Project Moonshot
February 2012
Background
Why Janet?
- Janet is a trusted provider of mission-critical network services to the UK education & research community
- Janet has significant expertise in developing and operating federated authentication & authorisation infrastructure (AAI)
- On the basis of this experience and customer demand, we decided that existing federation solutions were not sufficient
Three solutions for a similar problem…
- eduroam service: based on RADIUS technology; typically for making security claims for network single sign-on
- Identity federation: based on SAML technology; typically for making security claims for web single sign-on
- Certificate service: based on X.509 technology; typically for making security claims for SSL-based applications
Federated identity is fragmented…
Today’s implementations of federated identity are a collection of technologies with different:
- Aims & objectives
- Technical infrastructures & capabilities
- Policy requirements & overheads
Not a great customer experience…
- Customers have to sign up to multiple policies and manage multiple federation technologies
- Significant overhead for activities that are conceptually similar, imposing unnecessary costs
- “I can only afford to implement eduroam or UK federation; which should I do?” – Janet customer
- Three completely different technologies – and still no solution for many key customer use cases!
Moonshot goals
- Lower the barriers to business between our customers
- Reduce the cost and time to market for new services
- Drive down operational costs for both Janet and our customers
Moonshot vision
“To deliver a unified approach for securing access to any service or application, enabling new opportunities, business models and cost efficiencies”
Use cases
Grid computing @ STFC
- STFC operates the UK’s National Grid Service
- Existing X.509 authentication is too complex for users
- Goal to simplify authentication across distributed computing Grids
“We aim to streamline access services using Moonshot technology, which will take the burden of authentication out of the hands of our users.” – Dr Peter Oliver, Group Leader, Science and Technology Facilities Council
Console access @ Diamond Light Source
- The UK’s national synchrotron facility
- Piloting Moonshot within the PANDATA project, which supports 30,000 scientists at 20+ photon and neutron facilities
- Federated access needed to physical and remote (SSH) consoles
“Moonshot has thought beyond websites, and looked at what is really required in authentication – right down to the point when you open your laptop to begin work.” – Bill Pulford, Head of DASC, Diamond Light Source
Sharing data @ Cancer Research UK
- Cancer Research UK is the world’s leading charity dedicated to beating cancer through research.
- The institutes form ad hoc relationships to collaborate for research purposes, but when the need arises to share data and documents, each institute can only authenticate within their own organisation.
“Moonshot is a valuable enabler for Cancer Research across the UK. It will make collaboration systems easy to build internally so that we can quickly share large data sets between institutes, without complicating the management of that system.” – Peter Maccallum, Head of IT & Scientific Computing, CRUK Cambridge Research Institute
Cloud services @ Janet Brokerage
The Janet Brokerage works with the community and suppliers to provide solutions based on ‘IT as a service’, facilitating the uptake of data centre, hosted and cloud services:
- Create efficiencies and cost savings
- Accelerate and improve services and add value
- Reduce risk in adopting new services
- Address technical and business questions
- Create a competitive market based on sound technical platforms
The main challenges from our customers
- Extend the use of federated identity to all network-connected systems, applications and services
- Support any deployment model: centralised, distributed & cloud
- Enable the use of any kind of authentication credential
- Supersize it! Enable this for millions of system entities and users
Technology overview
Moonshot technologies
Moonshot builds on the eduroam technologies:
- EAP (RFC 3748): strong mutual authentication
- RADIUS (RFC 2865): federation between domains
To this, Moonshot adds SAML, for rich authorisation semantics.
Integration using operating system security APIs:
- SSPI: Windows
- GSS-API (RFC 2078): other operating systems
- SASL (RFC 4422): Windows and other operating systems
Deployment requirements
Most Higher Education organisations are nearly Moonshot-ready today:
- A connection to eduroam
- A RADIUS server (any modern RADIUS product should support pre-production testing today). There is also an experimental capability to integrate FreeRADIUS with the Shibboleth IdP
- Moonshot client and server plug-in
  - Linux: packaging available for Debian & RHEL; Scientific Linux soon
  - Windows: native support using prototype plugin
  - Mac: packaging almost complete for Snow Leopard and Lion
- Moonshot Identity Selector to facilitate the selection of an identity to use, for GUI environments (Windows, Mac & Linux)
Architecture
[Diagram: SSH client, SSH server and RADIUS server, with numbered exchanges]
(1) Credentialing
(2) SSH negotiation
(3) Authentication
(4) RADIUS
(5) Attributes
(6) SSH session
OpenSSH used as example of application; many others also apply.
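The RADIUS leg of the diagram (steps (4) and (5)) is where the SSH server, acting as the RADIUS client, receives the Access-Accept that carries the user's attributes from the federation RADIUS server. In Moonshot the user is authenticated by the EAP exchange carried inside that hop, so what the SSH server still has to check for itself is that the Accept it acts on is authentic and answers the request it sent. The following is an added example, not Moonshot project code, of that check as RFC 2865 (cited on the technologies slide) defines it: the 16-byte Response Authenticator is MD5 over Code, Identifier, Length, the Request Authenticator from the original Access-Request, the attributes, and the shared secret. The shared secret, identifier, user name and the choice of attributes are constructed for the example.

```python
"""Build and verify a RADIUS Access-Accept at the relying party (the SSH server
in the architecture above). Constructed example, not Moonshot project code."""
import hashlib
import hmac
import os
import struct

# RADIUS codes and standard attribute types from RFC 2865
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
USER_NAME = 1
REPLY_MESSAGE = 18
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attributes(attrs):
    """Encode (type, value) pairs as RADIUS TLVs; length field covers the 2-byte header."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long for a single TLV")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def decode_attributes(blob):
    """Parse TLVs defensively: reject truncated headers and lengths that overrun the packet."""
    attrs, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", blob[pos:pos + 2])
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((atype, blob[pos + 2:pos + alen]))
        pos += alen
    return attrs


def response_authenticator(code, ident, request_auth, attr_bytes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attr_bytes))
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()


def build_response(code, ident, request_auth, attrs, secret):
    """What the RADIUS server sends back for the request identified by (ident, request_auth)."""
    attr_bytes = encode_attributes(attrs)
    auth = response_authenticator(code, ident, request_auth, attr_bytes, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attr_bytes)) + auth + attr_bytes


def verify_response(packet, expected_ident, request_auth, secret):
    """Return (code, attributes) only if the reply is intact, keyed with our shared secret,
    and bound to the Request Authenticator we sent; otherwise return None."""
    if len(packet) < HEADER_LEN:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != expected_ident:
        return None
    attr_bytes = packet[HEADER_LEN:]
    expected = response_authenticator(code, ident, request_auth, attr_bytes, secret)
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        return None
    return code, decode_attributes(attr_bytes)


def demo():
    """Genuine Accept is accepted; a modified Accept and one bound to another request are not."""
    secret = b"example-shared-secret"  # constructed per-link secret between NAS and RADIUS server
    ident = 0x2A
    request_auth = os.urandom(16)  # the Request Authenticator the NAS placed in its Access-Request
    attrs = [(USER_NAME, b"alice@idp.example"), (REPLY_MESSAGE, b"welcome")]  # constructed
    reply = build_response(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    ok = verify_response(reply, ident, request_auth, secret)
    tampered = bytearray(reply)
    tampered[-1] ^= 0x01  # flip one attribute byte in transit
    bad = verify_response(bytes(tampered), ident, request_auth, secret)
    replayed = verify_response(reply, ident, os.urandom(16), secret)  # answer to some other request
    return ok is not None, bad is None, replayed is None


if __name__ == "__main__":
    print(demo())
```

The check binds the Accept to the shared secret and to the specific request, so a stale or altered Accept from the federation side is discarded before any attribute in it is used for authorisation. It protects only this hop; the user's credential itself is never exposed to the SSH server because it travels inside EAP.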
Application support
- Most modern applications use at least one of the security APIs supported by Moonshot
- Correctly written applications will ‘just work’ without modification or recompilation
- Less correctly written applications may require minor modifications
- Project Moonshot is testing applications and sending patches upstream
Tested scenarios (screenshot slides)
- PuTTY with OpenSSH
- Internet Explorer with Apache
- Outlook 2010 with Exchange 2010
Examples of other tested scenarios
- OpenSSH client → OpenSSH server (GSS)
- OpenLDAP client → OpenLDAP server (SASL)
- OpenLDAP client (GSS) → Windows Active Directory (SSPI)
- Firefox → Apache (GSS)
- Internet Explorer → IIS (SSPI)
- MyProxy client → MyProxy server (SASL)
- Adium → Jabberd (SASL)
- Console authentication using PAM/GSS on Linux and SSPI on Windows
Standardisation
The architecture is currently being standardised within the IETF’s ‘Abfab’ working group. See https://datatracker.ietf.org/wg/abfab for documents.
The key documents are:
- draft-ietf-abfab-arch, describing the high-level architecture
- draft-ietf-abfab-gss-eap, describing the core “GSS EAP” technology
- draft-ietf-abfab-aaa-saml, describing the use of SAML
Get involved!
- The project is a Janet-led initiative, with contributions from GÉANT and others
- http://www.project-moonshot.org/using describes installing, configuring and using Moonshot. An installable Live DVD (Debian-based) is available, in addition to Debian, CentOS and Scientific Linux packages
- https://www.jiscmail.ac.uk/MOONSHOT-COMMUNITY is our community mailing list
- We also have a Jabber room at moonshot@groupchat.nordu.net
Technology pilot
Technology pilot goals
1. To test the suitability of the Moonshot technology for deployment, focusing on e-Research use cases
2. To identify what further work is needed to support the wider community’s use of the technology
3. To plan, implement or support this additional work
Current status
- Pilot sites connected to Janet’s eduroam infrastructure
- Software ready for pre-production testing only
- Production-quality environment due Q1 2012
- IETF standardisation approaching completion
- On-going discussions with OS and application vendors
Future plans
The next six months
The primary activities will be:
- Continuation of the existing Technology Pilot
- Improvement and refinement of core software
- Outreach to other stakeholders
- Development of the final element needed for a production-ready service
- Completion of standardisation
Conclusions
- Moonshot provides a standardised next-generation identity & trust technology
- Moonshot builds on widely deployed technologies and infrastructure
- Moonshot provides a cross-platform implementation ready for pre-production testing
- Moonshot will provide the trust & identity platform for Janet’s services
Q & A