Last updated: 
1 month 15 hours ago
Group Manager
Project Moonshot is a Janet-led initiative, in partnership with the GÉANT project and others, to develop a single unifying technology for extending the benefits of federated identity to a broad range of non-Web services, including Cloud infrastructures, High Performance Computing & Grid infrastructures and other commonly deployed services including mail, file store, remote access and instant messaging. The goal of the technology is to enable the management of access to a broad range of services and applications, using a single technology and infrastructure. This is expected to significantly improve the delivery of these services by providing users with a common single sign-on, for both internal and external services. Service providers will be able to more easily offer their services to users from other organisations using a single common authentication mechanism. This will enhance the user’s experience, and reduce costs for those organisations supporting users, and delivering services to them. This group is for community of Moonshot users, whether you're new to the technology, you're currently evaluating and getting to grips with it, or you've deployed it. For the list of guidance available about Moonshot within this group, see the Start Here wiki page. Jisc Assent, the production service underpinned by the Moonshot technology, went live on 25th March 2015. For information on, or to join the Jisc Assent service, please visit http://www.jisc.ac.uk/assent

Error message

  • Notice: Undefined index: ja.netprod-jisc-memcache_storage_bin_indexes in MemcacheStorageAPI::getMultiple() (line 236 of /var/www/html/sites/all/modules/contrib/memcache_storage/memcache_storage.api.inc).
  • Notice: Undefined index: ja.netprod-jisc-cache_bootstrap_1-variables in MemcacheStorageAPI::getMultiple() (line 236 of /var/www/html/sites/all/modules/contrib/memcache_storage/memcache_storage.api.inc).

FAQ

6 September 2013 at 5:06pm

What is Project Moonshot?

What is Moonshot technology?

What does Moonshot mean for me?

Who is participating in Moonshot?

How can I get involved with Moonshot?

Why is Janet doing Moonshot when there is SAML EC?

Where does the name come from?

What do we need to do to deploy this?

How much is this going to cost to deploy?

What has Moonshot been tested on?

What are the use cases for Moonshot?

What is eduroam?

What is Project Moonshot?

Janet’s customers already enjoy the benefits of federated access management to access web-based services through the UK Access Management Federation, and to networks across the world through eduroam. Both cases make use of simplified single sign-on using credentials issued by users’ home organisations. Project Moonshot brings these benefits to many other types of applications.

Specific cases include the use of federated authentication to obtain access to out-sourcing and cloud providers who are increasingly providing services (such as storage, compute, email, calendaring and instant messaging) to the Janet community; the High Performance Computing community who are interested in taking advantage of existing identity and access management infrastructure to improve business continuity and widen access to their facilities; and the Grid Computing community who are interested in enhancing the usability of their services.

Moonshot also provides a novel approach to establishing trust between network hosts and services, which may significantly improve the flexibility, robustness and scalability of federated services, such as eduroam.

In combination these capabilities are expected to enable new opportunities, business models and cost efficiencies.

What is Moonshot technology?

Moonshot is a unifying architecture for federated authentication - a comprehensive solution for Internet trust and identity that will secure access to any service or application.

Moonshot builds on the eduroam technologies:

  • EAP (RFC 3748): strong mutual authentication
  • RADIUS (RFC 2865): federation between domains

To this, Moonshot adds:

  • SAML, for rich authorisation semantics
  • Application integration, using operating system security APIs
    • SSPI: Windows
    • GSS-API (RFC 2078): Other operating systems
    • SASL (RFC 4422): Windows and other operating systems

This architecture is being standardised within the IETF Application Bridging for Federated Access Beyond web (ABFAB) working group (http://tools.ietf.org/wg/abfab).

What does Moonshot mean for me?

Moonshot will enable new opportunities, business models and cost efficiencies. It will deliver a comprehensive, coherent and consistent infrastructure for Trust & Identity for the entire education & research community that will have many benefits for users, institutions and service providers.

  • Users: Users will benefit from the ability to sign-on using one or more identities to all applications and services that support the technology: desktop, network, web and cloud. Using an “identity selector”, users will be able to easily control and assert their identities to these services, without the usability challenges (such as “identity provider discovery” and “multiple affiliations” problems) associated with contemporary technologies.
  • Institutions: Moonshot will enable users to easily access a broad range of services using a single mechanism, irrespective of who is delivering them: the user’s institution; a cloud provider; collaborator; a business partner; etc. This will increase the usability of these services and reduce the effort required to support different authentication technologies and credentials for different services. Moonshot builds on prior investments made in federated access management and by expanding its use to a greater range of applications yields a greater return on this investment.
  • Service Providers: Moonshot enables new types of services to enjoy the benefits of SAML-based federated access management. These include lower helpdesk costs and easier compliance with data protection legislation. It addresses or mitigates the usability challenges associated with contemporary technologies (such as “identity provider discovery” and “multiple affiliations” problems) by providing a user-friendly and manageable system for selecting an identity.

Who is participating in Moonshot?

Project Moonshot is led by Janet in collaboration with NORDUNET, RESTENA, CESNET and REDIRIS through collaboration in GÉANT.

The Moonshot project team has engaged with a number of audiences, such as the wider European and global Research and Education networking communities and commercial vendors and open source communities that are interested in using the technologies within their products and services.

The Moonshot project team is working with collaborators across the world within the Internet Engineering Task Force to standardise the technology. The standardisation process is making good progress and the core specifications are approaching completion in the IETF ABFAB Working Group (see below).

Janet is also leading a Moonshot subtask within the GÉANT GN3plus project. More information can be found at https://community.ja.net/groups/moonshot/article/moonshot-g%C3%A9ant-gn3plus

How can I get involved with Moonshot?

There are many ways to participate in Project Moonshot:

  • The moonshot-community mailing list is a developer-focused mailing list for those developing and using the Moonshot implementation.
  • The IETF's ABFAB working group is standardising the technology. Anyone may participate in this working group by joining its mailing list.
  • There is a Moonshot jabber chat room at moonshot@groupchat.nordu.net where developers discuss ongoing work.
  • Come to a meeting where Moonshot is being discussed.

To test Moonshot in a pre-production environment, instructions are available on the Moonshot Wiki.

Janet launched an 18 month Moonshot Service Pilot on 2 April 2013. To find out more, please visit https://www.ja.net/products-services/janet-futures/moonshot?qt-project_page_quicktab=2#qt-project_page_quicktab where you will find a document outlining the requirements. Registration for the initial tranche of pilot sites has now closed, but if you are interested in participating in a subsequent tranche please let us know. 

Why is Janet doing Moonshot when there is SAML EC?

SAML EC is an alternative approach to non-web single sign-on that, being based on SAML and GSS-API, shares a similar technical approach to Moonshot. However, it does not address Janet’s customer requirements as comprehensively as Moonshot; for example, it does not provide a network access authentication mechanism. It also lacks an easily extensible authentication framework - an issue that may impede the use of future authentication innovations (such as biometrics).

Where does the name come from?

The name ‘Moonshot’ came about from a discussion on the REFEDS mailing list in October 2009 in which Scott Cantor said:

“[I]f you go for a complete client stack revamp [...] then I would shoot for the moon.”

What do we need to do to deploy this?

If you already participate in eduroam and the UK federation then you may already have a RADIUS and SAML Identity Provider needed by Moonshot. Some configuration work will be required to connect these systems together. The Moonshot plug-in and Identity Selector will need to be installed on your users’ devices.

A  plug-in and Identity Selector appropriate for pre-production testing is now available for Windows, Linux and the Mac. 

You can download the latest Moonshot code by following the links at https://community.ja.net/groups/moonshot/article/moonshot-dvd-image-and-code-update 

How much is this going to cost to deploy?

For an organisation that already has a RADIUS server and Shibboleth Identity Provider, the costs will be largely a function of the configuration work needed to connect these; installation of the Moonshot plug-in and Identity Selector on users’ devices; and training and documentation.

What has Moonshot been tested on?

Tested examples include:

  • Outlook 2010 against Exchange 2010
  • Internet Explorer 7 against Apache & Microsoft IIS
  • Windows desktop authentication
  • Linux console authentication using PAM
  • OpenSSH client & PuTTY against OpenSSH server
  • OpenLDAP client against OpenLDAP server & Active Directory
  • Firefox against Apache
  • MyProxy client against MyProxy server
  • Adium against Jabberd

What are the use cases for Moonshot?

The primary motivating use cases for Moonshot are summarised below.

Use-case 1: Out-sourcing & “Cloud”

Organisations increasingly want to reduce costs by out-sourcing commodity services to third party service providers and use their own managed identities to provide single sign-on and enable conformance to data protection legislation.

SAML provides this for web-based services, but not other types of non-web services (IMAP, POP3, SMTP, CalDAV, etc) and although identity provisioning APIs exist, they’re typically not appropriate.

Use-case 2: High Performance Computing

Moonshot can

  • Improve Business Continuity by federating access to HPC facilities.
  • Allow for HPC-as-a-service to be offered to external customers.
  • Reduce costs incurred in operating HPC-specific authentication services.
  • Provide a better user experience.

Use-case 3: Grid infrastructure

Some users find certificates difficult to manage.

Moonshot can enable:

  • Federated access to Grid resources.
  • Authentication using certificate or non-certificate credentials.
  • Authorisation using attributes (e.g. for virtual organisations).

Four case studies illustrating some of these use cases can be found at https://community.ja.net/groups/moonshot/article/case-studies.

What is eduroam?

eduroam is a secure, world-wide roaming access service developed for the international research and education community. eduroam enables Janet-connected organisations to offer high quality secure network services for visitors without the need for guest account management. Visitors use their home organisation username and password to gain access to the Internet and home organisation remote access services, such as VPN, webmail etc. When a user tries to log on to the network of a visited eduroam-enabled institution, the user's authentication request is sent to the user's home institution via a hierarchical system of RADIUS servers. The user's home institution verifies the user's credentials and via the RADIUS servers, sends the result of the verification to the visited institution.

eduroam(UK) offers the Janet community some additional features over the international version of eduroam: find out more at the eduroam(UK) page: http://www.ja.net/eduroam