TERENA Networking Conference 2010

Issuing Eduroam Accounts via SAML Federation for Location Privacy Protection

Motonori NAKAMURA (National Institute of Informatics - Japan), Takaaki Komura, Yasuo Okabe (Academic Center for Computing and Media Studies, Kyoto University - Japan)

Eduroam is the world-wide roaming access service for the international research and education community, built on wireless LAN technologies such as 802.11b/g with 802.1X authentication. Eduroam authentication uses a hierarchy of RADIUS servers operated by the universities, institutions and countries participating in eduroam. With such a hierarchically operated RADIUS authentication system, a user's location privacy may be invaded when he/she connects to an eduroam wireless access point at his/her own organization or at another organization he/she visits, because usernames and domain (organization) names can be observed and recorded in logs on every RADIUS server on the path between the organization where the access point is located and his/her home organization. Therefore we propose a method that uses a pseudo account issued by a system in a SAML federation. Since the issued account is anonymous and independent of the user's organization, the user's location privacy can be protected. The proposed method also provides traceability of users: when a serious incident occurs, a pseudo account can be bound to a real user by gathering information from a RADIUS server, the account issuing server and the IdP of the organization to which he/she belongs in the SAML federation.
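The following model, an added example that is not code from the authors or from any eduroam or SAML implementation, shows the two properties the abstract claims. An IdP releases only a persistent, service-specific pseudonymous identifier (modelled here as an HMAC, in the spirit of a SAML persistent NameID); the issuing server mints a random eduroam username under its own RADIUS realm, so proxies on the path log nothing that names the home organization; and tracing an incident requires joining the RADIUS log, the issuer's records and the IdP's mapping. All party names, realms and the record layout are assumptions made for the example.

```python
"""Illustrative model of pseudonymous eduroam accounts issued via a SAML federation."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class IdP:
    """Home-organisation identity provider: the only party that knows real identities."""
    entity_id: str
    users: dict                                      # real username -> password (constructed)
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def _targeted_id(self, username, sp_entity_id):
        # Persistent, SP-specific pseudonym (like a SAML persistent NameID).
        msg = f"{username}|{sp_entity_id}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:32]

    def authenticate(self, username, password, sp_entity_id):
        """Return the targeted ID released to the SP, or None on bad credentials."""
        if not hmac.compare_digest(self.users.get(username, ""), password):
            return None
        return self._targeted_id(username, sp_entity_id)

    def resolve(self, targeted_id, sp_entity_id):
        """Incident handling: map a targeted ID back to the real user (IdP-side only)."""
        for username in self.users:
            if self._targeted_id(username, sp_entity_id) == targeted_id:
                return username
        return None


@dataclass
class AccountIssuer:
    """SAML SP in the federation that issues eduroam pseudo accounts under its own realm."""
    entity_id: str
    realm: str                                       # e.g. "roam.example" (assumed)
    records: dict = field(default_factory=dict)      # pseudo user -> (idp entity_id, targeted_id)

    def issue(self, idp, targeted_id):
        """Mint a random username; it carries no information about the home organization."""
        pseudo_user = secrets.token_hex(8)
        password = secrets.token_urlsafe(16)
        self.records[pseudo_user] = (idp.entity_id, targeted_id)
        return f"{pseudo_user}@{self.realm}", password


def radius_log_entry(outer_identity, visited_org, ap, ts):
    """What a RADIUS proxy on the path can see: identity, realm, location, time."""
    user, realm = outer_identity.rsplit("@", 1)
    return {"ts": ts, "proxy": visited_org, "ap": ap, "user": user, "realm": realm}


def reveals_home_org(entry, home_realm):
    """True if the logged realm identifies the user's home organization."""
    return entry["realm"] == home_realm


def trace(entry, issuer, idps):
    """Join RADIUS log -> issuer records -> IdP mapping to find the real user."""
    if entry["realm"] != issuer.realm or entry["user"] not in issuer.records:
        return None
    idp_entity_id, targeted_id = issuer.records[entry["user"]]
    idp = idps.get(idp_entity_id)
    return idp.resolve(targeted_id, issuer.entity_id) if idp else None


def demo():
    """Run one issuance, one roaming session and one trace; return facts to check."""
    idp = IdP("https://idp.univ-a.example/saml", {"alice": "correct horse"})   # constructed
    issuer = AccountIssuer("https://issuer.roam.example/saml", "roam.example")  # constructed
    idps = {idp.entity_id: idp}

    tid = idp.authenticate("alice", "correct horse", issuer.entity_id)
    first, _ = issuer.issue(idp, tid)
    second, _ = issuer.issue(idp, tid)            # a second account is unlinkable to the first

    entry = radius_log_entry(first, "univ-b.example", "ap-library-3", "2010-05-31T09:12:00Z")
    return {
        "bad_password": idp.authenticate("alice", "wrong", issuer.entity_id),
        "first_account": first,
        "second_account": second,
        "realm_in_log": entry["realm"],
        "home_org_visible": reveals_home_org(entry, "univ-a.example"),
        "traced": trace(entry, issuer, idps),
        "untraceable": trace(radius_log_entry("ghost@roam.example", "x", "ap", "t"), issuer, idps),
    }
```

The issuer never receives a real username, and the IdP never sees the eduroam pseudonym, so no single party other than the IdP can deanonymise a log line on its own; tracing works only when all three records are brought together, which is the traceability property the abstract describes.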

Download poster (PDF)