Skip to Content.
Sympa Menu

cat-users - Re: [[cat-users]] NRO admin access to managed institutions

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] NRO admin access to managed institutions


Chronological Thread 
  • From: Václav Mach <machv AT cesnet.cz>
  • To: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] NRO admin access to managed institutions
  • Date: Wed, 20 Mar 2019 15:26:02 +0100

Hi,

On 3/20/19 3:14 PM, Stefan Winter wrote:
Hello,

is it currently possible to view details about some institution in the
NRO's competence (ie .cz) in eduroam CAT? If this is not available,
would it be possible to add this kind of admin access? We think it would
enable the NRO admins to do some further debugging, even if all the
information is read only.

An NRO admin can always get himself access to any institution within its
NRO. The button is behind "Add/Remove administrators" and is labelled
"Take control of this institution".

Following that action, the NRO admin is also considered IdP admin of the
institution in question and has full read/write access.

is that the only way, how to get to the information about specific institution? While this is not bad, it may be cumbersome to do this with more than a few institutions. I personally do not see why NRO operators should not have at least read only access to all institution in the NRO's competence.


From what I hear, this is regularly used to help institutions debug any
problems they may have. You can of course remove yourself from the list
of admins when you are done.

I see adding and removing myself as administrator before and after debugging as extra unnecessary work.


Would it be also possible to add an API access to this information? We'd
like to access especially the certificate info to do some verifications
on the EAP certificates that institutions actually use.

There is a user-API call to list all institutions, all profiles within,
and to download the corresponding installers. There is also a
"installer" which contains a simple ZIP of all relevant settings
including the CA certificates, which is useful for conducting automated
tests.

This seems great, i'll take a look at that.


This should cover the use case you indicated.

This being the user API, it will not give you access to settings which
were not marked as production-ready by the institution. If you want
access to such institutions/profiles, then you need to use "Take
Control" interactively, as described above.

Thats ok, no need to work with non production-ready.

cheers,
Vaclav
--
Václav Mach
tel: +420 234 680 206
CESNET, z.s.p.o.
www.cesnet.cz

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature




Archive powered by MHonArc 2.6.19.

Top of Page