
Non Web-based Identity Federations - Moonshot
Daniel Kouril, Michal Prochazka, Marcel Poul
ISGC 2015
Identity Federations
• Sharing and exchange of identity information
• Identity providers + services + a "bus" connecting them
• Advantages for both users and service providers
• Mostly web/HTTP-based
– Non-web use cases (SSH, file systems, mail, ...) are not covered
Moonshot
• Moonshot builds on the eduroam technologies
– EAP (RFC 3748): strong mutual authentication
– RADIUS (RFC 2865): federation between domains
• To this, Moonshot adds
– SAML, for rich authorization semantics (attributes carried to the service)
– Trust Router, to locate the user's IdP
• Strong focus on standardisation
– IETF RFCs
Architecture
[Diagram: SSH client, SSH server, RADIUS server]
(1) Credentialing
(2) SSH negotiation (SSH client <-> SSH server)
(3) Authentication
(4) RADIUS (SSH server <-> RADIUS server)
(5) Attributes
(6) SSH session
Integration with Applications
• Integration using operating system security APIs
– SSPI: Windows
– GSS-API: other operating systems
– SASL: Windows and other operating systems
• Successful integrations
– OpenSSH client, PuTTY -> OpenSSH server
– Firefox, Internet Explorer -> Apache
– Outlook 2010 -> Exchange 2010
– ...
Moonshot & NFSv4
• Distributed file system
– Several implementations available
– Security implemented via GSS-API, so a new GSS mechanism should plug in
• Significant changes to both client and server were nevertheless needed
– "hidden" dependency on Kerberos in the GSS-API code paths
• Code available on GitHub
Moonshot & Samba
• Open-source implementation of CIFS
protocols for Linux
• Access to Samba volumes possible via
Moonshot authentication
• Integration also not straightforward
– Hidden Kerberos dependencies
– Conflicting symbols
– Changing code base
• Tested only with Samba
Delegation and SSO in Moonshot
• Moonshot Identity Manager holds the user's credentials
• Limited support for SSO, no support for credential delegation
PKI-based Delegation Tokens
• Short-lived X.509 certificates issued by the IdP
– Replacement for long-term credentials
– Easy integration with EAP
• Delivered as an additional user attribute sent by the IdP
– IdP operates an on-line CA
• Usage governed entirely by the IdP
– Limited lifetime and usage
– Revocation not needed: the certificate simply expires
– No additional trust relationship introduced: the service already trusts the IdP
• Private keys are not encrypted
[Diagram: CA, IdP, User, Service]
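The following Go program is an added example, not code from the Moonshot project or from this talk. It models the delegation-token idea on the slide with standard-library X.509 only: a hypothetical IdP-operated on-line CA issues a short-lived client certificate for a user, the certificate and its unencrypted private key are packed into a PEM blob that stands in for the "additional user attribute", and the service verifies the token against the IdP's CA alone, using the validity window instead of revocation. Names (newCA, IssueDelegationToken, VerifyToken, TokenAttribute, alice@example.org, the 12-hour lifetime) are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issuerCA is a hypothetical in-memory on-line CA operated by the IdP.
type issuerCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA creates a self-signed CA certificate; the service trusts only this key.
func newCA() (*issuerCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example IdP on-line CA"},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &issuerCA{cert: cert, key: key}, nil
}

// IssueDelegationToken issues a short-lived end-entity certificate for user,
// valid from now for the given lifetime and restricted to client authentication.
// The key pair is generated here and handed back unencrypted, as on the slide.
func (ca *issuerCA) IssueDelegationToken(user string, lifetime time.Duration, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, nil, err
	}
	serial.Add(serial, big.NewInt(1)) // keep the serial strictly positive
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: user},
		NotBefore:             now.Add(-time.Minute), // small clock-skew allowance
		NotAfter:              now.Add(lifetime),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  false,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// TokenAttribute packs certificate and private key as PEM, standing in for the
// attribute the IdP sends. The private key is NOT encrypted (as the slide states),
// so the short lifetime is the only thing bounding exposure if it leaks.
func TokenAttribute(cert *x509.Certificate, key *ecdsa.PrivateKey) (string, error) {
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return "", err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	return string(certPEM) + string(keyPEM), nil
}

// VerifyToken is the service side: trust only the IdP's CA, check the chain and
// the validity window at time at. No CRL or OCSP: expiry replaces revocation.
func VerifyToken(cert *x509.Certificate, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	ca, err := newCA()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	cert, key, err := ca.IssueDelegationToken("alice@example.org", 12*time.Hour, now)
	if err != nil {
		panic(err)
	}
	fmt.Println("within lifetime:", VerifyToken(cert, ca.cert, now.Add(time.Hour)))
	fmt.Println("after expiry:  ", VerifyToken(cert, ca.cert, now.Add(13*time.Hour)))
	attr, _ := TokenAttribute(cert, key)
	fmt.Print(attr)
}
```

The check the service performs is deliberately minimal: because the IdP already is the trust anchor for the federation login, adding its CA as the sole root introduces no new trust relationship, and a token presented after NotAfter is rejected without any revocation infrastructure.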
Q&A