
Moonshot for Federated Identity

Moonshot for Federated Identity. Jens Jensen, STFC; Daniel Kouřil, CESNET. EGI CF, April 2013. Background: like RADIUS, but for "higher level" services; RadSec; carrying SAML assertions; standards based (IETF): RADIUS, EAP-TTLS, GSS-API; federated: user, SP, IdP, AA.



Presentation Transcript


  1. Moonshot for Federated Identity Jens Jensen, STFC Daniel Kouřil, CESNET EGI CF, April 2013

  2. Background • Like RADIUS, but for “higher level” services • RadSec (RADIUS over TLS) • Carrying SAML assertions • Standards based (IETF) • RADIUS, EAP-TTLS, GSS-API • Federated: user, SP, IdP, AA • Targeting glueware like ssh, MyProxy • Technology project (code, not federations)
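The federation model on this slide is that the user presents a RADIUS-style identity, "user@realm", to the service provider, and the SP's RADIUS/RadSec proxy forwards the EAP exchange to the identity provider responsible for that realm. The following Python block is an added illustration of that realm-based routing decision, written for this page; it is not code from Moonshot, ABFAB or the pilot. The routing table, the local realm name and every hostname in it are constructed assumptions standing in for what a static proxy configuration or a trust router would supply.

```python
"""Realm-based routing of Network Access Identifiers (NAIs).

Added illustration, not Moonshot's or ABFAB's own code.  The user
presents an NAI such as "steve@realm" to the service provider (SP);
the SP's RADIUS/RadSec proxy inspects the realm and forwards the EAP
exchange to that realm's identity provider (IdP).  The routing table
is a constructed stand-in for what a static proxy configuration or a
trust router would supply; every hostname below is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# One DNS label: letters, digits and '-', not starting or ending with '-'.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

# Constructed routing table: realm -> RadSec home server (host:port).
ROUTES: Dict[str, str] = {
    "stfc.ac.uk": "radsec.stfc.ac.uk:2083",
    "cesnet.cz": "radsec.cesnet.cz:2083",
}

# The realm this proxy is itself the IdP for (assumption).
LOCAL_REALM = "sp.example.ac.uk"


@dataclass(frozen=True)
class Hop:
    realm: str   # realm the request is forwarded to
    peer: str    # RadSec peer, or "local" when this site is the IdP
    nai: str     # identity as it will be presented to that peer


def split_nai(nai: str) -> Tuple[str, str]:
    """Split an NAI into (username, realm), realm lower-cased.

    Raises ValueError for anything a proxy should refuse to route:
    missing or multiple '@', empty parts, or a realm that is not a
    well-formed dotted hostname.  Refusing beats guessing, because the
    realm decides where the user's credentials are sent.
    """
    if nai.count("@") != 1:
        raise ValueError(f"NAI must contain exactly one '@': {nai!r}")
    user, realm = nai.split("@")
    if not user or not realm:
        raise ValueError(f"NAI needs both user and realm: {nai!r}")
    if not all(_LABEL.match(label) for label in realm.split(".")):
        raise ValueError(f"malformed realm: {realm!r}")
    return user, realm.lower()


def next_hop(nai: str, routes: Dict[str, str] = ROUTES,
             local_realm: str = LOCAL_REALM) -> Hop:
    """Decide where a proxy forwards the request for this NAI.

    * Foreign realm: look it up in the table and forward unchanged.
    * Our own realm: authenticate locally, unless the user part is a
      decorated NAI ("home.realm!user@our.realm", RFC 7542 section 2.7),
      in which case our decoration is stripped and "user@home.realm"
      is routed as a new request.
    Unknown realms raise LookupError: credentials never go to a peer
    the client named but the federation did not configure.
    """
    user, realm = split_nai(nai)
    if realm == local_realm.lower():
        if "!" in user:
            home, inner = user.split("!", 1)
            return next_hop(f"{inner}@{home}", routes, local_realm)
        return Hop(realm, "local", f"{user}@{realm}")
    if realm not in routes:
        raise LookupError(f"no federation route for realm {realm!r}")
    return Hop(realm, routes[realm], f"{user}@{realm}")


def decide(nai: str) -> str:
    """Summarise the routing decision as one string (for logs and tests)."""
    try:
        hop = next_hop(nai)
    except ValueError as exc:
        return f"reject malformed: {exc}"
    except LookupError as exc:
        return f"reject unknown realm: {exc}"
    return f"{hop.nai} -> {hop.peer}"


def local_account(nai: str, trusted_realms: Iterable[str]) -> Optional[str]:
    """Map an authenticated NAI to a local account name, or None.

    Only realms the site trusts get an account, and the realm is kept
    in the name: stripping it would let steve@stfc.ac.uk and
    steve@cesnet.cz collide on one local account.
    """
    user, realm = split_nai(nai)
    if realm not in {r.lower() for r in trusted_realms}:
        return None
    return f"{user}@{realm}"


if __name__ == "__main__":
    # Constructed sample identities, including malformed and unknown ones.
    for sample in ("steve@stfc.ac.uk", "steve@SP.example.ac.uk",
                   "cesnet.cz!steve@sp.example.ac.uk",
                   "steve@evil.example", "steve", "steve@a@b"):
        print(f"{sample:40} {decide(sample)}")
```

The check that matters for security is the one in `next_hop`: the realm string comes from the client, so it is only ever used as a lookup key into a table the federation controls, never as a hostname to connect to. Real deployments add RadSec certificate validation of the peer on top of this, which the example does not model.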

  3. Current Status • In theory, anything using GSS (and SASL (and SSPI)) • Some things need minor fixes • Get started with Ubuntu/Debian ISO • “Hello, World” for Moonshot • RPMs available, broadening OS support (Win, OSX) • Needs client and server libs • Project led by JANET • Development by Painless Security • www.painless-security.com • IETF ABFAB-WG • www.project-moonshot.org

  4. UK Pilot • Started 2 April 2013. Kick off meeting Mon 8th • 37 partners, 5 non-UK, most starting now • Documentation being written  • 18 months, three phases (1, 2, and 3)

  5. Pilot Common Areas 0. Grid resources (via certificates in the medium term) • “HPC” (ssh) – everyone • OpenStack – Kent, Sussex • iRODS – STFC, UCL (maybe) • CIFS (maybe) – UCL • Federated desktops (i.e. account management) • Ticket systems/support (Cambridge) • Clouds and cloudbursting (Kingston) • Scalability and performance (JANET) • Trust routers (initially JANET will run one) • Grid COI (STFC+JANET)

  6. Moonshot Integration

  7. Examples of tested scenarios • OpenSSH client → OpenSSH server (GSS) • OpenLDAP client → OpenLDAP server (SASL) • OpenLDAP client (GSS) → Windows Active Directory (SSPI) • Firefox → Apache (GSS) • Internet Explorer → IIS (SSPI) • Adium → Jabberd (SASL) • Console authentication using PAM/GSS on Linux and SSPI on Windows

  8. Moonshot & MyProxy • Moonshot supported via SASL • No code changes or recompiling needed • Only a matter of configuration (server/client) • Both CA and repository mode supported • Users can obtain new credentials or retrieve stored ones • X.509 credentials can be obtained using federated identity: myproxy-logon -l steve@realm -s server -n

  9. Moonshot & NFSv4 • Distributed file system • Several implementations available • Security implemented using GSS-API • Significant changes to client and server done • “hidden” dependency on Kerberos • Pilot deployment oriented on grid users • Authentication using X.509 (IGTF) • Gridified file system
