An eduroam IdP (Identity Provider) facilitates Internet access for their users via any eduroam WiFi hotspot in the world, by authenticating them as they roam.
Only organisations that are members of the academic & research community are eligible to become an IdP. An organisation seeking to become an eduroam IdP must undergo an approval process to establish their eligibility.
eduroam IdP Architecture
An IdP requires a Radius service which handles incoming authentication requests, and authenticates against the IdP's user database.
The IdP may manage their own Radius service, or they can contract this to a third party. HEAnet offer a Managed Radius service to eligible clients; contact HEAnet for further information.
For eligible organisations constrained by resources and/or budgets, and with fewer than 200 users, GÉANT offer a free eduroam Managed IdP service. Contact HEAnet for further info.
eduroam IdP Obligations
The implementation of an IdP service requires the IdP to:
- Engage with HEAnet to join eduroam.
- Provide the (globally unique) realm(s) to be used by the IdP's users.
- Provide the static/permanent public IP address of at least one, and preferably two, Radius servers.
- Obtain a suitable SSL certificate for the Radius server(s). The certificate may be signed by a private CA or a public CA; the same certificate should be used on all of the IdP's Radius servers.
- Read the Irish eduroam policy and satisfy themselves that they can comply with its requirements.
- Retain their Radius logs as per the policy.
- Support their users when roaming.
- Unless exceptional circumstances apply, an eduroam IdP is obliged to also act as an eduroam SP.
Information Required From eduroam IdP
Following successful testing of the eduroam IdP service, the IdP must provide the following information in order to be officially registered as an eduroam IdP:
- The postal address of the IdP.
- Contact details for local IT support/Helpdesk for IdP users, to include: role name, email address, phone number.