
UCTrust Wireless Notes - 2010-07-12

UCTrust Wireless Agenda - 2010-07-12 

Participants

Robert Cartelli, UCSC
Dedra Chamberlin, UCB
Patrick Flannery, UCDHS
Bob Grant, UCR
Russ Harvey, UCR
Erik Klavon, UCB
Gabe Lawrence, UCSD
ken lindahl, UCB
Jeff McCullough, UCB
Mark Redican, UCD
David Walker, UCD
Albert Wu, UCLA

Why Not Eduroam?

  • Campuses will likely implement eduroam, but there is concern over the lack of policy and agreements on operation.
  • The consensus was that we should continue our work on the Shibboleth / captive portal approach.
  • We should also work with the eduroam community to ensure that good policies and operational agreements are reached.

Authentication and Authorization

  • We decided not to use "member" affiliation to make authorization decisions, as that is burdened with meaning for multiple services.  Instead, we will define an eduPersonEntitlement value to indicate this person should be given wireless guest access.
  • The consensus was that we will use four attributes:  ePPN, name, email, and ePEntitlement.
  • We acknowledged that (technically) it is a local decision of the host campus to decide which attributes to require.  From the perspective of policy, though, we'll continue to discuss the issue.
  • There may be some problems with people who can use Shibboleth but not wireless, and vice versa.
    • There is likely an issue where guests will gain access to library and other materials while they are guests.  This is an artifact of the implementation; the only expectation is that guests get wireless Internet access.
    • This is already an issue, but we'll want to check with the library community about this.
  • As we develop our "captive web portal / Shibboleth" strategy for guest wireless access, we need to work with the InCommon / eduroam community to ensure it can extend beyond UC.

Network Accessibility to Home Campus IdPs before Authentication

  • For the pilot, we will distribute IP addresses via electronic mail. We'll have to come back to this issue, though, before the service is extended beyond the pilot.

Project Plan

  •  Tasks for wireless providers
    • Integrate Shibboleth into web portals as a new SP.
    • Work with campus IdP to register the SP with InCommon (and UCTrust).
    • Open network access to IdP-required addresses for as-yet unauthenticated guests.
  • Tasks for identity providers
    • Implement the ePEntitlement value for guest wireless access.
    • Provide IP addresses that must be accessible as UCTrust metadata.
    • Release attributes to the wireless SPs, as they are deployed.
  • Tasks for the project group
    • Define the ePEntitlement value for guest wireless access
    • Address policy and operational issues
      • Authorization decisions and the attributes that support them.
      • Appropriate use policies
        • How can guests be told of local AUPs?
        • Should we strive for consistency of AUPs?
      • How do we support users in a federated environment?
        • Probably use UCTrust's documentation of support contacts, UI guidelines, etc.

Other Issues

  • Everyone is asked to add a contact name/address to the "portal used" column of Existing Campus Wireless Authentication to facilitate solution strategies when two campuses use the same product.
  • Next call in about 2 weeks.  Everyone should think about their tasks and estimate time lines so we can aggregate them in the next call.