The Moonshot Identity Manager for macOS User Guide

To use Moonshot, the user's device needs to have a way of storing and selecting credentials to use to authenticate to a service. To achieve this on the macOS platform, you use the Moonshot Identity Manager for macOS.

Manual configuration of the Moonshot Identity Manager is only recommended for power users.

1. What is the Moonshot Identity Manager?

The Moonshot Identity Manager for macOS is a central point from which you can manage your credentials to be used by Moonshot on the macOS platform.

2. Managing credentials using the Moonshot Identity Manager

The main way of interacting with the Moonshot Identity Manager is through a macOS app called Moonshot. It can also have identity information deployed to it - see this page for enterprise deployment options.

2.1. Loading the Identity Manager

Normally, the Identity Manager is invoked automatically when you try to log in to a Moonshot-enabled service. If you need to modify or remove an existing identity (or manually add one), you will need to load it manually. To do this, you can:

  • Locate the Moonshot Identity Manager in the macOS Launchpad on the Dock.

    or

  • Open a Finder window, browse to the Applications folder and click the Moonshot app.


The Moonshot Identity Manager should appear.

2.2. Keychain Access

The Moonshot Identity Manager uses the Keychain to store your Moonshot identities. The first time the Moonshot Identity Manager tries to access your keychain, you will be prompted to give Moonshot access to it. Enter your password and select 'Always Allow' to not be prompted again.

2.3. Working with Identities

Once the Moonshot Identity Manager has loaded, you can add, modify, or remove identities.

2.3.1. Adding an Identity

Manually adding identities is strongly discouraged. The enterprise deployment options available provide a much more secure way of adding identity information, because they can include extra information known as a "trust anchor" (information that stops one server pretending to be another).

2.3.1.1. Importing a credential

  1. Click the Import button.
  2. In the dialog that appears, browse to the credential you want to import.
  3. Select it, then click 'Select'.
  4. You should get a message that confirms a successful import.

2.3.1.2. Manually adding an identity in the Moonshot Identity Manager

  1. Click Identity, then 'Add new'.
  2. Fill in the details of the identity you wish to add:
    1. Display Name: this is a friendly name for the identity that will be displayed in the identities list.
    2. Issuer: this should be the realm associated with your organisation (e.g. camford.ac.uk).
    3. User name: this should be your username (e.g. bob.jones).
    4. Password: the password associated with that username.
  3. Click Add Identity to save the identity.

2.3.2. Modifying an Identity

  1. Load the Moonshot Identity Manager.
  2. Choose the identity to modify, then click Show Details to display the details of the identity. From here, you can:
    1. Modify the issuer, username or password.
    2. View or clear the trust anchor installed or associated with this identity (if any).
    3. Remove services or service selection rules associated with this identity.

2.3.3. Removing an Identity

  1. Load the Moonshot Identity Manager.
  2. Select the identity to delete.
  3. Click the "-" button below the list of identities to delete the identity. You will be prompted to confirm the deletion.

2.4. Service to Identity Mapping

Each identity can be used with one or more Moonshot services. The Moonshot Identity Manager allows these mappings to be created, modified, or removed.

2.4.1. Viewing existing mappings

If you wish to view existing mappings for each identity, then do the following:

  1. Load the Moonshot Identity Manager as detailed above.
  2. Double-click the identity whose mappings you wish to view.
  3. A list of services associated with that identity will appear in the Services section below the trust anchor details. 

2.4.2. Adding a mapping

The first time you attempt to use a Moonshot-enabled service, the Identity Manager will pop up.

Simply choose an existing identity, or create a new one as described above, then hit the "Connect" button.

At the top of the identity selection list you will see the GSS name of the service that is asking you to authenticate. Check that this is the service you were expecting.

2.4.3. Removing a mapping

If you wish to make the Moonshot Identity Manager forget about an existing mapping (if you wish to use a different identity for a particular service, or if you stop using that service entirely), then do the following:

  1. Load the Moonshot Identity Manager as detailed above.
  2. Double-click the identity whose mappings you wish to view.
  3. In the Services list that is presented, simply select the service, click the '-' button below the service list and confirm the deletion in the dialogue box that appears. 
  4. Click Save Changes to save the change.

3. Advanced Usage

3.1. Configure the Identity Manager to not use Moonshot for a particular service

If you regularly use a service that is not Moonshot-enabled, or one that you access with traditional, non-Moonshot credentials, you can tell the Identity Manager to stop appearing every time you attempt to access the service by doing the following:

  1. Attempt to access the service as normal; the Moonshot Identity Manager should pop up.
  2. Choose the identity labelled "No Identity", and hit the "Send" button.
  3. For all subsequent authentication attempts, the Moonshot Identity Manager should not appear.