
Identity Provider (IdP)

An eduroam Identity Provider authenticates users from its own institution, wherever they connect. The IdP is responsible for validating credentials, enforcing authentication policy, and returning the final RADIUS Access-Accept or Access-Reject for users of its realm.

IdP Responsibilities

An IdP should:

  • operate a reliable FreeRADIUS service
  • publish and maintain its realm registration through the national federation
  • issue clear user configuration guidance, including which CA and server name clients must trust
  • maintain valid server certificates
  • integrate with the institution's identity source
  • log and investigate authentication issues

Authentication Model

When a user connects at any participating site, the Service Provider's RADIUS server forwards the EAP request through the federation based solely on the realm part of the outer identity (the RADIUS User-Name), for example anonymous@institution.ac.ke; the user part is not needed for routing and should be anonymised in the outer identity. The request reaches the home institution, where the IdP terminates the TLS tunnel, sees the real (inner) identity, and validates the credentials against its local identity store. The Service Provider and the intermediate proxies see only the outer identity and the final result, never the password or its hash.

The IdP should support the tunnelled EAP methods that clients actually use, and choose them to fit the backend:

  • PEAP-MSCHAPv2 for broad client compatibility; MSCHAPv2 needs the NT hash or cleartext password, so it works against Active Directory (via ntlm_auth) or a store holding NT hashes, but not against LDAP directories that keep only salted hashes
  • EAP-TTLS/PAP for LDAP and similar backends; the password travels in cleartext inside the TLS tunnel, so any backend that can verify a password (an LDAP bind, a salted hash) works, and clients must validate the server certificate or the password is exposed to a rogue access point
  • EAP-TLS for managed devices and certificate-based authentication, which involves no password at all

Identity Integration

Common backends include:

  • Active Directory
  • LDAP
  • SQL-backed identity database
  • synchronized institutional identity platforms

The identity store should provide:

  • stable usernames
  • correct realm mapping
  • group or attribute data for authorization
  • password and account lifecycle control

Realm Registration

The institution's realm must be registered with the national eduroam operator so that requests are routed correctly. The registered realm should match the usernames issued to users and the realm definitions in the local FreeRADIUS configuration. If the three disagree, users may authenticate on campus but fail when roaming, because the federation routes on the registered realm and the IdP only accepts what its own configuration declares local.
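The realm handling described in Authentication Model and Realm Registration, as an added illustration in Python (not code from eduroam or FreeRADIUS). It models two decisions an IdP's RADIUS server makes: routing on the outer realm, and checking the inner (tunnelled) identity against the realms the institution serves. The realm institution.ac.ke is an assumed example value, and the identities below are constructed test data.

```python
"""Model of eduroam realm handling at an IdP (added example, not FreeRADIUS code):
routing on the outer realm, then checking the inner identity seen inside the
TLS tunnel against the realms this institution has registered."""

# Assumed set of realms this IdP serves (example value, not a real registration).
LOCAL_REALMS = {"institution.ac.ke"}


def split_nai(user_name: str):
    """Split an NAI (RFC 7542) 'user@realm' into (user, realm).

    The realm is everything after the LAST '@', compared case-insensitively.
    A name without '@' has no realm and cannot be routed in eduroam.
    A trailing or whitespace-containing realm is malformed and raises.
    """
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    realm = realm.strip().lower()
    if not realm or any(c.isspace() for c in realm):
        raise ValueError(f"malformed realm in {user_name!r}")
    return user, realm


def route_outer_identity(outer_identity: str) -> str:
    """Decide what to do with the OUTER identity of an incoming EAP request.

    Returns 'local'  : the realm is ours, authenticate here
            'proxy'  : foreign realm, forward to the national federation proxy
            'reject' : no realm at all; eduroam requires user@realm
    Only the realm is inspected: the user part of the outer identity is
    normally 'anonymous' and carries no meaning for routing.
    """
    _, realm = split_nai(outer_identity)
    if realm is None:
        return "reject"
    if realm in LOCAL_REALMS:
        return "local"
    return "proxy"


def check_inner_identity(outer_identity: str, inner_identity: str):
    """Inside the tunnel (PEAP/TTLS) the IdP sees the real username.

    Accept only if the inner realm is one we serve and matches the outer
    realm the request was routed on. A bare inner username is treated as
    belonging to the outer realm (a policy choice assumed here). Any mismatch
    means a misconfigured client or a request routed to us for a realm we do
    not own; the credential is not checked in either case.
    """
    inner_user, inner_realm = split_nai(inner_identity)
    _, outer_realm = split_nai(outer_identity)
    if not inner_user:
        return False, "empty inner username"
    if inner_realm is None:
        inner_realm = outer_realm  # bare username in tunnel: assume outer realm
    if inner_realm not in LOCAL_REALMS:
        return False, f"inner realm {inner_realm!r} is not served by this IdP"
    if inner_realm != outer_realm:
        return False, "inner realm does not match outer (routing) realm"
    return True, f"authenticate {inner_user!r} in realm {inner_realm!r}"


if __name__ == "__main__":
    # Constructed sample exchange: anonymous outer identity, real inner identity.
    outer = "anonymous@institution.ac.ke"
    print(route_outer_identity(outer))                      # local
    print(check_inner_identity(outer, "alice@institution.ac.ke"))
    print(check_inner_identity(outer, "alice@other.ac.za"))
    print(route_outer_identity("anonymous@other.ac.za"))    # proxy
    print(route_outer_identity("alice"))                    # reject
```

The same three outcomes (local, proxy, reject) are what a production FreeRADIUS deployment expresses in its realm configuration; the point of the model is that routing and the inner-identity check are separate decisions, and that the realm users are issued, the realm registered with the federation and the set in LOCAL_REALMS must all agree for roaming to work.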