Combined IdP and SP Deployment

Most institutions operate as both an Identity Provider (IdP) and a Service Provider (SP). In this model, the same organization authenticates its own users and also provides network access to visitors.

Benefits

  • local users can connect on campus and while roaming
  • visiting users can connect without local guest accounts
  • a single RADIUS platform can enforce local authentication and proxy policy

Design Model

A combined deployment usually includes:

  • a primary and secondary FreeRADIUS server
  • local identity integration for institutional users
  • proxying to the federation for foreign realms
  • controller or AP integration for WLAN access
  • centralized logging and accounting

Policy Approach

Keep local and foreign traffic clearly separated in policy:

  • local realms are authenticated against institutional identity systems
  • foreign realms are proxied upstream
  • authorization may differ for local and visiting users
  • accounting should record both local and proxied sessions

In addition:

  • keep local realm definitions explicit
  • use strong secrets for controllers and federation peers
  • test both local authentication and foreign-realm proxying after every significant change
  • document certificate renewal and failover procedures
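As an added example (not configuration from this page or from any project), the following FreeRADIUS 3.x fragments express the local/foreign split described above: one explicit local realm handled on-site and a DEFAULT realm proxied to a fail-over pool of federation servers. The realm example.edu, the controller and federation hosts, their 192.0.2.x addresses and the secrets are placeholders.

```conf
# --- clients.conf: the WLAN controller that forwards local and visiting users to us ---
client wlan-controller {
    ipaddr = 192.0.2.20                   # placeholder address
    secret = CHANGE_ME_LONG_RANDOM_SECRET # placeholder, use a long random value
    require_message_authenticator = yes   # drop Access-Requests lacking Message-Authenticator
    nas_type = other
}

# --- proxy.conf: federation home servers (placeholder names and addresses) ---
home_server flr1 {
    type = auth+acct
    ipaddr = 192.0.2.10
    port = 1812
    secret = CHANGE_ME_FEDERATION_SECRET_1
    status_check = status-server          # detect a dead peer before users notice
    check_interval = 30
    response_window = 20
    zombie_period = 40
}
home_server flr2 {
    type = auth+acct
    ipaddr = 192.0.2.11
    port = 1812
    secret = CHANGE_ME_FEDERATION_SECRET_2
    status_check = status-server
    check_interval = 30
}
home_server_pool federation {
    type = fail-over                      # primary first, secondary only when primary is down
    home_server = flr1
    home_server = flr2
}

# Local realm: no auth_pool/acct_pool, so the request is handled on this server
# (EAP terminates here and the inner tunnel checks the institutional directory).
realm example.edu {
    nostrip                               # keep user@example.edu intact for logging
}

# Requests with no realm at all are handled locally and never sent to the federation.
realm NULL {
}

# Every other realm is foreign: proxy both authentication and accounting upstream.
realm DEFAULT {
    auth_pool = federation
    acct_pool = federation
    nostrip
}
```

Because DEFAULT catches everything that is not listed, each local realm must be declared explicitly; a misspelt or missing local realm would silently be proxied to the federation.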