PAPI: Simple and Ubiquitous Access to Internet Information Services JISC/CNI Conference - Edinburgh, 27 June 2002.

Slides:



Advertisements
Similar presentations
Authorisation Models for National Scale Services Alan Robiette Joint Information Systems Committee
Advertisements

Shibboleth 2.0 and Beyond Chad La Joie Georgetown University Internet2.
Enabling Secure Internet Access with ISA Server
Welcome to Middleware Joseph Amrithraj
Inter-Institutional Registration UNC Cause December 4, 2007.
Implementing and Administering AD FS
Lecture 23 Internet Authentication Applications
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
EFDA Federation PAPI based federation as a test-bed for a common security infrastructure in EFDA sites R. Castro, J. Vega, A. Portas, D. R. López, S. Balme,
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
The EC PERMIS Project David Chadwick
WebFTS as a first WLCG/HEP FIM pilot
Remote User Authentication. Module Objectives By the end of this module participants will be able to: Describe the methods available for authenticating.
Understanding Active Directory
Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March
Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.
TAM STE Series 2008 © 2008 IBM Corporation WebSEAL SSO, Session 108/2008 TAM STE Series WebSEAL SSO, Session 1 Presented by: Andrew Quap.
Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz
3rd EuroCAMP Ljubljana Mind the Gap (And Try To Fill It with Any Tool at Hand) Bridging PAPI and Applications Diego R. Lopez.
MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
1 Multi Cloud Navid Pustchi April 25, 2014 World-Leading Research with Real-World Impact!
Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.
TNC2004 Rhodes 1 Authentication and access control in Sympa mailing list manager Serge Aumont & Olivier Salaün May 2004.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
WS-Security: SOAP Message Security Web-enhanced Information Management (WHIM) Justin R. Wang Professor Kaiser.
Shib-Grid Integrated Authorization (Shintau) George Inman (University of Kent) TF-EMC2 Meeting Prague, 5 th September 2007.
PAPI Points of Access to Providers of Information.
Belnet Federation Belnet – Loriau Nicolas Brussels – 12 th of June 2014.
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
1 Introduction to Microsoft Windows 2000 Windows 2000 Overview Windows 2000 Architecture Overview Windows 2000 Directory Services Overview Logging On to.
Connect. Communicate. Collaborate Federation Interoperability Made Possible By Design: eduGAIN Diego R. Lopez (RedIRIS)
Shibboleth Akylbek Zhumabayev September Agenda Introduction Related Standards: SAML, WS-Trust, WS-Federation Overview: Shibboleth, GSI, GridShib.
SAML: An XML Framework for Exchanging Authentication and Authorization Information + SPML, XCBF Prateek Mishra August 2002.
Shibboleth: An Introduction
Internet2 Middleware Initiative Shibboleth Ren é e Shuey Systems Engineer I Academic Services & Emerging Technologies The Pennsylvania State University.
Update on PKI Activities in the Spanish Academic Network PKI-COORD November 26, Amsterdam.
1. 2 Overview In Exchange security is managed by assigning permissions in Active Directory Exchange objects are secured with DACL and ACEs Permissions.
1 Protection and Security: Shibboleth. 2 Outline What is the problem Shibboleth is trying to solve? What are the key concepts? How does the Shibboleth.
Extending ISA/IAG beyond the limit. AGAT Security suite - introduction AGAT Security suite is a set of unique components that allow extending ISA / IAG.
UMBC’s WebAuth Robert Banz – UMBC
Claims-Based Identity Solution Architect Briefing zoli.herczeg.ro Taken from David Chappel’s work at TechEd Berlin 2009.
GridShib and PERMIS Integration: Adding Policy driven Role-Based Access Control to Attribute-Based Authorisation in Grids Globus Toolkit is an open source.
Creating and Managing Digital Certificates Chapter Eleven.
Diego R. Lopez, RedIRIS TF-EMC2, Umea SIR, FedSSH and more to come…
Web Services Security Patterns Alex Mackman CM Group Ltd
MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter One Introduction to Exchange Server 2003.
PAPI-PERMIS Integration Project Proposal David Chadwick
Administrative Information Systems Shibboleth Install Session Technical Information Session for Developers Datta Mahabalagiri.
(ITI310) By Eng. BASSEM ALSAID SESSIONS 10: Internet Information Services (IIS)
PAPI 2 Distributed trust model and AA interoperability.
Linus Joyeux Valerie Alonso Managing consultantLead consultant blue-infinity (Switzerland) Active Directory Federation Services v2.
Adding Distributed Trust Management to Shibboleth Srinivasan Iyer Sai Chaitanya.
Shibboleth 1.2 Technical Overview “So you thought 1.1 was complicated…” Scott Cantor The Ohio State University and Internet2 Scott Cantor.
The FederID project The First Identity Management and Federation Free Software.
Access Policy - Federation March 23, 2016
What are they? The Package Repository Client is a set of Tcl scripts that are capable of locating, downloading, and installing packages for both Tcl and.
Federation made simple
HMA Identity Management Status
Identity Federations - Overview
Introduction How to combine and use services in different security domains? How to take into account privacy aspects? How to enable single sign on (SSO)
O. Otenko PERMIS Project Salford University © 2002
Shibboleth 2.0 IdP Training: Introduction
Presentation transcript:

PAPI: Simple and Ubiquitous Access to Internet Information Services JISC/CNI Conference - Edinburgh, 27 June 2002

2 Outline Requirements on AA (Authentication and Authorization) technologies The PAPI components The PAPI protocol Application scenarios Current status and ongoing work

3 Requirements on AA technologies Preserve user privacy Do not interfere with provider rights and accounting procedures Do not impose management burdens either to providers or consumers Fully permit user mobility Transparency to the user Compatibility with other access control systems Web based, although extensible to other access technologies

4 What is PAPI PAPI enables distributed access control to information resources accross the Internet  Authentication is locally performed at the organization the user belongs to  Authorization is fully controlled by the provider Based on standard HTTP procedures and public key cryptography  Does not require specific hardware or software

5 The components of PAPI The Authentication Server (AS)  Provides users with a (local) single authentication point The Point of Access (PoA)  Performs actual access control by means of temporary cryptographic tokens, encoded as HTTP cookies The Group-wide Point of Access (GPoA)  Combines a group of PoAs with similar access policies  Intended to simplify AS-PoA interactions

6 The Authentication Server Verifies user identity and rights  Each of these verifications is independently performed  Directories play a key role in rights management Builds a set of digitally signed assertions about the user  According to privacy preservation rules Sends the assertions to the appropriate (G)PoAs  By means of references to objects embedded in HTML

7 The Point of Access Evaluates assertions received from the AS  Verifying the signature and matching against any defined filter  If the assertion is acceptable, produces a initial couple of access tokens If the request comes with access tokens, evaluates them  Access is granted only to requests carrying valid tokens  Two classes of tokens (long- and short- lived) to avoid unauthorized access by cookie copying

8 The Group-wide Point of Access A PoA that receives a request without access tokens can redirect it to a GPoA The GPoA analyzes these requests  If valid, the PoA receives a signed assertion from its GPoA  The PoA process it as coming from any other AS  The hierarchy may be indefinitely extended Trust management is simplified  An AS needs only to know about the GPoA  PoAs may be added under a GPoA without configuring them for valid ASes

9 The PAPI base protocol Browser Authentication Data Authentication Server Access Tokens PoA1 Access Tokens PoA2 Point of Access Point of Access Signed Assertions Signed Assertion Access Tokens

10 The GPoA protocol Browser Auth data PAPI AS Assertions GPoA Access Tokens GPoAPoA PoA Access Tokens 302+ Tokens Data

11 Application scenarios Datacenter PoA Web Server PoA GPoA Datacenter Authentication Server Institution A Directory Authentication Server Institution B Directory Web Server

12 Application scenarios Access to local and remote services PoA Web Server PoA GPoA Authentication Server Institution Directory Provider B Web Server PoA Provider A Web Server

13 Application scenarios Centralized service PoA Web Server GPoA A Authentication Server Institution A Directory PoA Provider A Web Server Institution B Directory GPoA B PoA Provider B Web Server

14 Current status Version 1.1 in production  Available in open source from  Runs on Apache servers  Authentication modules based on POP3, LDAP and index files Version 1.2 nearly to be released  Includes ISAPI (Microsoft IIS) support  Enhanced proxy functionality  Simpler configuration Growing installed base  Gaining experience on requirements and applicability

15 Ongoing work Alignment with other AA initiatives  Use of standard languages (SAML) for assertions and normalization of attributes  In the framework of the TF-AACE group In collaboration with Internet2 (Shibboleth) Dynamic assertion evaluation  Based on attribute queries made by (G)PoAs and answered by the AS  Running on top of WebServices (SOAP) Performance enhancements Going beyond the Web  Use of the AA model for other applications: videoconferencing, Grid services,...

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.