A user-group-based access rights mechanism in eduroam, the federated access management system of research and education networks
The paper describes a federated identity management infrastructure based on eduroam. This technology enables secure authentication with a single netid for network and resource access across the eduroam federation. The major protocols and technologies for transparent user authentication are covered. A way of authorization based on membership in institutional groups and on individual user membership is proposed. For user authentication, a service provider sends an authentication request containing the encrypted user name and password to the RADIUS server of the user's institution (the identity provider). The identity provider is determined by the domain part of the user name. The authentication request is passed through the eduroam hierarchy of proxy RADIUS servers. If the service provider offers special access to a certain group of users, it also sends a request to the group identity RADIUS server. That request passes through a hierarchy of group RADIUS servers, which check group membership. Both the eduroam federation hierarchy and the group RADIUS server hierarchy are based on the domain name system. Implementing these mechanisms requires only a slight modification of the service provider's RADIUS server to add group support, and no changes to the identity provider or to the eduroam federation RADIUS servers. Group support is fully compatible with the existing eduroam infrastructure: RADIUS servers with and without group support can operate simultaneously.
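The two-step flow sketched in the abstract (realm-based routing of the authentication request through the proxy hierarchy, then a separate group membership check through the group hierarchy) can be modelled as a small simulation. The code below is an added illustration, not code from the paper or from any eduroam software: in-memory dictionaries stand in for RADIUS servers, the password check is a plain comparison rather than EAP, and all node names, realms, users and groups are constructed sample data. The only facts it takes from the abstract are that the identity provider is chosen by the domain part of the netid, that both hierarchies are DNS-shaped, that a group may admit whole institutions or individual users, and that an unmodified identity provider is never involved in the group check.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Node:
    """One RADIUS server in a DNS-shaped hierarchy (federation tree or group tree).

    `handlers` maps a key it is authoritative for (a realm such as 'uni-a.ru', or a
    group name such as 'physics.grid.example') to a local decision function.
    Hypothetical model, not the paper's protocol.
    """
    name: str
    parent: Optional["Node"] = None
    children: List["Node"] = field(default_factory=list)
    handlers: Dict[str, Callable] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.parent is not None:
            self.parent.children.append(self)

    def covers(self, key: str) -> bool:
        # A node covers every name in its DNS subtree ('ru' covers 'uni-a.ru').
        return key == self.name or key.endswith("." + self.name)

    def route(self, key: str, request, trace: List[str], came_from=None) -> bool:
        """Proxy the request toward the node authoritative for `key`; False if none."""
        trace.append(self.name)
        if key in self.handlers:                      # we are the home server
            return self.handlers[key](request)
        for child in self.children:                   # descend toward the key
            if child is not came_from and child.covers(key):
                return child.route(key, request, trace, came_from=self)
        if self.parent is not None and self.parent is not came_from:
            return self.parent.route(key, request, trace, came_from=self)
        return False                                  # unknown realm/group: reject


def make_idp(users: Dict[str, str]) -> Callable:
    """Identity provider: plain password comparison (stands in for EAP)."""
    return lambda req: users.get(req[0]) == req[1]


def make_group(institutions: set, individuals: set) -> Callable:
    """Group server: a netid matches by whole institution (realm) or individually."""
    return lambda netid: netid in individuals or netid.partition("@")[2] in institutions


@dataclass
class ServiceProvider:
    federation_entry: Node                   # the SP's own eduroam RADIUS server
    group_entry: Node                        # the SP's local group RADIUS server
    resource_groups: Dict[str, Optional[str]]  # resource -> required group (None = any user)

    def access(self, netid: str, password: str, resource: str) -> Tuple[str, List[str]]:
        trace: List[str] = []
        user, _, realm = netid.partition("@")
        if not realm or resource not in self.resource_groups:
            return "reject", trace          # no realm to route on, or unknown resource
        if not self.federation_entry.route(realm, (user, password), trace):
            return "reject", trace          # authentication failed somewhere in the tree
        required = self.resource_groups[resource]
        if required is None or self.group_entry.route(required, netid, trace):
            return "accept", trace
        return "reject", trace              # authenticated, but not authorised


def build_demo() -> ServiceProvider:
    # Constructed federation tree: root -> country proxies -> institutional IdPs.
    root = Node("eduroam-root")
    uni_a = Node("uni-a.ru", Node("ru", root))
    uni_a.handlers["uni-a.ru"] = make_idp({"alice": "pw-a"})
    uni_b = Node("uni-b.edu", Node("edu", root))
    uni_b.handlers["uni-b.edu"] = make_idp({"bob": "pw-b"})
    # Constructed group tree, independent of the identity providers.
    groot = Node("group-root")
    grid = Node("grid.example", groot)
    grid.handlers["physics.grid.example"] = make_group(
        institutions={"uni-a.ru"}, individuals={"bob@uni-b.edu"})
    local_groups = Node("local-group-server", groot)
    # The service provider lives at uni-b.edu and guards two resources.
    return ServiceProvider(uni_b, local_groups,
                           {"wifi": None, "physics-cluster": "physics.grid.example"})


if __name__ == "__main__":
    sp = build_demo()
    for netid, pw, res in [("alice@uni-a.ru", "pw-a", "wifi"),
                           ("alice@uni-a.ru", "pw-a", "physics-cluster"),
                           ("bob@uni-b.edu", "pw-b", "physics-cluster"),
                           ("alice@uni-a.ru", "wrong", "wifi"),
                           ("nobody@evil.org", "x", "wifi")]:
        print(netid, res, *sp.access(netid, pw, res))
```

The `trace` returned with each decision shows the proxy path, which is the part worth checking in a real deployment: a request for a realm no server is authoritative for must end in a rejection at the root rather than looping, and a group lookup must never reach an identity provider.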