OpenRoaming and eduroam – Useful Information for eduroam Identity Providers and Service Providers

eduroam is a member of the Wireless Broadband Alliance (WBA) and a pioneer member of the OpenRoaming federation service, which enables automatic and secure Wi-Fi. eduroam strives to leverage the existing eduroam infrastructure to make OpenRoaming participation easy for eduroam participants.

With tooling provided by the eduroam Operations Team (currently in a PoC phase) it is possible for eduroam Identity Providers and Service Providers to participate in equivalent roles in OpenRoaming (OpenRoaming Identity Provider and/or OpenRoaming Access Network Provider). Use of these tools is subject to approval by the eduroam National Roaming Operator (NRO) to which the eduroam Identity Provider is connected. Currently, no eduroam NRO has opted out, so the service is available to all eduroam IdPs worldwide.

For eduroam Identity Providers, OpenRoaming participation is not an exclusive choice, but an optional add-on.

OpenRoaming Access Network Providers will only be able to authenticate the (currently still very small) subset of eduroam users whose eduroam Identity Provider has opted in.

The eduroam infrastructure tooling provides a significant portion of the steps needed to enable OpenRoaming, and is constantly evolving. However, some aspects of a deployment can only be done by eduroam participating organisations, on their own IT infrastructure.

eduroam Identity Providers (extending their role to additionally be OpenRoaming Identity Providers)

To enable support for OpenRoaming, eduroam Identity Providers need to implement several steps on top of their existing eduroam connection:

  • The DNS domain of the Identity Provider needs to provide a DNS record identifying it as an OpenRoaming realm. This DNS record needs to point to an endpoint accepting incoming RADIUS/TLS authentication requests (the eduroam Operations Team provides such an endpoint; there may also be specific endpoints on a national level, provided by the eduroam NRO).
    Note: It is possible that the OpenRoaming specification will evolve to require DNSSEC for that entry.
  • The Identity Provider needs to install OpenRoaming deployment profiles onto its end user devices, so that the devices recognise OpenRoaming hotspots and attempt the appropriate connection. The eduroam Operations Team’s eduroam Configuration Assistant Tool (CAT) has preliminary support for several operating systems, and the next release (2.1) will support this in a more streamlined way.
  • The Identity Provider must make its end-users aware of the OpenRoaming Terms & Conditions prior to first use. This can be done out-of-band (e.g. during standard student sign-up procedures) or online during provisioning. Again, limited support for doing this during onboarding is present in the current CAT version, with refinements in the next version.
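The first step above, the DNS record that routes OpenRoaming authentication requests to a RADIUS/TLS endpoint, is the one an IdP operator most often gets wrong. The following Python example, added here and not part of the eduroam wiki or the CAT tooling, walks the NAPTR → SRV → host:port discovery chain of RFC 7585 (the mechanism eduroam uses for RADIUS/TLS dynamic discovery; the page itself does not name the record type, so its use for the OpenRoaming entry is an assumption). It runs against a constructed, offline stand-in for DNS, so all realm and host names are invented, and it reports whether the answers would have carried DNSSEC validation, since the note above says that may become a requirement.

```python
"""
Added example: resolve an OpenRoaming/eduroam realm to its RADIUS/TLS endpoints
by following RFC 7585 style NAPTR -> SRV records, using a constructed offline
stand-in for a DNS resolver. All names and records below are invented.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RADSEC_SERVICE = "aaa+auth:radius.tls.tcp"  # NAPTR service tag for RADIUS/TLS (RFC 7585)
RADSEC_DEFAULT_PORT = 2083                   # IANA-registered port for RADIUS/TLS

# Constructed DNS answers. "ad" mimics the Authenticated Data flag a validating
# resolver sets when the answer was DNSSEC-signed and validated.
FAKE_DNS: Dict[Tuple[str, str], dict] = {
    ("example-university.edu", "NAPTR"): {
        "ad": False,
        "records": [
            # (order, preference, flags, service, regexp, replacement)
            (100, 10, "s", RADSEC_SERVICE, "", "_radiustls._tcp.example-university.edu."),
            (100, 20, "s", RADSEC_SERVICE, "", "_radiustls._tcp.backup.example-nro.net."),
            (100, 30, "s", "aaa+auth:radius.dtls.udp", "", "_radiusdtls._udp.example-university.edu."),
        ],
    },
    ("_radiustls._tcp.example-university.edu", "SRV"): {
        "ad": False,
        "records": [(0, 10, 2083, "radsec.example-university.edu.")],  # (prio, weight, port, target)
    },
    ("_radiustls._tcp.backup.example-nro.net", "SRV"): {
        "ad": False,
        "records": [(0, 10, 2083, "radsec.example-nro.net.")],
    },
}


@dataclass
class Endpoint:
    host: str
    port: int
    naptr_order: int
    naptr_pref: int


@dataclass
class DiscoveryResult:
    endpoints: List[Endpoint] = field(default_factory=list)
    dnssec_validated: bool = False
    problems: List[str] = field(default_factory=list)


def _lookup(dns: Dict[Tuple[str, str], dict], name: str, rtype: str) -> Optional[dict]:
    """Return the constructed answer for (name, rtype), ignoring a trailing dot."""
    return dns.get((name.rstrip("."), rtype))


def discover(realm: str, dns: Dict[Tuple[str, str], dict] = FAKE_DNS) -> DiscoveryResult:
    """Follow NAPTR (service aaa+auth:radius.tls.tcp) and SRV records to RADIUS/TLS endpoints."""
    result = DiscoveryResult()
    naptr = _lookup(dns, realm, "NAPTR")
    if naptr is None:
        result.problems.append(f"no NAPTR record for realm {realm}: realm is not discoverable")
        return result
    result.dnssec_validated = naptr["ad"]

    # Lowest order first, then lowest preference, as NAPTR semantics require.
    for order, pref, flags, service, regexp, repl in sorted(naptr["records"], key=lambda r: (r[0], r[1])):
        if service != RADSEC_SERVICE:
            continue  # other transports are not RADIUS/TLS; skip silently
        if regexp:
            result.problems.append("regexp-based NAPTR rewriting is not handled here")
            continue
        if flags == "s":  # replacement is an SRV owner name
            srv = _lookup(dns, repl, "SRV")
            if srv is None:
                result.problems.append(f"NAPTR points to {repl} but no SRV record exists")
                continue
            result.dnssec_validated = result.dnssec_validated and srv["ad"]
            for _prio, _weight, port, target in sorted(srv["records"], key=lambda r: (r[0], -r[1])):
                result.endpoints.append(Endpoint(target.rstrip("."), port, order, pref))
        elif flags == "a":  # replacement is a hostname; RADIUS/TLS uses the default port
            result.endpoints.append(Endpoint(repl.rstrip("."), RADSEC_DEFAULT_PORT, order, pref))
        else:
            result.problems.append(f"unsupported NAPTR flag {flags!r}")

    if not result.endpoints:
        result.problems.append("no usable RADIUS/TLS endpoint found for realm")
    if not result.dnssec_validated:
        result.problems.append("discovery answers were not DNSSEC-validated")
    return result


if __name__ == "__main__":
    r = discover("example-university.edu")
    for e in r.endpoints:
        print(f"{e.host}:{e.port} (order {e.naptr_order}, pref {e.naptr_pref})")
    for p in r.problems:
        print("warning:", p)
```

For a real check, replace `FAKE_DNS` with answers from a validating resolver (e.g. the output of `dig +dnssec NAPTR <realm>`) and confirm that the first endpoint returned is the RADIUS/TLS endpoint your NRO or the eduroam Operations Team assigned to you; the DNSSEC warning tells you whether the zone is already prepared for the possible future requirement mentioned above.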

Initial configuration instructions are provided on the eduroam wiki:

eduroam Service Providers (i.e. future OpenRoaming Access Network Providers)

The configuration of Wi-Fi equipment for eduroam is independent of that for OpenRoaming. In order to enable a Wi-Fi hotspot for OpenRoaming the service provider must:

  • Have Wi-Fi equipment that supports Wi-Fi Certified Passpoint R1.
  • Use manufacturer-provided OpenRoaming uplinks or a PoC-level proxy operated by the eduroam Operations Team (note this option is only provided for existing eduroam SPs).
  • Allow access to the OpenRoaming user group “Educational or Research Identity, settlement-free, baseline QoS” as a minimum.

Initial configuration instructions are provided on the eduroam wiki:
