FAQ

What is Project Moonshot?
What is Moonshot technology?
What does Moonshot mean for me?
Who is participating in Moonshot?
How can I get involved with Moonshot?
Are JISC and Janet pursuing different Federated Access Management strategies?
Is Janet investing in Moonshot rather than Shibboleth?
Why is Janet doing Moonshot when there is SAML EC?
Where does the name come from?
What do we need to do to deploy this?
How much is this going to cost to deploy?
What has Moonshot been tested on?
What are the use cases for Moonshot?
What is eduroam?


What is Project Moonshot?

Janet’s customers already enjoy the benefits of federated access management to access web-based services through the UK Access Management Federation, and to networks across the world through eduroam. Both cases make use of simplified single sign-on using credentials issued by users’ home organisations. Project Moonshot brings these benefits to many other types of applications.

Specific cases include the use of federated authentication to obtain access to out-sourcing and cloud providers who are increasingly providing services (such as storage, compute, email, calendaring and instant messaging) to the Janet community; the High Performance Computing community who are interested in taking advantage of existing identity and access management infrastructure to improve business continuity and widen access to their facilities; and the Grid Computing community who are interested in enhancing the usability of their services.

Moonshot also provides a novel approach to establishing trust between network hosts and services, which may significantly improve the flexibility, robustness and scalability of federated services, such as eduroam.

In combination these capabilities are expected to enable new opportunities, business models and cost efficiencies.


What is Moonshot technology?

Moonshot is a unifying architecture for federated authentication - a comprehensive solution for Internet trust and identity that will secure access to any service or application.

Moonshot builds on the eduroam technologies:

  • EAP (RFC 3748): strong mutual authentication
  • RADIUS (RFC 2865): federation between domains

To this, Moonshot adds:

  • SAML, for rich authorisation semantics
  • Application integration, using operating system security APIs
    • SSPI: Windows
    • GSS-API (RFC 2078): Other operating systems
    • SASL (RFC 4422): Windows and other operating systems

This architecture is being standardised within the IETF Application Bridging for Federated Access Beyond web (Abfab) working group (http://tools.ietf.org/wg/abfab).
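The two eduroam building blocks listed above fit together at the packet level: the EAP exchange (RFC 3748) is carried inside RADIUS (RFC 2865) as EAP-Message attributes, and RFC 3579 requires every Access-Request that carries EAP-Message to also carry a Message-Authenticator, an HMAC-MD5 over the packet keyed with the shared secret, so that a proxy cannot silently alter or inject attributes. The following Python is an added illustration written for this FAQ, not code from Project Moonshot or any RADIUS implementation; the shared secret, Request Authenticator and identity are constructed placeholder values. It builds an Access-Request wrapping an EAP-Response/Identity and shows the server-side check that rejects tampered packets and packets whose Message-Authenticator has been stripped.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute types (RFC 2865, RFC 3579)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

# EAP header values (RFC 3748)
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

MAX_ATTR_VALUE = 253  # attribute Length is one byte and includes the 2-byte header


def build_eap_identity_response(identifier, identity):
    """EAP-Response/Identity: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    data = identity.encode("utf-8")
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(data), EAP_TYPE_IDENTITY) + data


def attribute(attr_type, value):
    """One RADIUS attribute-value pair: Type(1) Length(1) Value."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, request_authenticator, user_name, eap_packet, secret):
    """Access-Request carrying an EAP packet. RFC 3579 s3.2: Message-Authenticator is mandatory
    with EAP-Message; it is HMAC-MD5(secret, whole packet) with its own value set to zeros."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = attribute(ATTR_USER_NAME, user_name.encode("utf-8"))
    # EAP packets longer than 253 bytes are split across several EAP-Message attributes
    for i in range(0, len(eap_packet), MAX_ATTR_VALUE):
        attrs += attribute(ATTR_EAP_MESSAGE, eap_packet[i:i + MAX_ATTR_VALUE])
    attrs += attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zero placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + request_authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the placeholder is the last 16 bytes of the packet


def parse_attributes(packet):
    """Yield (type, value_offset, value) for each attribute; reject malformed lengths."""
    length = struct.unpack("!H", packet[2:4])[0]
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        yield attr_type, pos + 2, packet[pos + 2:pos + attr_len]
        pos += attr_len


def verify_message_authenticator(packet, secret):
    """Server-side check: recompute the HMAC with the Message-Authenticator value zeroed.
    Packets without exactly one 16-byte Message-Authenticator, or with a bad one, fail."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        attrs = list(parse_attributes(packet))
    except ValueError:
        return False
    offsets = [off for t, off, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR and len(v) == 16]
    if len(offsets) != 1:
        return False
    off = offsets[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[off:off + 16])


def extract_eap_message(packet):
    """Reassemble the EAP packet from one or more EAP-Message attributes."""
    return b"".join(v for t, _, v in parse_attributes(packet) if t == ATTR_EAP_MESSAGE)


def demo():
    """Constructed values: the secret, authenticator and identity are illustrative only."""
    secret = b"constructed-shared-secret"
    authenticator = bytes(range(16))  # a real client uses 16 fresh random bytes per request
    eap = build_eap_identity_response(1, "alice@home.example.ac.uk")
    packet = build_access_request(7, authenticator, "alice@home.example.ac.uk", eap, secret)

    tampered = bytearray(packet)
    tampered[22] ^= 0x01  # flip one bit in the User-Name value (20-byte header + 2-byte AVP header)

    stripped = bytearray(packet[:-18])  # drop the 18-byte Message-Authenticator attribute
    stripped[2:4] = struct.pack("!H", len(stripped))

    return {
        "valid": verify_message_authenticator(packet, secret),
        "tampered": verify_message_authenticator(bytes(tampered), secret),
        "stripped": verify_message_authenticator(bytes(stripped), secret),
        "wrong_secret": verify_message_authenticator(packet, b"other-secret"),
        "eap_roundtrip": extract_eap_message(packet) == eap,
        "packet_length": len(packet),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports that only the untouched packet verifies; the bit-flipped, stripped and wrong-secret variants all fail, which is exactly the property a RADIUS server relies on when it drops EAP traffic that lacks a valid Message-Authenticator.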


What does Moonshot mean for me?

Moonshot will enable new opportunities, business models and cost efficiencies. It will deliver a comprehensive, coherent and consistent infrastructure for Trust & Identity for the entire education & research community that will have many benefits for users, institutions and service providers.

  • Users: Users will benefit from the ability to sign-on using one or more identities to all applications and services that support the technology: desktop, network, web and cloud. Using an “identity selector”, users will be able to easily control and assert their identities to these services, without the usability challenges (such as “identity provider discovery” and “multiple affiliations” problems) associated with contemporary technologies.
  • Institutions: Moonshot will enable users to easily access a broad range of services using a single mechanism, irrespective of who is delivering them: the user’s institution; a cloud provider; collaborator; a business partner; etc. This will increase the usability of these services and reduce the effort required to support different authentication technologies and credentials for different services. Moonshot builds on prior investments made in federated access management and by expanding its use to a greater range of applications yields a greater return on this investment.
  • Service Providers: Moonshot enables new types of services to enjoy the benefits of SAML-based federated access management. These include lower helpdesk costs and easier compliance with data protection legislation. It addresses or mitigates the usability challenges associated with contemporary technologies (such as “identity provider discovery” and “multiple affiliations” problems) by providing a user-friendly and manageable system for selecting an identity.


Who is participating in Moonshot?

Project Moonshot is led by Janet in collaboration with NORDUNET, RESTENA, CESNET and REDIRIS through collaboration in GÉANT.

The Moonshot project team has engaged with a number of audiences, such as the wider European and global Research and Education networking communities and commercial vendors and open source communities that are interested in using the technologies within their products and services.

The Moonshot project team is working with collaborators across the world within the Internet Engineering Task Force to standardise the technology. The standardisation process is making good progress and the core specifications are scheduled to be completed during 2012.


How can I get involved with Moonshot?

There are many ways to participate in Project Moonshot:

  • The moonshot-community mailing list is a developer-focused mailing list for those developing and using the Moonshot implementation.
  • The IETF's ABFAB working group is standardising the technology. Anyone may participate in this working group by joining its mailing list.
  • There is a Moonshot jabber chat room at moonshot@groupchat.nordu.net where developers discuss ongoing work.
  • Come to a meeting where Moonshot is being discussed.

To test Moonshot in a pre-production environment, instructions are available on the Moonshot Wiki.


Are JISC and Janet pursuing different Federated Access Management strategies?

No, JISC and Janet are not pursuing different strategies; Moonshot and contemporary web-focused federations are complementary rather than competitive because Moonshot is addressing the non-web single sign-on use cases.

The Moonshot technology builds on investments made in eduroam and Shibboleth. Moonshot exploits the synergies created by converging these approaches.


Is Janet investing in Moonshot rather than Shibboleth?

Janet is not investing in Moonshot instead of Shibboleth; rather, it is investing in a new technology that coexists and builds on Shibboleth. Janet is ensuring that Moonshot will connect to existing Shibboleth infrastructure to ease campus deployment and administrative workload.

Additionally, as a network services company, Janet is committed to the development and deployment of effective middleware services to its users that are linked to the use and exploitation of the network.


Why is Janet doing Moonshot when there is SAML EC?

SAML EC is an alternative approach to non-web single sign-on that, being based on SAML and GSS-API, shares a similar technical approach to Moonshot. However, it does not address Janet’s customer requirements as comprehensively as Moonshot; for example, it does not provide a network access authentication mechanism. It also lacks an easily extensible authentication framework - an issue that may impede the use of future authentication innovations (such as biometrics).


Where does the name come from?

The name ‘Moonshot’ came about from a discussion on the REFEDS mailing list in October 2009 in which Scott Cantor said:

“[I]f you go for a complete client stack revamp [...] then I would shoot for the moon.”


What do we need to do to deploy this?

The Moonshot software is not yet recommended for production use; however, it is suitable for pre-production testing. The software is expected to be ready for production use in Q1 2012.

If you already participate in eduroam and the UK federation then you may already have the RADIUS server and Shibboleth Identity Provider that Moonshot needs. Some configuration work will be required to connect these systems together. The Moonshot plug-in and Identity Selector will need to be installed on your users’ devices.

An experimental plug-in and Identity Selector appropriate for pre-production testing is now available for Windows, Linux and the Mac. The software is expected to be ready for production use in Q1 2012.


How much is this going to cost to deploy?

Cost estimates will be available following the Janet Moonshot Technical Pilot that is due to complete in Q2 2012. For an organisation that already has a RADIUS server and Shibboleth Identity Provider, the costs will be largely a function of the configuration work needed to connect these; installation of the Moonshot plug-in and Identity Selector on users’ devices; and training and documentation.


What has Moonshot been tested on?

Tested examples include:

  • Outlook 2010 against Exchange 2010
  • Internet Explorer 7 against Apache & Microsoft IIS
  • Windows desktop authentication
  • Linux console authentication using PAM
  • OpenSSH client & PuTTY against OpenSSH server
  • OpenLDAP client against OpenLDAP server & Active Directory
  • Firefox against Apache
  • MyProxy client against MyProxy server
  • Adium against Jabberd


What are the use cases for Moonshot?

The primary motivating use cases for Moonshot are summarised below.

Use-case 1: Out-sourcing & “Cloud”

Organisations increasingly want to reduce costs by out-sourcing commodity services to third party service providers and use their own managed identities to provide single sign-on and enable conformance to data protection legislation.

SAML provides this for web-based services, but not for non-web services (IMAP, POP3, SMTP, CalDAV, etc.), and although identity provisioning APIs exist, they are typically not appropriate.

Use-case 2: High Performance Computing

Moonshot can:

  • Improve Business Continuity by federating access to HPC facilities.
  • Allow for HPC-as-a-service to be offered to external customers.
  • Reduce costs incurred in operating HPC-specific authentication services.
  • Provide a better user experience.

Use-case 3: Grid infrastructure

Some users find certificates difficult to manage.

Moonshot can enable:

  • Federated access to Grid resources.
  • Authentication using certificate or non-certificate credentials.
  • Authorisation using attributes (e.g. for virtual organisations).


What is eduroam?

eduroam is a secure, world-wide roaming access service developed for the international research and education community. eduroam enables Janet-connected organisations to offer high quality secure network services for visitors without the need for guest account management. Visitors use their home organisation username and password to gain access to the Internet and home organisation remote access services, such as VPN, webmail etc.

When a user tries to log on to the network of a visited eduroam-enabled institution, the user's authentication request is sent to the user's home institution via a hierarchical system of RADIUS servers. The user's home institution verifies the user's credentials and via the RADIUS servers, sends the result of the verification to the visited institution.
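The hierarchical forwarding described above is driven entirely by the realm part of the outer identity (`user@realm`): the visited institution's RADIUS server forwards to its national proxy, which either routes down to the home institution or up to a top-level proxy for another country. The Python below is an added model of that routing, written for this FAQ and not taken from eduroam's real proxy configuration; the server names and realms are constructed placeholders. It also shows the checks an operator wants at each hop: rejecting identities with no usable realm, refusing to forward unknown realms that fall under a proxy's own domain (so they do not bounce between national and top-level servers), and a hop limit that stops a misconfigured loop.

```python
import re

# A realm must look like a DNS name with at least two labels, so bare words such as
# "localhost" or an empty realm are rejected before any forwarding happens.
REALM_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z0-9-]+$")
MAX_HOPS = 8  # loop guard for misconfigured forwarding between proxies


def split_realm(user_name):
    """Outer identity 'user@realm' -> (user, realm); realm is None when unusable."""
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    realm = realm.lower()
    return user, (realm if REALM_RE.match(realm) else None)


def _under(realm, suffix):
    return realm == suffix or realm.endswith("." + suffix)


class Proxy:
    """One RADIUS server in the hierarchy: institutional, national or top-level."""

    def __init__(self, name, home_realms=(), parent=None, authoritative=()):
        self.name = name
        self.home_realms = set(home_realms)       # realms this server authenticates itself
        self.parent = parent                      # default upstream for everything else
        self.authoritative = list(authoritative)  # suffixes we own; unknown realms under them stop here
        self.routes = {}                          # realm suffix -> downstream Proxy

    def add_route(self, suffix, downstream):
        self.routes[suffix] = downstream

    def next_hop(self, realm):
        """Longest matching suffix wins; a realm inside our own domain is never sent upward."""
        matches = [(s, p) for s, p in self.routes.items() if _under(realm, s)]
        if matches:
            return max(matches, key=lambda m: len(m[0]))[1]
        if any(_under(realm, s) for s in self.authoritative):
            return None
        return self.parent


def route(visited, user_name):
    """Walk from the visited site's server to the home IdP: ('ok', path) or ('reject', reason)."""
    _, realm = split_realm(user_name)
    if realm is None:
        return "reject", "missing or malformed realm"
    node, path = visited, []
    while node is not None:
        path.append(node.name)
        if len(path) > MAX_HOPS:
            return "reject", "hop limit exceeded (possible proxy loop)"
        if realm in node.home_realms:
            return "ok", path
        node = node.next_hop(realm)
    return "reject", "no route for realm " + realm


def build_demo_hierarchy():
    """Constructed topology with placeholder names; not the real eduroam infrastructure."""
    top = Proxy("top-level-proxy")
    uk = Proxy("uk-national-proxy", parent=top, authoritative=["uk"])
    nl = Proxy("nl-national-proxy", parent=top, authoritative=["nl"])
    top.add_route("uk", uk)
    top.add_route("nl", nl)
    home_uk = Proxy("home.example.ac.uk", home_realms=["home.example.ac.uk"], parent=uk)
    visited_uk = Proxy("visited.example.ac.uk", home_realms=["visited.example.ac.uk"], parent=uk)
    home_nl = Proxy("uni.example.nl", home_realms=["uni.example.nl"], parent=nl)
    uk.add_route("home.example.ac.uk", home_uk)
    uk.add_route("visited.example.ac.uk", visited_uk)
    nl.add_route("uni.example.nl", home_nl)
    return {"visited_uk": visited_uk, "home_uk": home_uk, "home_nl": home_nl}


if __name__ == "__main__":
    site = build_demo_hierarchy()["visited_uk"]
    for name in ("alice@home.example.ac.uk", "bob@uni.example.nl", "carol@nowhere.ac.uk", "dave"):
        print(name, "->", route(site, name))
```

A request from a UK visitor for a Dutch realm travels visited site, UK national proxy, top-level proxy, NL national proxy, home institution; a realm under `uk` that no UK institution claims is rejected at the national proxy rather than forwarded upward, and an identity with no realm never leaves the visited site.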

eduroam(UK) offers the Janet community some additional features over the international version of eduroam: find out more at the Janet Roaming home page.