Introduction to Moonshot August 2013 Why Moonshot? •Within education, there are a number of specialised federations: – UK federation - Access to web-based resources – eduroam - International wireless roaming – edugain - Access to resources worldwide •To build a single unified federation, we need a common interface, to allow us to federate anything and everything. Federations: Why Federate? •Costs can be reduced and shared •Users take better care of a single, reusable credential •Adding services is simple •Offers enhanced privacy to users •Access decisions can be delegated to the identity provider Federations: Why Federate? •The ATM doesn’t decide whether you get your money or not - that’s decided by your own bank •The ATM doesn’t validate your PIN and card either again, that’s checked by your own bank ABFAB Application Bridging for Federated Access Beyond web Interface: GSS •GSS-API is used by Moonshot to interface between applications and the relying party. – GSS is not the only API supported here - SASL and SSPI work too! Transport Credentials are transmitted from the end user to the RP using GSS - but how do the credentials then move credentials from the RP to the IdP? Transport: RadSec RadSec is a security focused evolution of RADIUS - a proven technology that you could be using right now. Moonshot uses RadSec to transport credentials between a Relying Party and the Identity Provider. Transport: RadSec •eduroam has been operating using RADIUS for 10 years •In the UK alone, there are currently 229 members •Last month, the UK saw 200,000 unique devices, and handled almost 10,000,000 successful authentications •54 countries worldwide Confidentiality One weakness that may be apparent is that credentials are sent to the RP - they could potentially alter them or worse, steal them. Confidentiality: EAP EAP provides a standard to encapsulate credentials, and protect them from being read by anything but the IdP - even the RP. EAP also provides “Channel Bindings” - allowing the IdP to verify the user is connecting to the RP they think they are. Rich Identity: SAML SAML provides a language to describe the properties a user might have - their role, email address, or name for example. Moonshot supports SAML, allowing the IdP to give this information to the RP. Moonshot Architecture (1) Credentialing (3) Authentication (5) Attributes (6) SSH session (2) SSH negotiation SSH client (4) RADIUS SSH server RADIUS server OpenSSH used as example of application; many others also apply 13 Scaling •Moonshot brings together a number of technologies: – GSS - a common interface between applications and services – RadSec - Secure AAA Transport – EAP - Protection for credentials – SAML - Rich identity information •How can these technologies be scaled for use beyond a single institution? Scaling: The Trust Router The trust router uses the concept of a “Web of Trust” to find a trusted path to a resource. You don’t necessarily trust the person holding the resource but you do trust the judgement of someone that can vouch for them. Scaling: The Trust Router University of Camford Janet Internet2 Oxfordshire NHS Trust Jisc Collections Blue Book Publishing Inc. Scaling: The Trust Router Moonshot and Trust Router Architecture Relying Party Session GSS EAP RP Proxy RadSec EAP Access-Accept Client TPQT.I. RadSec Access-Accept Trust Router Trust Router Temporary Identity IdP Proxy Trust Router Using Moonshot: UX [This slide intentionally left blank.] Using Moonshot: UX Using Moonshot: Why? •Enhanced UX and privacy – Improved SSO: users can access more resources more easily •No credential management – Home institution is responsible for provisioning credentials and support •Fine-grained security policies with minimal effort •Reduced management overhead Using Moonshot: Use Cases •Primarily Janet is supporting research users •Strong demand from local and central government, health, education and research for a federated desktop experience – Many desktops in these institutions run Windows – Janet’s SSPI provides this functionality already, but UX could be improved even further by tighter integration Using Moonshot: Use Cases “We aim to streamline access services using Moonshot technology, which will take the burden of authentication out of the hands of our users.” -- Dr Peter Oliver, Group Leader Science and Technology Facilities Council Using Moonshot: Use Cases “Moonshot is a valuable enabler for Cancer Research across the UK. It will make collaboration systems easy to build internally so that we can quickly share large data sets ,between institutes without complicating the management of that system.” -- Peter Maccallum, Head of IT & Scientific Computing CRUK Cambridge Research Institute Using Moonshot: Use Cases “Moonshot technology will give our university a better means of cooperating for research purposes using High Performance Computing” -- Alex Brulo, Senior Server Engineer (HPC) Aston University Using Moonshot: How •Anything that understands GSS or Kerberos can already support Moonshot. •Web based applications will be able to implement the Moonshot web plugin. •Non web applications - integrate GSS, SASL or SSPI directly. – Doing this will mean that it will work with not just Moonshot, but Kerberos/Active Directory, and more Janet’s Moonshot Pilot Moonshot Pilot Service •To assist pilot sites in implementing Moonshot to solve real use cases. •To fully test Janet support and infrastructure operations. •To develop, test & refine documentation, training and policies. •To inform and shape the business case for a full production service. Janet Pilot Sites • • • • • • • • • • • • • • • • London Research Institute Norfolk County Council Loughborough University Swansea University Newcastle University QCIF (also working with Monash Uni) Deutsches ElektronenSynchrotron Universidade do Porto University of Leicester Georgia Tech University of Leeds University of Nottingham Universidade Lusofona University of Westminster CANARIE Inc.. London Metropolitan University • Francis Crick Institute • E2BN (East of England RBC) • University of Edinburgh • Research Data, ISD, UCL • Queen Mary, University of London • Wellcome Trust Sanger Institute • GSI Darmstadt • University of Liverpoo • l University of Kent • University of Glasgow • University of Cambridge • University for the Creative Arts • Cardiff University and LIGO Scientific Collaboration • University of Leicester • STFC • Brunel University • Harper Adams University • University of Huddersfield • University of Southampton • Brunel University • Coleg Sir Gar • University of Sussex • University of Exeter • University of South Australia • Arkivum • Microsoft GÉANT GN3+ MOONSHOT PILOT GN3+ Pilot 2 year project to implement an eduGAIN pilot service to: • investigate the peering requirements between different NREN Trust Router infrastructures; • promote uptake of a standard non-web SSO solution across eduGAIN members; • implement non-web SSO for specific user-defined problems; • establish a policy framework within eduGAIN for pilot Communities of Interest Janet RedIRIS RENATER GN3+ NORDUnet (CSC) NIIFI SWITCH CESNET CARNet Further Information Moonshot Community website: • https://community.ja.net/groups/moonshot Software: • https://community.ja.net/groups/moonshot/wiki/getting-startedmoonshot-using-live-dvd Standards: • https://tools.ietf.org/wg/abfab THANK YOU Janet, Lumen House Library Avenue, Harwell Oxford Didcot, Oxfordshire t: +44 (0) 1235 822200 f: +44 (0) 1235 822399 e: service@ja.net