Federated identity: connecting to worldwide networks

In the near future, Fermilab employees and users will be allowed to use their Services accounts to access secure wireless networks at other institutions participating in the eduroam service.

In the real world, you frequently need to identify yourself to prove that you are really you. One common proof of your identity is your driver license. Fortunately, you don’t have to carry a separate license for every state you travel to in order to, say, pass an airport security check. But this is exactly the situation that prevails in cyberspace, where you need different identification methods for almost all the services you want to use.

Fermilab employees and users are often part of global collaborations that require work at remote sites in a variety of locations. When on work-related travel, users may need Internet access to perform their work. In the past, obtaining access usually required registration or an account at the visited institution. This may have delayed gaining access to the necessary network and was generally inconvenient.

The Computing Sector is currently working to address this issue. Through Fermilab users’ Services accounts (the same account used to access FermiMail or Fermilab Time & Labor), users will be allowed to obtain network access at a large number of research and educational institutions worldwide. In particular, they will be allowed to access secure wireless networks at remote institutions that participate in eduroam.

Eduroam (education roaming) is a network access service developed for the international research and education community. A worldwide initiative by many universities and organizations, eduroam enables users to identify themselves and prove who they are at the many participating institutions by using what is known as a federated identity. This is an identity that is accepted by all members, just as a single valid state driver license is universally accepted in U.S. airports.

Once eduroam is available for use, it will be the first step in a larger program to provide greater convenience to users through federated identities. First, Fermilab personnel will be able to use their Fermilab Services accounts to access eduroam networks at remote sites. Several Fermilab scientists have already test-driven the system to access an eduroam network at CERN. Next, certain Fermilab services will be made available to remote individuals who use the trusted federated identity issued by the remote site. Watch this space for future developments.

Instructions for setting up your Windows 7, Windows 8 or Mac systems to use eduroam networks will be made available in this article (Service Desk login required).

-Irwin Gaines