Issue and Background
Cirrus Identity Bridge customers often want to deploy a Bridge so that they have an IdP in the InCommon Trust Federation. During deployment, we will ask them what initial service they want to integrate with. With increasing frequency, they will say they want to use it with the InCommon Certificate Service (https://incommon.org/certificates/) or with eduroam (https://incommon.org/eduroam/).
In the past, the Cirrus Team would take a moment to explore those choices more deeply. On the face of it, deploying an IdP has very little to do technically with either issuance of certificates (the goal of the Cert Service) or operating federated wireless access (the goal of eduroam).
However, there are practical reasons to operate an IdP for both deployments. Such an IdP can be a traditional deployment or a federation adaptor deployment such as the Cirrus Bridge (https://www.cirrusidentity.com/solutions/incommon-and-edugain-services). This article will explain why an organization might consider deploying an IdP in a Trust Federation to support InCommon Certificate Service or eduroam deployments.
InCommon Certificate Service
InCommon offers the InCommon Certificate Service (Cert Service) to the higher education community, providing unlimited server and personal certificates at a low, fixed fee (https://incommon.org/certificates/subscribe/). While the use of certificates issued by the Cert Service doesn’t directly depend on an InCommon registered IdP, management of the Cert Service is performed using the InCommon Certificate Manager. The most practical way for organizations to manage access to the Certificate Manager is through the use of the Organization’s InCommon IdP. This is especially critical in scenarios where large numbers of personal certificates are being managed.
eduroam
Internet2 is the operator of eduroam for the United States region. eduroam (education roaming) is the secure, worldwide roaming wireless service developed for and by the international research and education community (https://incommon.org/eduroam/connect/). The technology used to implement eduroam is based on RADIUS server implementations and the 802.1x wireless networking protocol. While these technologies don’t directly depend on an InCommon registered IdP, there are two services organizations typically deploy with eduroam.
One service is the InCommon Federation Manager (Fed Manager). InCommon Federation Manager is used by Organizations to configure their eduroam registration with InCommon so that their Organization can participate in the global federation of eduroam capable wifi hotspots. While not mandatory, the pragmatic way for an Organization to access Fed Manager is with an InCommon registered IdP for their organization.
The other service is the eduroam Configuration Assistant Tool (CAT - https://eduroam.org/configuration-assistant-tool-cat/) used to simplify the deployment of eduroam configurations to end user devices. While this is an optional service, many organizations use it to improve the user experience. It is also optional to require authentication to download the configuration, but some organizations require end users to authenticate before gaining access to the configuration. For organizations that choose this path, an IdP registered in the global eduGain trust federation of which InCommon is a participant, is needed.
Recommendation
For customers deploying either the InCommon Certificate Service or eduroam, the Cirrus Bridge may help the organization succeed if a trust federation IdP is a needed component to the deployment.