Traditional eduroam Deployments
In a typical eduroam deployment, users authenticate against eduroam infrastructure partially operated by their home organisation. To participate in eduroam, an organisation is generally required to deploy and manage:
- A RADIUS server to handle eduroam authentication requests.
- An Identity Provider (IdP) system (such as Active Directory, LDAP, or a cloud IdP) to validate user credentials.
In this model, the RADIUS server and IdP are usually managed by the same organisation and are tightly integrated. While this approach is well established, it introduces operational and infrastructure requirements that can be a barrier to entry — particularly for organisations without existing RADIUS expertise or on‑premises infrastructure.
Removing RADIUS Requirements
The eduroam Managed IdP is designed to remove the need for organisations to deploy and operate their own RADIUS infrastructure.
Instead of operating their own RADIUS server, an organisation can connect its existing IdP to the REANNZ‑operated eduroam Managed IdP.
REANNZ operates the RADIUS infrastructure required for eduroam participation, while the organisation continues to manage user identity and access within its own IdP.
How Authentication Works
The authentication flow differs from a traditional eduroam deployment in several key ways.
When a user downloads an eduroam configuration profile to their device via the eduroam Managed IdP, they are required to authenticate using their organisation’s connected IdP. Authentication is handled directly by the IdP.
Certificate-based Access
After successful authentication, the eduroam Managed IdP issues a signed client certificate and embeds it into the downloaded eduroam configuration profile. This certificate is used by the device to authenticate to eduroam, rather than a username and password.
Authorisation at Connection Time
When the user’s device connects to the eduroam network using the downloaded profile, access is authorised based on the presence of a valid, correctly signed certificate issued by the eduroam Managed IdP. All RADIUS handling and certificate validation are performed by the eduroam Managed IdP service.
Certificate Lifetimes and Access Control
Certificates issued by the eduroam Managed IdP are configured to expire after a fixed period. This provides a simple and predictable mechanism for controlling ongoing access to eduroam:
- Users must periodically re-authenticate via the organisation’s connected IdP to obtain a renewed certificate.
- If a user’s account is disabled or loses access in the upstream IdP, they will be unable to renew their eduroam certificate.
- Users of the geteduroam app will receive notifications when their certificate is approaching expiry.
This approach reduces reliance on long‑lived credentials and simplifies user access management without requiring direct certificate handling by the organisation.
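The connection-time check and the fixed-lifetime renewal model described above, as an added example written for this page and not REANNZ's or the Managed IdP's own code. It uses only the Go standard library: a self-signed CA stands in for the Managed IdP's signing authority, a client certificate is issued with a fixed lifetime (renewal is simply re-issuance after the user re-authenticates), and authoriseConnection accepts a presented certificate only if it chains to that CA, is marked for client authentication, and is inside its validity period at the moment of connection. The CA name, user name, serial counter, 30-day lifetime and 7-day renewal warning are constructed values, and the real service performs this validation inside the EAP-TLS exchange with the RADIUS server, which this example does not model.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issuerCA stands in for the Managed IdP's CA (constructed for this example, not REANNZ's real CA).
type issuerCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serialCounter int64 // constructed serial source; a production CA uses random serials

func nextSerial() *big.Int {
	serialCounter++
	return big.NewInt(serialCounter)
}

// parseDER turns the (der, err) pair returned by CreateCertificate into a parsed certificate.
func parseDER(der []byte, err error) (*x509.Certificate, error) {
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA creates a self-signed CA certificate valid for ten years from now.
func newCA(name string, now time.Time) (*issuerCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          nextSerial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := parseDER(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	if err != nil {
		return nil, err
	}
	return &issuerCA{cert: cert, key: key}, nil
}

// issueClientCert issues a client-auth certificate with a fixed lifetime: the step the Managed IdP
// performs after the user authenticates with the organisation's IdP. Renewal is a fresh issuance.
func (ca *issuerCA) issueClientCert(user string, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: nextSerial(),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return parseDER(x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key))
}

// authoriseConnection models the check at connection time: the presented certificate must chain
// to the trusted CA, be marked for client authentication, and be within its validity period at
// the moment of connection. Expired certificates and certificates from any other issuer are rejected.
func authoriseConnection(trusted, presented *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	opts := x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := presented.Verify(opts); err != nil {
		return fmt.Errorf("reject %q: %w", presented.Subject.CommonName, err)
	}
	return nil
}

// renewalDue reports whether the certificate expires within warnBefore, the point at which a
// client such as the geteduroam app would prompt the user to re-authenticate and renew.
func renewalDue(cert *x509.Certificate, now time.Time, warnBefore time.Duration) bool {
	return now.Add(warnBefore).After(cert.NotAfter)
}
```

Because authorisation rests entirely on the chain check and the validity window, a user whose upstream IdP account has been disabled keeps access only until the current certificate's NotAfter; there is no separate revocation step in this model, so the chosen lifetime is the upper bound on how long access outlives the IdP decision.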
Responsibilities and Scope
With the eduroam Managed IdP:
- REANNZ operates
  - The RADIUS infrastructure required for eduroam
  - Certificate issuance and validation
  - Integration with the global eduroam infrastructure
- The organisation manages
  - Its own IdP
  - User eligibility and access policies
  - Authentication requirements within the IdP
The Managed IdP does not replace an organisation’s existing IdP, nor does it manage user identities itself. It acts as a bridge between the organisation’s IdP and the eduroam network, while improving the overall experience for end-users.