The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Stefan Winter <stefan.winter AT restena.lu>]

Hi,

> I was thinking about operating our own CAT instance for this; but if I do, 
> I want to run unmodified CAT code. I agree that it might not be the best 
> idea to enable such an interface on the public CAT instance.

The deployment of Managed IdP is of different nature than CAT:

CAT should really be one central instance, knowing about all the
(normal) IdPs in eduroam - because its webpage is a well-known
entrypoint for "everybody" - including Apple KB articles pointing there.

Managed IdP does not have an end-user facing entry point. Users get in
touch with the system only by getting a link to their personal download
page. That's much more friendly towards separate instances: different
instance merely means the link has a different hostname in it. If you
want to run your own server, just do it, there is no usability drawback
in that.

I don't think you'd need any modifications, except maybe a different
skin for the UI frontend to match SWITCH branding. And since we do have
a skin system in place, coding that should be compartmentalised in one
subdir of the UI frontend, i.e. easy.

A little bit of work is of course to marry the system with your own CA
infrastructure in the backend. Current master branch already foresees
the ability to plug different CA backends into the system; that change
is not in the release_2_0 branch though.

>     Alternatively, if you can live with becoming a Managed IdP user and with
>     leaving the cert generation to us: the existing API allows an NRO
>     operator to remote-control all the important aspects of the system down
>     to the individual user level. That way, you could create those 100K
>     users in the system, issue 100K invitation URLs, make us send them to
>     the users via E-Mail or SMS, and have them pick up their eduroam
>     credentials with that.
> 
> Well, would you be comfortable to have that many MIdP users long term? 
> (with several devices per user, I imagine we could reach 1 million 
> certificates within a couple of years).

This is something that time will tell. My own stress testing did 1M user
creations and certificates incl. OCSP statements and it took the system
a few hours to get that done (highly parallelised, and with 8 CPU
cores). A million over a few years thus doesn't look terribly daunting.
But we'll see about that when the time has come.

> What I haven’t checked for the managed IdP: I need to use a specific realm, 
> routed to our own radius servers, as these will do extensive authorization 
> and attribute mapping based on the users shibboleth attributes. 

Managed IdP always uses a "base" realm and routes to that. In our
deployment this is @....hosted.eduroam.org but as with everything else
in the system: this is configurable.
>     The only limitation here would be non-technical: the soft limit for user
>     count in eduroam Managed IdP is going to be 10K users per NRO. More is
>     certainly possible, but we'd have to discuss some kind of a paid plan
>     for that bulk usage.
> 
> Well, operating our CAT instance and using the managed IdP API might also 
> be an option. Need to have a closer look.

Don't hesitate to get back to me or the -devel list for deployment
advice. Our own deployment is envisaging 1M users from start (100 NROs x
10K users/NRO cap), and should be easily able to do that on a total of
four not-very-demanding VMs.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0xC0DE6A358A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature