enable such an interface on the public CAT instance.

> Alternatively, if you can live with becoming a Managed IdP user and with
> leaving the cert generation to us: the existing API allows an NRO
> operator to remote-control all the important aspects of the system down
> to the individual user level. That way, you could create those 100K
> users in the system, issue 100K invitation URLs, make us send them to
> the users via E-Mail or SMS, and have them pick up their eduroam
> credentials with that.

Well, would you be comfortable having that many MIdP users long term? (With
several devices per user, I imagine we could reach 1 million certificates
within a couple of years.)
What I haven't checked for the Managed IdP: I need to use a specific realm,
routed to our own RADIUS servers, as these will do extensive authorization
and attribute mapping based on the users' Shibboleth attributes.

> The only limitation here would be non-technical: the soft limit for user
> count in eduroam Managed IdP is going to be 10K users per NRO. More is
> certainly possible, but we'd have to discuss some kind of a paid plan
> for that bulk usage.

Well, operating our CAT instance and using the managed IdP API might also be
an option. Need to have a closer look.

Best regards,
Fabian
