PAPI
Points of Access to Providers of Information
Index
Main requirements
Interactions
Components
Configurations
Main requirements
1. Access control independent from IP origin.
2. After a successful authentication, the user is granted access, for a limited period of time, to all the services he/she is authorized for.
3. User mobility.
4. Transparent to the user.
5. Compatible with other common access control systems.
6. Compatible with Netscape/MSIE browsers.
7. Privacy is guaranteed at the user level.
8. Easy to integrate into different authentication systems.
9. Scalable and easy management.
Interactions in PAPI
Basic interaction diagram
Client credentials -> encrypted cookies
Point of Access -> access control element
[Diagram: the web browser sends authentication data to the Authentication Server and receives temporal encrypted cookies (Encry-cookie S1, S2, S3); its HTTP request + Encry-cookie S1 goes to the Point of Access, which forwards the HTTP request to Web Server S1 and returns the web page.]
Approximation: Partial Solutions
Each Point of Access generates its credential based on a signed URL.
[Diagram: the web browser sends authentication data to the Authentication Server and receives temporal signed URLs; each Point of Access is handed a Signed-URL and issues its own Encry-cookie (S1, S2, S3).]
Approximation: Partial Solutions
Copy of cookies -> database of cookies, short-time review
[Diagram: Web Browser 1 sends an HTTP request + Encry-cookie S1 to the Point of Access, which keeps a copy in the DB of Enc-cookies, forwards the HTTP request to Web Server S1 and returns the web page + New Enc-cook S1; Web Browser 2 presenting the same Encry-cookie S1 causes a collision.]
Architecture of PAPI system
[Diagram: the web browser sends authentication data to the Authentication Server and receives Encry-cookies / temporal signed URLs; the HTTP request + Hcook + Lcook goes to the Point of Access, which checks the Hcook against the DB of Hcook, forwards the HTTP request to Web Server S1 and returns the web page + Hcook + Lcook.]
URL: K_priv SA (user code + server + path + Exp. Time + sign time)
Hcook: E(user assertion + server + path + Exp. Time + Random Block)
Lcook: E(server + path + creation time)
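As an added example (not part of the original slides or of the PAPI software), the following Python sketch walks through the token flow of this slide from the Point of Access side: redeeming the AS-signed URL, issuing Hcook and Lcook, and the check-cook step of the Access Point slide that consumes each Hcook from the DB of Hcook and rotates it, so that a copied cookie presented a second time (the collision of the previous slide) is rejected. The keys, field names and the use of HMAC in place of PAPI's public-key signature and cipher E() are assumptions of this example.

```python
import base64, hashlib, hmac, json, secrets
# Constructed keys. AS_KEY stands in for K_priv SA (an HMAC key replaces PAPI's public-key
# signature); POA_KEY is the Point of Access key behind E(). Neither is real key material.
AS_KEY = b"constructed-as-signing-key"
POA_KEY = b"constructed-poa-cookie-key"

def seal(key, fields):
    """Stand-in for E() and the URL signature: base64 the fields and append an HMAC tag."""
    body = base64.urlsafe_b64encode(json.dumps(fields).encode()).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def unseal(key, token):
    """Return the fields if the tag verifies under key, else None (tampered or foreign)."""
    body, _, tag = token.rpartition(".")
    want = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.loads(base64.urlsafe_b64decode(body)) if hmac.compare_digest(tag, want) else None

def as_sign_url(user_code, server, path, exp_time, sign_time):
    """AS side: URL = K_priv SA(user code + server + path + Exp. Time + sign time)."""
    return seal(AS_KEY, {"user": user_code, "server": server, "path": path,
                         "exp": exp_time, "signed": sign_time})

class PointOfAccess:
    def __init__(self, server, path):
        self.server, self.path = server, path
        self.hcook_db = set()  # "DB of Hcook": Hcooks issued and not yet consumed

    def _issue(self, assertion, exp_time, now):
        # Hcook = E(user assertion + server + path + Exp. Time + Random Block); Lcook = E(server + path + creation time)
        hcook = seal(POA_KEY, {"assertion": assertion, "server": self.server,
                               "path": self.path, "exp": exp_time, "rnd": secrets.token_hex(8)})
        lcook = seal(POA_KEY, {"server": self.server, "path": self.path, "created": now})
        self.hcook_db.add(hcook)
        return hcook, lcook

    def redeem_signed_url(self, signed_url, now):
        """First visit: accept an AS-signed URL for this server/path; the user code becomes the assertion (assumption)."""
        f = unseal(AS_KEY, signed_url)
        if f is None or (f["server"], f["path"]) != (self.server, self.path) or f["exp"] <= now:
            return None
        return self._issue(f["user"], f["exp"], now)

    def check_cook(self, hcook, lcook, now):
        """Check-cook module: validate, consume, rotate; an Hcook absent from the DB was never issued or is already spent (the copied-cookie collision case)."""
        h, l = unseal(POA_KEY, hcook), unseal(POA_KEY, lcook)
        if (h is None or l is None or h["exp"] <= now or hcook not in self.hcook_db
                or (h["server"], h["path"]) != (self.server, self.path)):
            return None
        self.hcook_db.discard(hcook)
        return (h["assertion"],) + self._issue(h["assertion"], h["exp"], now)  # (assertion, Hcook, Lcook)
```

Times are plain integers so the expiry checks can be followed by hand; a deployment would use the wall clock and would also bound the DB of Hcook by the expiry time of its entries.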
Components of PAPI
Authentication server
[Diagram: the web browser sends authentication data to the Authentication Server interface; the authentication module checks it against the base of users, departments, etc. and answers OK / Error; the site database module returns the list of authorized sites, from which the browser receives a list of certified URLs.]
Authentication server features
- Flexible: adaptable to any authentication mechanism (LDAP, SQL, Berkeley DB, client certificates, …)
- Configurable user assertions (User_Id, groups, roles, projects, security level, …)
- Easy to integrate at portal level
- Configurable answers and actions: lists of authorized sites, personalized views, redirections
Access Point
[Diagram: the Access Point interface receives HTTP Req + HCook + LCook; the check-cook module validates the Hcook against the Data Base of Hcook and produces a new Hcook + new Lcook; the HTTP resolve module forwards the HTTP Req to the web server and receives the web page; the rewrite URL module rewrites the page, which is returned as Web + (New Hcook + new Lcook).]
Inverse proxy configuration
Access point features
- Powerful access rules
- Connection to authorization engines (SPOCP)
- Implementation as access control module or as front-end server
- Powerful and well-tested web front-end implementation
- TOMCAT aware
- Apache aware
- PHP aware
- AJAX compatible
GPoA (Group Point of Access)
[Diagram: the HTTP client authenticates against the PAPI AS; the AS holds the GPoA keys, and the GPoA issues a GPoA assertion to the PoAs grouped behind it.]
PoA aggregator: independence between AS and services
Federation
[Diagram: two groups of PoAs, each behind a GPoA; the GPoAs connect to the Authentication Servers (AS) of the federated organizations.]
Federation features
- Scalable user management
- Easy integration of new organizations
- New services do not need to be known by the rest of the orgs.
- Possibility of integration of different technologies and solutions
- Distributed risk -> more secure
- User mobility
- Data and applications sharing
Configurations of PAPI
Internal access to external services
[Diagram: internal HTTP clients authenticate to the Authentication Server (authentication data in LDAP), receive temporal tokens and use them on external web servers.]
Internal access to internal resources
[Diagram: the HTTP client authenticates to the AS (authentication data in LDAP), receives temporal tokens and uses them on the internal web servers.]
Internal access to internal resources II
[Diagram: HTTP clients authenticate to the Authentication Server (authentication data in LDAP), receive temporal tokens and use them on the internal web servers.]
External access to internal resources (federation)
[Diagram: an external HTTP client authenticates to the Authentication Server (authentication data in LDAP), receives temporal tokens and uses them on the internal web servers.]
External access to internal resources (federation)
[Diagram: an external HTTP client authenticates to the Authentication Server (authentication data in LDAP), receives temporal tokens and uses them on the internal web servers.]
CEA - CIEMAT - IST Federation
[Diagram: two organizations, each with HTTP clients, web servers and an Authentication Server issuing temporal tokens from its own authentication data (LDAP in one, SQL in the other), joined through a GPoA and a WAYF.]
So, What is PAPI?
Single Sign On
Distributed
Federation enabling
AuthN, AuthZ, Accounting system:
- Shibboleth compatible
- Athens compatible
- eduGAIN compatible
- JAAS compatible
- JAVA-JNLP aware
- XML-RPC aware
High Availability
Real PAPI installation at the Spanish university UNED