A cross-layer SSO solution for federating access to kerberized services in the eduroam/DAMe network

Eduroam has become one of the main examples of network federations around the world, where hundred of institutions allow roaming end users to access the local network if they belong to any other eduroam member institution. In this context, this paper proposes how, once the end user is authenticated by the network, she can access additional federated application services (beyond the web) by means of Kerberos, without deploying additional cross-realm infrastructures. With the support of existing eduroam architecture, this proposal prevents the end user from being fully authenticated by her home institution again to access the application services, which do not need to be modified. Finally, optional advanced authorization can be used to provide added value services to end users.