Project Moonshot
Technology, use cases & pilot
17 January 2012, Haka conference, Helsinki
Project Moonshot: Background
Why Janet?
• Trusted provider of mission-critical network services to the UK education & research community
• Expertise in developing and operating AAI
• Demand from both internal and external customers
Vision
To deliver a unified approach for securing access to any service or application, enabling new opportunities, business models and cost efficiencies.
Project Moonshot: Use cases
Science & Technology Facilities Council
• Operates the UK’s National Grid Service
• X.509 authentication too complex for users
• Goal to simplify authentication across distributed computing Grids
“We aim to streamline access services using Moonshot technology, which will take the burden of authentication out of the hands of our users.”
Dr Peter Oliver, Group Leader, Science and Technology Facilities Council
Diamond Light Source
• The UK’s national synchrotron facility
• Piloting the use of Moonshot within the PANDATA project, which supports 30,000 scientists at more than 20 photon and neutron facilities
“Moonshot has thought beyond websites, and looked at what is really required in authentication – right down to the point when you open your laptop to begin work.”
Bill Pulford, Head of DASC, Diamond Light Source
Cancer Research UK
• Cancer Research UK is the world’s leading charity dedicated to beating cancer through research.
• The institutes form ad hoc relationships to collaborate for research purposes, but when the need arises to share data and documents, each institute can only authenticate within its own organisation.
“Moonshot is a valuable enabler for Cancer Research across the UK. It will make collaboration systems easy to build internally so that we can quickly share large data sets between institutes, without complicating the management of that system.”
Peter Maccallum, Head of IT & Scientific Computing, CRUK Cambridge Research Institute
Janet Brokerage
• Work with the community and suppliers to provide solutions based on IT as a service, facilitating the uptake of data centre, hosted and cloud services.
• Create efficiencies and cost savings
• Accelerate and improve services and add value
• Reduce risk in adopting new services
• Address technical and business questions
• Create a competitive market based on sound technical platforms
Moonshot & Hosted Exchange PoC
• A number of Universities running student but not staff email due to privacy issues
• Create a hosted Exchange with Moonshot components integrated
• Creates an interesting usage model for suppliers and users
• Sets an example to the two major cloud providers
Some key challenges
• Federated authentication for web and other applications
• Different deployment models: centralised, distributed & cloud (private, public & hybrid)
• Need to easily use different types of credentials
• Federated authentication to workstations, not just apps
• Massive scale – at least tens of millions of entities
Project Moonshot: Technology overview
Underlying technologies
• Moonshot builds on the eduroam technologies
  • EAP (RFC 3748): strong mutual authentication
  • RADIUS (RFC 2865): federation between domains
• To this, Moonshot adds
  • SAML, for rich authorisation semantics
  • Application integration, using operating system security APIs
    • SSPI: Windows
    • GSS-API (RFC 2078): other operating systems
    • SASL (RFC 4422): Windows and other operating systems
• This architecture is being standardised within the IETF ABFAB working group
Architecture
[Diagram: SSH client, SSH server and RADIUS server, with the numbered flow (1) Credentialing, (2) SSH negotiation, (3) Authentication, (4) RADIUS, (5) Attributes, (6) SSH session]
OpenSSH used as example of application; many others also apply
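To make the six-step flow and the EAP/RADIUS/SAML layering concrete, here is an added toy model of the Moonshot triangle (not code from the project, and not the real EAP, RADIUS or GSS wire formats): the SSH server relays opaque EAP messages between the client and the home realm's RADIUS server, the federation routes on the realm in user@realm, and attributes come back with the accept. Realm names, users, passwords and the "affiliation" attribute are constructed; the HMAC challenge-response stands in for a real EAP method's cryptography.

```python
import hashlib, hmac, secrets

def prf(password, challenge, side):  # stand-in for the EAP method's real cryptography
    return hmac.new(password.encode(), challenge + side, hashlib.sha256).digest()

class HomeRadius:
    """Home realm's EAP/RADIUS server: the only party that ever sees user passwords."""
    def __init__(self, users): self.users, self.pending = users, {}
    def start(self, identity):
        self.pending[identity] = secrets.token_bytes(16)
        return "Access-Challenge", self.pending[identity], {}
    def finish(self, identity, response):
        challenge = self.pending.pop(identity, None)
        password, attrs = self.users.get(identity, ("", {}))
        if not (challenge and password and
                hmac.compare_digest(prf(password, challenge, b"client"), response)):
            return "Access-Reject", b"", {}
        # The accept carries a proof for the client (mutual auth) plus SAML-style attributes.
        return "Access-Accept", prf(password, challenge, b"server"), dict(attrs)

# Constructed federation: realm -> home server, routed on the realm as eduroam does.
FEDERATION = {
    "example.ac.uk": HomeRadius({"alice": ("correct horse", {"affiliation": "staff"})}),
    "other.ac.uk": HomeRadius({"bob": ("battery staple", {"affiliation": "student"})}),
}

def federation_route(nai, step, *args):
    """National RADIUS proxy: forwards the request to the realm part of user@realm."""
    identity, _, realm = nai.partition("@")
    if realm not in FEDERATION:
        return "Access-Reject", b"", {}
    return getattr(FEDERATION[realm], step)(identity, *args)   # step is "start" or "finish"
class Client:
    """User side: holds the credential and checks the home server's proof."""
    def __init__(self, nai, password): self.nai, self.password, self.challenge = nai, password, b""
    def respond(self, challenge):
        self.challenge = challenge
        return prf(self.password, challenge, b"client")
    def accepts_server(self, proof):
        return hmac.compare_digest(prf(self.password, self.challenge, b"server"), proof)
def ssh_login(client, required_affiliation="staff"):
    """Relying party (SSH server): relays opaque EAP messages, never sees the password, and authorises only on the returned attributes."""
    code, challenge, _ = federation_route(client.nai, "start")
    if code != "Access-Challenge":
        return "denied: unknown realm"
    code, proof, attrs = federation_route(client.nai, "finish", client.respond(challenge))
    if code != "Access-Accept" or not client.accepts_server(proof):
        return "denied: authentication failed"
    if attrs.get("affiliation") != required_affiliation:
        return "denied: policy requires affiliation=" + required_affiliation
    return "session for " + client.nai
```

The relying party's decision depends only on the realm routing outcome and the attributes returned with the accept; a wrong password, an unknown user in a known realm and an unknown realm each fail at a different step.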
Deployment requirements
• Most HE organisations are nearly Moonshot-ready today
  • RADIUS authentication server at user organisation
    • Any RADIUS product should support pre-production testing today
    • Option to integrate RADIUS server with Shibboleth IdP
  • Logical connection to national RADIUS infrastructure
    • Already implemented in most cases (shared with eduroam)
• Moonshot client and server plug-in
  • Linux: packaging available for Debian & RHEL; Scientific Linux soon
  • Windows: native support using prototype plugin
  • Mac: packaging almost complete for Snow Leopard and Lion
Application integration
• Most modern applications use at least one of the security APIs supported by Moonshot
• Correctly written applications will ‘just work’ without modification or recompilation
• Less correctly written applications may require minor source modifications
Examples of other tested scenarios
• OpenSSH client → OpenSSH server (GSS)
• OpenLDAP client → OpenLDAP server (GSS)
• OpenLDAP client (GSS) → Windows Active Directory (SSPI)
• Firefox → Apache (GSS)
• Internet Explorer → IIS (SSPI)
• MyProxy client → MyProxy server (SASL)
• Adium → Jabberd (SASL)
• Console authentication using PAM on Linux (GSS) and SSPI on Windows
Project Moonshot: Technology pilot
Janet Moonshot Technology Pilot Goals
• To test the suitability of the Moonshot technology for deployment, focusing on e-Research use cases
• To identify what further work is needed to support the wider community’s use of the technology
• To plan, implement or support this additional work
Current status
• Pilot operating using Janet’s eduroam infrastructure
• Software ready for pre-production testing
• Production-quality environment due Q1 2012
• IETF standardisation approaching completion
• On-going discussions with OS and application vendors
Conclusions
• Next generation federation technology that meets the needs of advanced use cases
• Builds on widely deployed infrastructure (RADIUS & SAML) and operating system extensibility
• Cross-platform implementation ready for pre-production testing
• Correctly written applications ‘just work’
• Architecture being standardised within IETF
• Janet will review progress of Technology Pilot in 2012 Q2, and consider a formal offering to its customers in the future
Project Moonshot: Q & A