Service conditions

Pseudonymous usernames

It's not possible to pinpoint a specific user based on the username in the RADIUS authentication. E.g. 0dvao55fftqecma2@

Domain

The RADIUS realm is enriched with the "domain" (schacHomeOrganization) from the connecting organization. Dots are replaced with dashes. E.g. 0dvao55fftqecma2@sunet-se

Affiliation

The RADIUS realm of the user is enriched with the affiliation associated with the user. We require at least one affiliation, but can support multiple (prioritized by customer). E.g. 0dvao55fftqecma2@sunet-se--member.v1.geteduroam.se

Read more about the affiliation in SWAMID's wiki.

Versioning

We add a version to the RADIUS realm for easier future rollover. E.g. 0dvao55fftqecma2@sunet-se--member.v1.geteduroam.se
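The realm layout described above (pseudonym, dashed domain, affiliation, version) can be split back into its fields when reading RADIUS logs or writing policy. The following is an added example, not Sunet's code; the names `GeteduroamIdentity`, `parse_identity` and `summarize` are hypothetical, and it assumes a single affiliation placed after the last `--`.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

class GeteduroamIdentity(NamedTuple):   # hypothetical name, not Sunet's
    pseudonym: str    # opaque per-profile username, not a person identifier
    org_dashed: str   # schacHomeOrganization with dots replaced by dashes
    affiliation: str
    version: int

# Layout taken from the examples on this page:
#   <pseudonym>@<org-with-dashes>--<affiliation>.v<N>.geteduroam.se
# Assumption: one affiliation is encoded, and it follows the LAST "--".
_REALM = re.compile(
    r"(?P<org>[a-z0-9-]+)--(?P<aff>[a-z]+(?:-[a-z]+)*)"
    r"\.v(?P<ver>[0-9]+)\.geteduroam\.se"
)

def parse_identity(identity: str) -> Optional[GeteduroamIdentity]:
    """Return the parsed fields, or None if the realm is not in this layout."""
    user, sep, realm = identity.strip().rpartition("@")
    if not sep or not user:
        return None
    m = _REALM.fullmatch(realm.lower())  # lower-cased before matching (assumption)
    if m is None or m["org"].startswith("-") or m["org"].endswith("-"):
        return None
    # The dashed org is kept as-is: "my-uni.se" and "my.uni.se" would both
    # become "my-uni-se", so the dots cannot be restored reliably.
    return GeteduroamIdentity(user, m["org"], m["aff"], int(m["ver"]))

def summarize(identities):
    """Count identities per (org, affiliation, version); None = other realm."""
    counts = Counter()
    for ident in identities:
        p = parse_identity(ident)
        counts[(p.org_dashed, p.affiliation, p.version) if p else None] += 1
    return counts

# Constructed sample usernames (only the first appears on this page).
SAMPLE = [
    "0dvao55fftqecma2@sunet-se--member.v1.geteduroam.se",
    "constructed0001@SUNET-SE--student.v1.geteduroam.se",
    "constructed0002@example-org--library-walk-in.v2.geteduroam.se",
    "someone@example.org",            # e.g. the old infrastructure in parallel
    "0dvao55fftqecma2@sunet-se",      # no affiliation or version: not matched
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(key, n)
```

Identities that return `None` are not necessarily invalid: they may belong to another realm or to a future layout, which the version field exists to signal.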

Validity

Each certificate/profile a user creates is valid for one year.

Retention

Expired/revoked certificates/profiles are stored for 6 months.

Tracing users (and revocation)

For now, only personnel at Sunet can trace or revoke a specific user. We hope to improve this in the near future™.

CAT

The institution handles its own profile(s) in eduroam CAT.

Parallelization

It's possible (and recommended) to run the institution's old infrastructure for eduroam authentication side by side with geteduroam.

Rollout

It's possible to test/roll out geteduroam at an institution without announcing it to all its users.



