Description and Value Proposition

The Moonshot pilot aims to enhance the eduGAIN web SSO and eduroam network SSO services with support for non-web AAI functionality. It has the additional benefit of enabling multiple SSO infrastructures to converge. The pilot brings together early adopters of this emerging technology and determines the factors necessary for transition to service.

Moonshot builds on deployed, proven technology:

  • Strong authentication used by eduroam (EAP/RADIUS)
  • Strong authorisation used by NREN federations and eduGAIN (SAML)
  • Strong service/application integration used by many major applications (operating system security APIs, in particular the GSS-API)

Standardisation of this technology is being undertaken within the Internet Engineering Task Force (IETF) – ABFAB WG to ensure that take up and adoption is possible across as broad a market as possible. Moonshot has been developed by JISC as an open source implementation of this, which is fully in line with current EC recommendations.

Phase 1: Initial infrastructure – This phase will encourage/facilitate participant NRENs in implementing a Trust Router architecture or enhancing existing eduroam architecture including the scaling up of international eduroam infrastructure.
Phase 2: Policies and wider roll out - This phase will develop the required Moonshot policies and technical peering requirements to facilitate non-web SSO interfederation. It will also include the development of advice and guidance for NRENs in what is required to implement an NREN-wide Moonshot infrastructure. This work will build on the existing eduGAIN policies.
Phase 3: Use Case implementation – This phase will facilitate the Moonshooting of specific community required services and applications. For example, Moonshooting distributed file systems to support the GRID community.

Offering

A GÉANT Moonshot interfederation service will enable education and research users across the world to log in to non-web applications and services using their institutional credentials. This simplifies authentication for users and removes the need for each service to issue and manage a separate set of login credentials, which in turn improves security: fewer passwords to store, reuse or lose.
Moonshot solves use cases that have no current deployable federated solution; that have a user experience that can be significantly improved upon; or that have existing deployment models whose cost and effort can be reduced. Examples include:
  • Convergence of network and application SSO infrastructures
  • Easy integration with applications such as file transfer, SSH, OpenStack and remote desktop
Moonshot capabilities deployed at national level provide the underlying infrastructure. Policy and interfederation aspects are aligned with eduGAIN for a consistent user experience.


Reason to Act

  • Using Moonshot, NRENs are able to lower the barriers to collaboration within their communities; reduce the cost and time to create new services; drive down operational costs for the NREN and their members/customers.
  • Joining a GÉANT Moonshot interfederation service means common policies and governance aligned with eduGAIN, which will reduce the time, effort and cost of dealing with multiple federations on a bilateral basis.
  • Feedback from the international community suggests a GÉANT Moonshot interfederation service would be of value to organisations wishing to obtain secure access to out-sourcing and cloud providers who are increasingly providing services (such as storage, compute, email, calendaring and instant messaging) to the education and research community; the Grid Computing community who are interested in enhancing the usability of their services; and even to the school sector who are interested in federating desktops to enable peripatetic and supply teachers to log on to local networks with federated credentials.


Customer Experience

NRENs are potential deployers of the Moonshot infrastructure.
NREN community users are customers of applications and services that use Moonshot for authentication.
A typical example of the latter is “researchers who want quick and secure access to their data and systems”.

Examples of community users from Janet include HPC consortia, Diamond Light Source and international research groups, many of whom have been expressing interest in Moonshot technology and a desire for a Moonshot service for the past few years. Similar interest has been seen from fellow NRENs.

Moonshot technology has previously been explored by a number of countries, with colleagues from CESNET, RedIRIS, RESTENA and CARNet engaged in the development process and also interest from Internet2 and CANARIE.
NORDUnet (CSC), RENATER, CARNet, SWITCH, NIIFI, CESNET, RedIRIS and Janet all have use cases that they wish to pilot within GN3+ with a view to developing a GÉANT Moonshot interfederation service.


Benefits

Moonshot provides a common interface (the GSS-API) to allow users to federate anything and everything.
Security is designed in from the beginning:
  • RadSec: secure AAA transport (RADIUS over TLS), replacing cleartext RADIUS over UDP between peers
  • EAP: protection for credentials; with tunnelled EAP methods the user's password travels inside a tunnel terminated at the home IdP and is never seen by the service or the intermediate proxies
  • Ability to convey complex information for authorisation decisions
  • SAML: rich identity information
Infrastructure is based on tried and tested technologies proven to scale and already used to deliver NREN production eduroam and identity federations.
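
To make the "secure AAA transport" point concrete, the following FreeRADIUS 3.x fragment shows a plain UDP RADIUS listener next to a RadSec (RADIUS over TLS, RFC 6614) listener with mandatory client certificates, plus an upstream realm forwarded over RadSec. It is an added illustration written for this page, not configuration from the Moonshot project or this pilot; the peer addresses, hostnames, certificate paths and client names are placeholders, and the Trust Router peering that a Moonshot deployment layers on top of the RADIUS proxy is not shown.

```conf
# Added example, not project configuration. FreeRADIUS 3.x syntax;
# addresses, hostnames and file paths are placeholders (assumptions).

# WEAK: classic RADIUS over UDP. The transport is unencrypted and the
# only protection between peers is the shared secret used in RADIUS's
# MD5-based authenticator; anything outside an EAP tunnel is visible.
listen {
    type   = auth
    ipaddr = *
    port   = 1812
}
client legacy-peer {
    ipaddr = 192.0.2.10
    secret = testing123          # the FreeRADIUS default; never deploy this
}

# PREFERRED: RadSec listener. Peers must present a certificate chaining
# to the federation CA, so peering is mutually authenticated and the
# whole RADIUS exchange (including SAML assertions) is encrypted.
listen {
    type   = auth
    ipaddr = *
    port   = 2083
    proto  = tcp
    tls {
        private_key_file    = ${certdir}/proxy.key
        certificate_file    = ${certdir}/proxy.pem
        ca_file             = ${cadir}/federation-ca.pem
        require_client_cert = yes   # reject peers without a valid client cert
    }
}
client radsec-peer {
    ipaddr = 198.51.100.20
    proto  = tls
    secret = radsec              # fixed value for RadSec per RFC 6614
}

# Forward a realm upstream over RadSec rather than UDP, so the hop
# towards the national infrastructure gets the same protection.
home_server upstream-radsec {
    type         = auth
    ipaddr       = radsec.example.org
    port         = 2083
    proto        = tcp
    secret       = radsec
    status_check = none
    tls {
        private_key_file = ${certdir}/proxy.key
        certificate_file = ${certdir}/proxy.pem
        ca_file          = ${cadir}/federation-ca.pem
    }
}
```

When checking a campus deployment against this, the two things to verify are that no UDP listener remains reachable from outside the campus and that `require_client_cert` is set on the RadSec listener; a RadSec listener that accepts anonymous TLS clients still encrypts traffic but no longer authenticates who is peering with you.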

Providing an international service simplifies non-web access management for global research groups that span multiple countries.


Costs

Costs to NRENs are mainly in staff resources to implement the technical infrastructure, plus VMs for hosting the infrastructure:
  • Typical estimate: 1 MM (staff-month) to understand and set up a Trust Router, plus 1 VM
  • Skills in RADIUS and SAML are an advantage, and are required during the pilot stage

Costs to users are in the integration work for connecting their applications and are highly dependent on existing skill sets and the complexity of the target application.
Costs can vary from 0.5 days to install the libraries on an Exchange Server and test, to 1 MM+ to implement on an HPC cluster.

Costs to institutions are to implement some technical infrastructure:
  • Moonshot currently requires a FreeRADIUS server.
  • Target of 1 MM to set up and configure the campus IdP and RADIUS proxy.
  • Institutions that do not yet run FreeRADIUS and may lack Linux expertise may require longer to implement.


Alternatives

The EC-funded AAA Study, led by TERENA and comprising the University of Amsterdam, LIBER and the University of Debrecen, provides recommendations for the development and deployment of a Scientific Data e-Infrastructure (SDI) to enable access to heterogeneous data for researchers and citizens. Of the current and emerging services reviewed, no other solution has been identified that solves the use cases and meets the customer requirements of Moonshot.

National SAML federations provide a similar service, but these are restricted to web authentication only. Moonshot technology is a candidate to enhance or provide an additional option rather than an alternative.

The CILogon Service (https://cilogon.org) allows users to authenticate with their home organisation and obtain a certificate for secure access to cyberinfrastructure. The technology translates a SAML token into an X.509 certificate to bridge from a web browser to command-line and other non-web applications, but is not as well developed or as functional as Moonshot. The CILogon Service has support for the SAML Enhanced Client or Proxy (ECP) profile for non-browser access. ECP is a SAML 2.0 profile that allows SAML authentication and attribute exchange outside the context of a web browser. Although SAML ECP shares a similar technical approach to Moonshot, it does not address customer requirements as comprehensively as Moonshot does. For example, it does not provide a network access authentication mechanism. It also lacks an easily extensible authentication framework, an issue that may impede the use of future authentication innovations (such as biometrics). There are no known plans for an interfederation SAML ECP service and no consistent deployment footprint.


Advantages

Unlike SAML ECP, where the client application typically handles the user's password itself and presents it to the IdP, Moonshot carries the credential inside an EAP tunnel terminated at the home IdP, so neither the service nor the proxies in between see it.
Moonshot uses technology standards that have been proven to be highly scalable.
Moonshot technology is an implementation of the ABFAB IETF standard.


Engagement
The idea of Moonshot has been socialised for more than three years and the technology has been tested and trialled by a number of institutions in multiple countries.

As the technology and service wrap develops, peer review will help it develop even further.

Development of the GÉANT pilot deployments is explicitly coupled with concrete use cases.

The technologies in Moonshot have been actively developed within the IETF.

Moonshot End of Life Statement

Following a recent service evaluation and a GÉANT member survey, GÉANT decided not to develop the Moonshot technology forward into a full, inter-federated production service offering as originally planned. The most recent Moonshot pilots to evaluate the technology in previous projects were successful, proving the software works as intended and enables federated access to non-web applications. However, despite this major benefit a subsequent post-pilot survey revealed low levels of intent for near-term uptake of Moonshot by federations.

A refocusing of Moonshot technology use in GÉANT was planned as follows:

  • Repurpose old pilot infrastructure to function as a demo system for communities and integrate with Jisc Assent upstream.
  • Work with Umbrella (Synchrotron community) and other interested parties to determine what would be needed for a community-specific service, and enhance the demo setup accordingly.
  • Consider integrating Moonshot as a supported eduTEAMS service environment for advanced eduTEAMS on a per-community basis.
