Description

Under the title of "Integration of an identity metasystem into the eduroam architecture to provide an unique unified single sign-on service" lays my C.S. ending degree project.

It's an extension of the eduroam concept open your laptop and contect. The deal was making a proof of contept that allowed an user to log on eduroam, get a virtual identity and use this identity on their wish on all the federated-with-eduroam services so he could authenticate giving their credentials only once, when they logged on eduroam.

The features were given by using this software:

• Microsoft Cardspace (a.k.a Infocards) as the virtual identity selector.
• simpleSAMLphp as the Identity Provider, Service Provider and Secure Token Service (also thanks to the XMLseclibs).
• Digital Me as the client identity selector (the log was very very useful).
• WPA Supplicant as the WiFi connector.
• freeRADIUS as the radio server to emulate a eduroam access point.
• Perl as the glue. (radius module, user connector, etc).
• Zenity as de dialog generator.
• Drupal to emulate a Relaying Party (a trust-in-eduroam service).

Contributions

The result of so much work was the following documents:

• The book itself. You can download here or at RedIRIS.
• The slides of the presentation.
• The simpleSAMLphp infocard module.
• More software used on the prototype: the Perl connector, freeRADIUS module, WPA Supplicant module, etc. Available at RedIRIS.

Appereances

2010 April - Boletín de RedIRIS Nº 88-89

Acknowledged at "Propuesta de arquitectura de uSSO en eduroam empleando tecnología de Infocard."

• Document.

2009 June 9 - TNC2009, Málaga (Spain)

An Infocard-based proposal for unified single sing on.

• Slides.
• Video, from 61:40.

2009 April 24 - Feide RnD

Release of the first prototype.

2008 December 2 - 18th TF-Mobility Meeting, Utrecht (The Netherlands)

InfoCard and eduroam - Enrique de la Hoz (University of Alcala) (30 m).

• Slides

Video example

This is a 1280x800 px video that shows the prototype working. The key steps are:

1. Launch the RADIUS server with the custom Perl authentication module.
2. Launch the client-side Perl connector.
3. The connector opens the identity selector.
4. The user selects the self-issued infocard that will be used as the token when generating their virtual identity.
5. The connector ask for the user's eduroam credentials (username and password). WiFi card driver is not relevant.
6. Authentication is done and the infocard id is passed to the Radius server.
7. A branded infocard built upon the self issued one is returned to the user (as a one-time URL) and is loaded into the identity selector (the connector is still running).
8. Now the user can achieve a SSO login against the IDP. The first attemp is done wrong on purpose.
9. The connection is also logged on a PostgreSQL database. Useful when setting a TTL to the card.

You can also see this video at professor EDLH's UAH page.