Moonshot is a standards-based, open source architecture for web and non-web sign-on access within and across organisational boundaries. Rather than reinventing existing functionality, Moonshot builds on several other software packages, which also makes it easier to implement Moonshot through existing services. It also defines a new GSSAPI mechanism, GSS-EAP, which enables RADIUS EAP authentication to be accessed from a GSSAPI-based service.
Moonshot is currently funded by Jisc (JANET) as a project and is released under the BSD licence, although some components, such as the Windows version of the Moonshot GSSAPI mechanism, are closed-source and must be licensed from either Jisc or Painless Security, the primary developers. Users in the educational and research (R&E) space may license the Windows mechanism free of charge.
Features supported by the tool
Moonshot comprises several parts: the client, the service, the RP proxy, the identity provider and the trust router.
The client, comprising the GSSAPI mechanism and the identity manager (on supported platforms), enables the use of Moonshot through existing GSSAPI support. The client must be installed on all parties in a Moonshot deployment: on the client device (a laptop, for example), the service, the RP proxy, the identity provider and the trust router (where applicable), so that all parties can understand the protocol. The API to access the client is the standard GSSAPI.
The service may be any service that supports multi-trip GSSAPI (many modern applications do, but some need help). The service generally does not need modification unless it is to add GSSAPI support where it previously did not exist. A prime example of this may be NFSv4, which may not support GSSAPI unless support has been built in during package creation.
The RP proxy is the gateway service between a GSSAPI-based service and the wider Moonshot network; it uses the RadSec protocol for authentication, through the FreeRADIUS v3 package. The RP proxy also interacts with the trust router service, identifying itself before querying the trust router for realm information. Performance will depend almost entirely on the SQLite and FreeRADIUS software, which is designed to be very responsive in high-throughput environments.
The identity provider is a near-standard FreeRADIUS v3 installation, with a change that allows it to interact with the trust router service and the RP proxies that connect to it. As such, the identity provider supports all identity stores that FreeRADIUS supports (e.g. LDAP directories, relational databases, flat files), as well as SASL authentication based on a username and password provided by the user. Performance here will depend on the speed and indexing of the identity stores as well as the hardware provided to the identity provider. As with the RP proxy, FreeRADIUS is designed to be responsive in a high-throughput environment. Any additional queries, such as to an attribute authority, will also have an impact on overall performance.