Introduction to Moonshot presentation Aug 2013

Introduction to
Moonshot
August 2013
Why Moonshot?
•Within education, there are a number of specialised federations:
– UK federation - Access to web-based resources
– eduroam - International wireless roaming
– edugain - Access to resources worldwide
•To build a single unified federation, we need a common interface, to allow us to federate anything and everything.
Federations: Why Federate?
•Costs can be reduced and shared
•Users take better care of a single, reusable credential
•Adding services is simple
•Offers enhanced privacy to users
•Access decisions can be delegated to the identity provider
Federations: Why Federate?
•The ATM doesn’t decide whether you get your money or not - that’s decided by your own bank
•The ATM doesn’t validate your PIN and card either - again, that’s checked by your own bank
ABFAB
Application Bridging for Federated Access Beyond web
Interface: GSS
•GSS-API is used by Moonshot to interface between applications and the relying party.
– GSS is not the only API supported here - SASL and SSPI work too!
Transport
Credentials are transmitted from the end user to the RP using GSS - but how do the credentials then move from the RP to the IdP?
Transport: RadSec
RadSec is a security focused evolution of RADIUS - a proven technology that you could be using right now.
Moonshot uses RadSec to transport credentials between a Relying Party and the Identity Provider.
Transport: RadSec
•eduroam has been operating using RADIUS for 10 years
•In the UK alone, there are currently 229 members
•Last month, the UK saw 200,000 unique devices, and handled almost 10,000,000 successful authentications
•54 countries worldwide
Confidentiality
One weakness that may be apparent is that credentials are sent to the RP - they could potentially alter them or worse, steal them.
Confidentiality: EAP
EAP provides a standard to encapsulate credentials, and protect them from being read by anything but the IdP - even the RP.
EAP also provides “Channel Bindings” - allowing the IdP to verify the user is connecting to the RP they think they are.
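The channel-binding check described above, as an added, simplified model (not code from the Moonshot project): the client states inside the EAP tunnel which acceptor it believes it is talking to, the RP states the same facts in the cleartext RADIUS attributes defined by RFC 7055, and the IdP accepts only when the two agree. The attribute values and the `AcceptorName` class are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# RADIUS attributes (RFC 7055) in which the RP states who it is to the IdP.
RADIUS_ATTRS = {
    "service": "GSS-Acceptor-Service-Name",
    "host": "GSS-Acceptor-Host-Name",
    "realm": "GSS-Acceptor-Realm-Name",
}


@dataclass
class AcceptorName:
    """The acceptor (RP) identity the client bound inside the EAP tunnel."""
    service: str
    host: str
    realm: str


def check_channel_binding(client_view: Optional[AcceptorName],
                          radius_attrs: dict,
                          require: bool = True) -> Tuple[bool, str]:
    """Return (accept, reason).

    client_view is what the client put inside the EAP tunnel, which the RP
    relays but cannot read or alter; radius_attrs is what the RP asserted
    outside the tunnel. A mismatch means the client is not talking to the RP
    it believes it is, so the IdP must not accept or release attributes.
    """
    if client_view is None:
        # Client did not bind the channel: accept only if policy allows it.
        return (not require, "no channel binding from client")
    for field, attr in RADIUS_ATTRS.items():
        rp_value = radius_attrs.get(attr)
        expected = getattr(client_view, field)
        if rp_value is None:
            return (False, f"RP omitted {attr}")
        # Host names and realms are compared case-insensitively.
        if rp_value.lower() != expected.lower():
            return (False, f"{attr} mismatch: RP says {rp_value!r}, "
                           f"client bound {expected!r}")
    return (True, "channel binding verified")


# Constructed sample request attributes from an honest RP.
HONEST_RP = {
    "GSS-Acceptor-Service-Name": "host",
    "GSS-Acceptor-Host-Name": "ssh.camford.example",
    "GSS-Acceptor-Realm-Name": "camford.example",
}
```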
Rich Identity: SAML
SAML provides a language to describe the properties a user might have - their role, email address, or name for example.
Moonshot supports SAML, allowing the IdP to give this information to the RP.
Moonshot Architecture
[Diagram: SSH client, SSH server and RADIUS server, with the flow numbered (1) Credentialing, (2) SSH negotiation, (3) Authentication, (4) RADIUS, (5) Attributes, (6) SSH session]
OpenSSH used as example of application; many others also apply
Scaling
•Moonshot brings together a number of technologies:
– GSS - a common interface between applications and services
– RadSec - Secure AAA Transport
– EAP - Protection for credentials
– SAML - Rich identity information
•How can these technologies be scaled for use beyond a single institution?
Scaling: The Trust Router
The trust router uses the
concept of a “Web of Trust” to
find a trusted path to a
resource.
You don’t necessarily trust the
person holding the resource but you do trust the judgement
of someone that can vouch for
them.
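The web-of-trust idea above as an added, illustrative model (not the Trust Router protocol or its code): each organisation's trust router accepts vouching from a few peers, and a relying party can trust an unfamiliar identity provider only if a chain of vouching peers links them. The organisation names are the ones used on the following slide; the peering links between them are constructed for the example.

```python
from collections import deque
from typing import Dict, List, Optional, Set

# Constructed peering graph: for each organisation, the peers whose vouching
# its trust router accepts. Names are from the slide; the links are invented.
TRUST_PEERS: Dict[str, Set[str]] = {
    "University of Camford": {"Janet"},
    "Janet": {"University of Camford", "Internet2",
              "Jisc Collections", "Oxfordshire NHS Trust"},
    "Internet2": {"Janet", "Blue Book Publishing Inc."},
    "Jisc Collections": {"Janet"},
    "Oxfordshire NHS Trust": {"Janet"},
    "Blue Book Publishing Inc.": {"Internet2"},
}


def find_trust_path(peers: Dict[str, Set[str]], origin: str, target: str,
                    max_hops: int = 4) -> Optional[List[str]]:
    """Breadth-first search for the shortest chain of vouching organisations
    from origin (the relying party's side) to target (the identity provider's).
    Returns the organisations on the chain, or None if no chain of at most
    max_hops links exists, in which case the RP has no basis to trust the IdP."""
    if origin == target:
        return [origin]
    queue = deque([[origin]])
    seen = {origin}
    while queue:
        path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue  # chain is as long as policy allows; do not extend it
        for nxt in sorted(peers.get(path[-1], ())):  # sorted for determinism
            if nxt in seen:
                continue
            seen.add(nxt)
            if nxt == target:
                return path + [nxt]
            queue.append(path + [nxt])
    return None
```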
Scaling: The Trust Router
[Diagram: example web of trust linking University of Camford, Janet, Internet2, Oxfordshire NHS Trust, Jisc Collections and Blue Book Publishing Inc.]
Scaling: The Trust Router
Moonshot and Trust Router Architecture
[Diagram: Client and Relying Party with a GSS session carrying EAP; RP Proxy to IdP Proxy over RadSec carrying EAP, with Access-Accept returned along the same path; Trust Routers on the RP and IdP sides issuing a Temporary Identity; IdP]
Using Moonshot: UX
[This slide intentionally left blank.]
Using Moonshot: UX
Using Moonshot: Why?
•Enhanced UX and privacy
– Improved SSO: users can access more resources more easily
•No credential management
– Home institution is responsible for provisioning credentials and support
•Fine-grained security policies with minimal effort
•Reduced management overhead
Using Moonshot: Use Cases
•Primarily Janet is supporting research users
•Strong demand from local and central government, health, education and research for a federated desktop experience
– Many desktops in these institutions run Windows
– Janet’s SSPI provides this functionality already, but UX could be improved even further by tighter integration
Using Moonshot: Use Cases
“We aim to streamline access services using Moonshot technology, which will take the burden of authentication out of the hands of our users.”
-- Dr Peter Oliver, Group Leader, Science and Technology Facilities Council
Using Moonshot: Use Cases
“Moonshot is a valuable enabler for Cancer Research across the UK. It will make collaboration systems easy to build internally so that we can quickly share large data sets between institutes without complicating the management of that system.”
-- Peter Maccallum, Head of IT & Scientific Computing, CRUK Cambridge Research Institute
Using Moonshot: Use Cases
“Moonshot technology will give our university a better means of cooperating for research purposes using High Performance Computing”
-- Alex Brulo, Senior Server Engineer (HPC), Aston University
Using Moonshot: How
•Anything that understands GSS or Kerberos can already support Moonshot.
•Web based applications will be able to implement the Moonshot web plugin.
•Non web applications - integrate GSS, SASL or SSPI directly.
– Doing this will mean that it will work with not just Moonshot, but Kerberos/Active Directory, and more
Janet’s Moonshot Pilot
Moonshot Pilot Service
•To assist pilot sites in implementing Moonshot to solve real use cases.
•To fully test Janet support and infrastructure operations.
•To develop, test & refine documentation, training and policies.
•To inform and shape the business case for a full production service.
Janet Pilot Sites
• London Research Institute
• Norfolk County Council
• Loughborough University
• Swansea University
• Newcastle University
• QCIF (also working with Monash Uni)
• Deutsches Elektronen-Synchrotron
• Universidade do Porto
• University of Leicester
• Georgia Tech
• University of Leeds
• University of Nottingham
• Universidade Lusofona
• University of Westminster
• CANARIE Inc.
• London Metropolitan University
• Francis Crick Institute
• E2BN (East of England RBC)
• University of Edinburgh
• Research Data, ISD, UCL
• Queen Mary, University of London
• Wellcome Trust Sanger Institute
• GSI Darmstadt
• University of Liverpool
• University of Kent
• University of Glasgow
• University of Cambridge
• University for the Creative Arts
• Cardiff University and LIGO Scientific Collaboration
• University of Leicester
• STFC
• Brunel University
• Harper Adams University
• University of Huddersfield
• University of Southampton
• Brunel University
• Coleg Sir Gar
• University of Sussex
• University of Exeter
• University of South Australia
• Arkivum
• Microsoft
GÉANT GN3+ MOONSHOT PILOT
GN3+ Pilot
2 year project to implement an eduGAIN pilot service to:
• investigate the peering requirements between different NREN Trust Router infrastructures;
• promote uptake of a standard non-web SSO solution across eduGAIN members;
• implement non-web SSO for specific user-defined problems;
• establish a policy framework within eduGAIN for pilot Communities of Interest
[Diagram: GN3+ pilot participants - Janet, RedIRIS, RENATER, NORDUnet (CSC), NIIFI, SWITCH, CESNET, CARNet]
Further Information
Moonshot Community website:
• https://community.ja.net/groups/moonshot
Software:
• https://community.ja.net/groups/moonshot/wiki/getting-startedmoonshot-using-live-dvd
Standards:
• https://tools.ietf.org/wg/abfab
THANK YOU
Janet, Lumen House
Library Avenue, Harwell Oxford
Didcot, Oxfordshire
t: +44 (0) 1235 822200
f: +44 (0) 1235 822399
e: service@ja.net