Moonshot is a standards-based, open source architecture for web and non-web sign-on within and across organisational boundaries. Rather than reinventing existing functionality, Moonshot builds on several other software packages, which also makes it easier to add Moonshot to existing services. It also defines a new GSSAPI mechanism, GSS-EAP, which allows RADIUS EAP authentication to be used from a GSSAPI-based service.

Moonshot is currently funded by Jisc (JANET) as a project and is released under the BSD licence, although some components, such as the Windows version of the Moonshot GSSAPI mechanism, are closed-source and must be licensed from either Jisc or Painless Security, the primary developers. Users in the educational and research (R&E) space may license the Windows mechanism free of charge.

Features supported by the tool

Moonshot comprises several parts: the client, the service, the RP proxy, the identity provider and the trust router.

The client, comprising the GSSAPI mechanism and the identity manager (on supported platforms), enables the use of Moonshot through existing GSSAPI support. The client must be installed on every party in a Moonshot deployment: the client device (a laptop, for example), the service, the RP proxy, the identity provider and, where applicable, the trust router, so that all parties can speak the protocol. The client is accessed through the standard GSSAPI.

The service may be any service that supports multi-trip GSSAPI (many modern applications do, but some need help). The service generally does not need modification unless GSSAPI support has to be added where it did not previously exist. NFSv4 is a prime example: it may lack GSSAPI support unless that support was built in when the package was created.

The RP proxy is the gateway between a GSSAPI-based service and the wider Moonshot network; it uses the RadSec protocol for authentication, implemented through the FreeRADIUS v3 package. The RP proxy also identifies itself to the trust router service before querying it for realm information. Performance depends almost entirely on the SQLite and FreeRADIUS software, which is designed to be very responsive in high-throughput environments.

The identity provider is an almost standard FreeRADIUS v3 installation, with a change that allows it to interact with the trust router service and with the RP proxies that connect to it. As such, the identity provider supports all identity stores that FreeRADIUS supports (e.g. LDAP directories, relational databases, flat files), as well as SASL authentication based on a username and password provided by the user. Performance here depends on the speed and indexing of the identity stores and on the hardware provided to the identity provider. As with the RP proxy, FreeRADIUS is designed to be responsive in a high-throughput environment. Any additional queries, such as to an attribute authority, will also affect overall performance.

The trust router service provides the support for trust between entities: it maintains the list of identity realms and their assigned hosts, the list of service realms and the constraints that bind them, and the communities of interest, which may be used in a similar fashion to virtual organisations (VOs). The trust router software has been designed to run in a clustered/multi-instance environment. It is recommended that a proxy be placed in front of the service to manage requests across multiple instances.

The main AARC requirements supported are:

  • Attribute aggregation / Account linking: Attribute aggregation is supported in the sense that both RADIUS attributes and a SAML assertion can be aggregated.

  • Community-based authorisation

  • Federation solutions based on open and standards-based technologies

  • Browser & non-browser based federated access

Supported standards

  • GSSAPI
  • SAML2
  • RadSec
  • EAP

User interfaces and APIs

  • On supported platforms with no built-in credential management (such as Linux), a credential manager is provided.

  • Any application using an MIT Kerberos-compatible GSSAPI implementation can use Moonshot.

Support for Virtual Organisations

  • Support for communities of interest at the RP proxy level

  • Support for attribute authorities that can provide further VO support exists to a degree (but has not been tested in anger)

  • Account linking is encouraged on the RP Proxy/organisational level. Current use cases indicate that this is generally a preference, but that this may change in the future.


Dependencies on other technologies

  • OpenSAML libraries for internal SAML support

  • Shibboleth2 Service Provider on the service (optional)

  • FreeRADIUS v3, built with dynamic realm and trust router support (available from the Moonshot repositories)

  • SQLite v3 (as non-volatile storage of keys received by either RP Proxy or IdP)

Operational overview

  • The client is currently supported on RHEL 6-based and Debian-based Linux distributions, and on Windows 7 and higher. Mac OS X is not yet supported, but support is in development. OpenSUSE support is also being explored.

  • The RP proxy and identity provider are available for Linux only. Mac OS X support may be considered once the client works on that platform. Windows will not be supported because FreeRADIUS does not support that platform. The RP proxy and identity provider can be virtualised. Docker containers have not been tried.

  • The trust router is currently supported on Linux only and can also be virtualised. Docker containers have not been tried.

Expected level of support

Basic support is provided by the user community at large and by Jisc (to its connected customers). Project documentation is updated where and when necessary on the project wiki, which members of the community can also edit.
