...

On the institution dashboard page, you see the most important pieces of data that you have entered. At the bottom there is a button to create a new Managed IdP profile. If you followed the wizard, it has already done that for you and you see an info card "Managed IdP" instead, with a button labelled "Manage User Base". Either button takes you to your user management page.


There is only one screen from which new user accounts can be created or imported, credentials can be assigned, and existing credentials and users can be decommissioned.

...

  • Manual: at the bottom of the page, there is an input box for a new username and the desired expiry date for that user. Filling in both and then clicking "Add new user" creates the new user instantly.
  • CSV import: for a bulk import of many users, there is a grey box "Import users from CSV file" near the top of the page. The format of the CSV file is:
    Each line holds comma-separated values in this order: username, expiry date (in the form yyyy-mm-dd), number of tokens (optional).
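As an added example (not part of this documentation or of the CAT software itself), a small Python pre-check that validates a CSV import file against the format described above before it is uploaded, reporting each defective line instead of stopping at the first one. The sample rows are constructed, and the case-insensitive duplicate check is an assumption, not a documented rule of the import.

```python
import csv
import re
from datetime import date
# Constructed sample in the documented format: username, expiry (yyyy-mm-dd),
# number of tokens (optional). Rows 3 to 7 each contain one deliberate mistake.
SAMPLE_CSV = """alice,2025-12-31,2
bob,2025-06-30
carol,31/12/2025,1
dave,2025-02-30
,2025-12-31
erin,2025-12-31,three
Alice,2026-01-01
"""
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

def parse_row(fields):
    """Return (username, expiry, tokens) or raise ValueError naming the defect."""
    if len(fields) not in (2, 3):
        raise ValueError(f"expected 2 or 3 fields, got {len(fields)}")
    username, expiry_s = fields[0], fields[1]
    if not username:
        raise ValueError("empty username")
    if not ISO_DATE.match(expiry_s):
        raise ValueError(f"expiry {expiry_s!r} is not in the form yyyy-mm-dd")
    expiry = date.fromisoformat(expiry_s)  # rejects impossible dates such as 2025-02-30
    tokens = None  # None means "not specified"
    if len(fields) == 3 and fields[2]:
        if not fields[2].isdigit() or int(fields[2]) < 1:
            raise ValueError(f"token count {fields[2]!r} must be a positive integer")
        tokens = int(fields[2])
    return username, expiry, tokens

def validate_import(text):
    """Return (accepted rows, error messages); a row with any defect is rejected."""
    rows, errors, seen = [], [], set()
    for lineno, raw in enumerate(csv.reader(text.splitlines()), start=1):
        fields = [f.strip() for f in raw]
        if not any(fields):
            continue  # skip blank lines
        try:
            username, expiry, tokens = parse_row(fields)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        if username.lower() in seen:  # assumption: usernames are case-insensitive
            errors.append(f"line {lineno}: duplicate username {username!r}")
            continue
        seen.add(username.lower())
        rows.append((username, expiry, tokens))
    return rows, errors
```

Running `validate_import(SAMPLE_CSV)` accepts the first two rows and reports lines 3 to 7 (wrong date format, impossible date, empty username, non-numeric token count, duplicate username).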

...

Issuing access credentials

Once a user is created, it is displayed on the page along with "Delete" and "New Credential" buttons. Clicking "New Credential" creates an invitation URL, which is then displayed on the administration page. It is up to the administrator how to get that URL to the user in question. We expect this to usually happen over email, but it is part of the pilot phase evaluation whether leaving the means up to the admin (as implemented now) is a good way forward; alternatives include sending an email directly from the interface, text messaging, sending via popular messengers, etc.

Invitation links are valid for one week from issuance and can be used to generate a single access credential. The remaining validity for pickup by the end user is displayed to the right of the invitation link. Invitation links can be revoked by clicking the corresponding button on the right.

...

The system currently requires re-validation once per year. Users that have not been re-validated within the last 47 weeks are shown in yellow; users that have not been re-validated within the last 50 weeks are shown in red.

End-User Enrollment

Upon visiting the invitation link, the user sees only a single download button along with basic instructions; the operating system is auto-detected. When redeeming the invitation token that you sent them, your users will see this page.


The installation program is a normal CAT installer, with the addition of a client certificate that is protected by the import password displayed on the screen. The import password provides a basic safeguard against credential sharing. Other safeguards that could replace this UI-intensive step, such as a maximum number of MAC addresses, are under consideration. Please report how well the import password method works for your users.

The installer sets up everything; the user should not need to interact with their operating system at all (at least, no more than with other eduroam accounts).

Installer visibility on the user download page

...

If you have any questions about the eduroam Managed IdP website, please contact your eduroam National Roaming Operator first. They can escalate questions to the development team if need be. If you have questions about the underlying software, don't hesitate to ask on the mailing list cat-users@lists.geant.org. If possible, please subscribe to the list before posting; this guarantees that you'll get replies even if someone forgets a "reply to all", and also ensures that your post doesn't accidentally get classified as spam and discarded.

Inputs from External Testing

  • Android support is paramount
    The product is much less useful without Android support due to the very high market share of Android devices. Work is ongoing to secure a development contract to retrofit the required capabilities to the eduroam CAT Android app.
  • Proper support for UDP fragmentation required
    Some testers reported problems with Windows 10 devices (but not on other OSes). Windows does not limit the size of its EAP fragments while other supplicants do; so to make Windows machines authenticate, the entire RADIUS path (including SP network) needs to be able to handle UDP fragmentation.
  • Small bugs
    • Windows installer shows "EMAIL / WWW support" text even if not configured by the admin. Notified TW.