The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Václav Mach <machv AT cesnet.cz>]

Hi,

On 3/20/19 3:14 PM, Stefan Winter wrote:
> Hello,
>
> > is it currently possible to view details about some institution in the
> > NRO's competence (ie .cz) in eduroam CAT? If this is not available,
> > would it be possible to add this kind of admin access? We think it would
> > enable the NRO admins to do some further debugging, even if all the
> > information is read only.
>
> An NRO admin can always get himself access to any institution within its
> NRO. The button is behind "Add/Remove administrators" and is labelled
> "Take control of this institution".
>
> Following that action, the NRO admin is also considered IdP admin of the
> institution in question and has full read/write access.

is that the only way, how to get to the information about specific 
institution? While this is not bad, it may be cumbersome to do this with 
more than a few institutions. I personally do not see why NRO operators 
should not have at least read only access to all institution in the 
NRO's competence.

>  From what I hear, this is regularly used to help institutions debug any
> problems they may have. You can of course remove yourself from the list
> of admins when you are done.

I see adding and removing myself as administrator before and after 
debugging as extra unnecessary work.

> > Would it be also possible to add an API access to this information? We'd
> > like to access especially the certificate info to do some verifications
> > on the EAP certificates that institutions actually use.
>
> There is a user-API call to list all institutions, all profiles within,
> and to download the corresponding installers. There is also a
> "installer" which contains a simple ZIP of all relevant settings
> including the CA certificates, which is useful for conducting automated
> tests.

This seems great, i'll take a look at that.

> This should cover the use case you indicated.
>
> This being the user API, it will not give you access to settings which
> were not marked as production-ready by the institution. If you want
> access to such institutions/profiles, then you need to use "Take
> Control" interactively, as described above.

Thats ok, no need to work with non production-ready.

cheers,
Vaclav
--
Václav Mach
tel: +420 234 680 206
CESNET, z.s.p.o.
www.cesnet.cz

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature