Moonshot - Rhys Smith

Published in: Technology

  1. Moonshot: What is it, and what does it mean for you?
     Rhys Smith, Cardiff University & JANET(UK)
     © JANET(UK) 2011
  2. Agenda
     1. Federated Identity today
     2. What is Moonshot
     3. How does Moonshot work?
     4. Moonshot and You
     5. Moonshot today
  3. Federated Identity Today
  4. First, an Observation:
  5. Federated Identity is good
     • Well accepted by now?
       – Reduces credentialing overhead for services
       – Reduces credential management for users
       – Increases security due to increased applicability of home credentials
       – Etc.
     • Now that’s done, let’s get on with the interesting bit!
  6. However:
  7. Federated Identity today is fragmented
     • Today’s implementation of federated identity is a collection of technologies with different:
       – Aims & Objectives
       – Technical capabilities
       – Management overhead
       – Policy requirements and overhead
  8. Federated Identity today is fragmented
     • For example:
       – Federated Network Authentication
         • Builds on 802.1X / EAP
           – RADIUS
           – DIAMETER
  9. Federated Identity today is fragmented
     • For example:
       – Application Authentication
         • HTTP based protocols
           – SAML
           – Liberty
           – OpenID / OAuth
           – Facebook Connect
  10. What does this mean for you?
     • Organisations have to:
       – Sign up to multiple policies
       – Manage different federated technologies separately
     • Unnecessary overhead for things which are conceptually the same?
     • Also: no federated authentication to non-web applications/protocols
  11. What is Moonshot?
  12. Moonshot is a unifying architecture for federation
     • Comprehensive solution for internet trust and Federated Identity
  13. Moonshot is a unifying architecture for federation
     • Vision
       – A unified approach
       – For securing access to any service or application
       – Enabling new opportunities, business models and cost efficiencies.
  14. Moonshot is a unifying architecture for federation
     • Builds on existing deployed technologies
       – Mature common operating system security APIs
         • GSS-API / SSPI / SASL
         • (Kerberos is an example of a GSS-API implementation)
       – Mature RADIUS / EAP technology
         • (5 billion cellphones can’t be wrong!)
       – Mature SAML technology
  15. Moonshot is a unifying architecture for federation
     • Builds on existing investments:
       – Eduroam & UK federation
       – Both highly successful at what they do
       – Both deployed and used heavily
       – (Both limited in scope)
     • Note: Builds on, not replaces. Moonshot is complementary to these services, not competitive
  16. That was all a bit abstract… Seriously now, what is Moonshot?
  17. Moonshot enables federated authentication to any application, anytime, anywhere
     • Federated authentication for your users to any application that supports these common operating system security APIs
       – Which is many!
       – (Many applications that support Kerberos will work with zero or trivial changes)
  18. Gratuitous Screenshots:
  19–23. [Screenshots; no text]
  24. Moonshot enables federated authentication to any application, anytime, anywhere
     • Tested examples include:
       – OpenSSH client & PuTTY -> OpenSSH server (GSS)
       – OpenLDAP client -> OpenLDAP server & AD (GSS)
       – OpenLDAP client -> Windows Active Directory (SSPI)
       – Firefox -> Apache (GSS)
       – MyProxy client -> MyProxy server (SASL)
       – Adium -> Jabberd (SASL)
       – Console authentication using PAM (GSS)
       – Outlook 2010 -> Exchange 2010 (SSPI)
  25. How does Moonshot work?
  26. [Diagram: SSH client, SSH server and RADIUS server, with the steps (1) Credentialing, (2) SSH negotiation, (3) Authentication, (4) RADIUS, (5) Authorisation, (6) SSH session]
     SSH used as example of application; many others also apply
  27. Best of Both Worlds
     • Moonshot incorporates:
       – The authentication strength and flexibility of RADIUS
         • E.g. eduroam – federated network authentication across 57 countries
       – The authorisation strength and flexibility of SAML
         • Express completely arbitrary information about users from IdP to RP
  28. Moonshot and You
  29. Moonshot typically requires little or no extra infrastructure
     • If you already do eduroam and UK federation
       – You already have a RADIUS and a SAML server
       – Just update them and do a bit of config to hook them up
     • Co-exists with existing eduroam and UK federation services
  30. Existing infrastructure
     [Diagram: RADIUS server, SAML server]
  31. Infrastructure for Moonshot
     [Diagram: Moonshot, RADIUS server, SAML server]
  32. Moonshot typically requires little or no extra infrastructure
     • …plus a client piece on your users’ devices
       – Moonshot libraries
       – Identity Selector
     • Linux and Mac today
     • Windows Q1 2012
  33. Moonshot today
  34. Current status
     • Software almost complete
     • Ready for pre-production testing
     • JANET Moonshot Technology Pilot started
     • IETF standardisation in progress
     • Co-ordination with International partners (e.g. Internet2, SURFnet, etc)
     • Plans for native Windows integration Q1 2012
  35. Future plans
     • Possible expansion of scope of Technology Pilot in April 2012, if customer feedback is positive
     • Continue working with operating system vendors to improve and incorporate Moonshot support
     • Continue working with JANET community to understand customer requirements and inform development
  36. A Quick Summary…
     • Moonshot presents a unifying architecture for federation
     • Moonshot enables federated authentication to any application, anytime, anywhere
     • Moonshot typically requires little or no extra infrastructure
  37. Any Questions?
