Presentation is loading. Please wait.

Presentation is loading. Please wait.

European AFS & Kerberos Conference 2010

Published byLorin Paul Modified over 5 years ago

Similar presentations

Presentation on theme: "European AFS & Kerberos Conference 2010"— Presentation transcript:

1 European AFS & Kerberos Conference 2010
Pilsen, Czech Republic 13 September 2010 Josh Howlett, Middleware Architect, JANET(UK)

2 Background JANET(UK) delivers advanced networking services to the UK Research & Education community. Rapid deployment of trust and identity services. Campus, national and international levels.

3 Background Large bag of security frameworks, often bound to specific application domains: Kerberos: intra-Enterprise applications SAML: inter-Enterprise Web SSO EAP: network authentication (802.1x, PANA, …) X.509: TLS credential, Web Services, … Etc.

4 Background Multiple non-interoperable security/application silos  complexity, cost & confusion. Moonshot is a general framework for establishing trust between system entities conveying identity between system entities In the Moonshot architecture, the first is a special case of the second.

5 Goals To deliver Ambitious, but achievable
A standardised architecture. A production-quality open-source implementation. Packaged and shipped with Debian Linux. A test-bed for interoperability testing. High quality documentation. An active community of users and developers. Third-party implementations by vendors and other communities. Available for all computing platforms. Ambitious, but achievable “[Project Moonshot] aims high but the potential benefits justify the effort” It’s the F-Word, IETF Journal (June 2010)

6 Goals “It might be apropos to note that the name "Moonshot" in the Moonshot proposal comes from a statement I made on a list that if you're going to change the client … and your solution is predicated on getting browser and/or OS vendors to actually move the ball, there's little point in taking halfway steps. Design a better solution and build it, i.e. shoot for the moon.” Scott Cantor (IETF Kitten mailing list).

7 Use-case 1: Out-sourcing
Institutions increasingly want to: Reduce costs by out-sourcing commodity services to third party service providers. Use campus-managed identities to provide SSO and enable conformance to data protection legislation. Web-based SAML federation enables this for Web-based services... ...but not other types of services (IMAP, POP3, SMTP, CalDAV, etc) Identity Provisioning APIs exist, but they’re typically not appropriate.

8 Use-case 2: High Performance Computing
HPC facilities are increasingly critical to Institutions. Requirements: Improve Business Continuity by federating access to HPC facilities. Offer HPC-as-a-service to external customers. Reduce costs incurred in operating HPC-specific authentication service. Provide a better user experience.

9 Use-case 3: Learning from Web SSO
In federating authentication for new applications, avoid problems already discovered with Web SAML federation (and fix them). As a federation grows in size Users are presented with an ever-growing list of identity providers (“IdP discovery problem”). As a federation grows in scope Users may acquire more than one identity provider (“multiple affiliations problem”).

10 Proposed benefits Users
Users can authenticate using one or more identities to desktop applications. Users can easily select an identity.

11 Proposed benefits Campuses
Increases the ROI made in federated identity services, by expanding its use to a greater range of applications. Reduces the effort required to support different authentication technologies and credentials for different services.

12 Proposed benefits Service Providers
Introduces the benefits of federated identity to new types of services. Addresses some of the issues associated with the conventional Web SSO. The technology, when used with a web browser, could co-exist with conventional Web SSO profiles.

13 Moonshot architecture
By analogy with eduroam Client Service Provider Identity Provider FreeRADIUS EAP server OpenSEA supplicant EAP peer (Supplicant) GSS library EAP authen ticator AAA client AAA server GSS library GSS-API EAP lower layer (e.g ) GSS-API EAP lower layer (e.g ) SAML IdP Shibboleth IdP Applications Application (e.g. SFTP) Applications Application (e.g. SFTP)

14 Moonshot & Kerberos Moonshot and Kerberos are complementary.
Can we leverage Kerberos? Reduce impact on applications Delegation FAST pre-authentication framework Moonshot pre-authentication mechanism?

15 Strategy Work with other interested parties to reach agreement on the problems. Vendors & International R&E community. Develop technical standards to address these. IETF & OASIS. Develop a proof-of-concept implementation. Facilitate roll-out of technology for broader use.

16 What have we achieved so far?
Phases 1-3 (January 2010  April 2010) Feasibility Analysis & draft specifications. Bar IETF 77. Phase 4 (April 2010  June 2010) Developed draft project plan. Developed IETF Working Group charter. Phase 5 (June 2010  August 2010) IETF 78 “FedAuth” BoF: consensus to establish a working group. Project plan completed See

17 Current activities Phase 6A (August 2010  January 2011)
Advance specifications through IETF and OASIS. Develop the core technology Proof of concept demonstrator. Phase 6B (February 2011  July 2011) Develop remaining technologies. Implement test-bed.

18 Get involved! Your opinions and ideas.
Use-cases, use-cases, use-cases. Join the IETF AbFab mailing list. Join our project mailing list. Participate in the test-bed.

19 Thank you for your attention.
Any questions?

Download ppt "European AFS & Kerberos Conference 2010"

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
Office 365 Identity June 2013 Microsoft Office365 4/2/2017

Office 365 Identity June 2013 Microsoft Office365 4/2/2017
Federated Access to Grids Daniel Kouřil, Sam Hartman, Josh Hewlet, Jens Jensen, Michal Procházka EGI User Forum 2011.

Federated Access to Grids Daniel Kouřil, Sam Hartman, Josh Hewlet, Jens Jensen, Michal Procházka EGI User Forum 2011.
EMI Development Plans for Identity Management Henri Mikkonen / HIP Moonshot, Grid and HPC Workshop 7.7.2011 London, UK.

EMI Development Plans for Identity Management Henri Mikkonen / HIP Moonshot, Grid and HPC Workshop London, UK.
Project Moonshot February 2012. Background Project Moonshot 2.

Project Moonshot February Background Project Moonshot 2.
The Internet2 NET+ Services Program Jerry Grochow Interim Vice President CSG January, 2012.

The Internet2 NET+ Services Program Jerry Grochow Interim Vice President CSG January, 2012.
Project Moonshot update TF-EMC2 & TF-MNM 14 & 16 February 2011.

Project Moonshot update TF-EMC2 & TF-MNM 14 & 16 February 2011.
© Janet 2012 Project Moonshot Technology, use cases & pilot 17 January, 2012 Haka conference, Helsinki 1.

© Janet 2012 Project Moonshot Technology, use cases & pilot 17 January, 2012 Haka conference, Helsinki 1.
Key Negotiation Protocol & Trust Router draft-howlett-radsec-knp ABFAB, IETF 80 31 March, Prague.

Key Negotiation Protocol & Trust Router draft-howlett-radsec-knp ABFAB, IETF March, Prague.
Will Darby 91.514 5 April 2010.  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.

Will Darby April  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.
Enterprise Integration Architecture IPMA Professional Development Seminar June 29, 2006 Scott Came Director, Enterprise Architecture Program Washington.

Enterprise Integration Architecture IPMA Professional Development Seminar June 29, 2006 Scott Came Director, Enterprise Architecture Program Washington.
TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-

TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.

Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.
Identity and Access Management IAM. 2 Definition Identity and Access Management provide the following: – Mechanisms for identifying, creating, updating.

Identity and Access Management IAM. 2 Definition Identity and Access Management provide the following: – Mechanisms for identifying, creating, updating.
Secure Element Access from a Web browser W3C Workshop on Authentication, Hardware Tokens and Beyond 11 September 2014 1 Oberthur Technologies – Identity.

Secure Element Access from a Web browser W3C Workshop on Authentication, Hardware Tokens and Beyond 11 September Oberthur Technologies – Identity.
Project Moonshot TF-MNM. Use cases Project Moonshot 2.

Project Moonshot TF-MNM. Use cases Project Moonshot 2.
To identity federation and beyond! Josh Howlett JANET(UK) HEAnet 2008.

To identity federation and beyond! Josh Howlett JANET(UK) HEAnet 2008.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Helsinki Institute of Physics (HIP) - 2003 Liberty Alliance Overview of the Liberty Alliance Architecture Helsinki Institute of Physics (HIP), May 9 th.

Helsinki Institute of Physics (HIP) Liberty Alliance Overview of the Liberty Alliance Architecture Helsinki Institute of Physics (HIP), May 9 th.

Similar presentations

Ads by Google