The PAPI System Point of Access to Providers of Information

PAPI - Outline
- Introduction
- Requirements
- Approximations to a solution
- Configurations
- Architecture of the PAPI system
- Implementation
- Future lines

PAPI - The origin
- Meeting between library consortia and content providers
- Original problem to solve: access control by IP address
- RedIRIS committed to provide a solution
- Organizations:
  - Spanish library consortia: CICA, CSIC, UAM, UOC, UPM, CBUC
  - Content providers: SILVERPLATTER, GREENDATA, EBSCO, SWETS, ARANZADI

PAPI - Requirements
- Access control independent of the IP address of origin
- Upon successful local authentication, access must be granted for a configurable period of time to the services the user is authorized for
- User mobility
- Transparency to the user
- Compatibility with other commonly employed access control systems
- Compatibility with Netscape/MSIE/Lynx browsers
- Privacy at the user level, while easing the collection of statistics by providers

PAPI - Approximation: Temporary Certificates
[Diagram: the web browser sends authentication data to the Authentication Server and receives temporary certificates S1, S2, S3; it then sends "HTTP request + Certificate S1" to Web Server S1 and "HTTP request + Certificate S2" to Web Server S2, each of which returns a web page]
Advantages:
- Temporary access to authorized services
- Allows user mobility
- Authentication is local to the user's organization
- Technology implemented in the main web servers
Problems:
- NOT TRANSPARENT
- Password stored in the browser certificate DB
- Choice of the right certificate
- Information providers not adapted to this technology
- Does not detect certificate duplication

PAPI - Approximation: Partial Solutions
- No transparency -> encrypted cookies
- Web servers not adapted -> Points of Access
[Diagram: the web browser sends authentication data to the Authentication Server and receives temporary encrypted cookies (Encry-cookie S1, S2, S3); it sends "HTTP request + Encry-cookie S1" to the Point of Access, which forwards a plain HTTP request to Web Server S1 and returns the web page]
Advantages:
- Temporary access to authorized services
- Allows user mobility
- Authentication is local to the user's organization
- Access control is adapted to the current web servers of content providers
- Transparent to the user
Problems:
- Domain-name problems when loading cookies
- Does not detect cookie copying

PAPI - Approximation: Partial Solutions
- Domain-name problems when loading cookies -> cookies served by PoAs
[Diagram: the web browser sends authentication data to the Authentication Server and receives temporary signed URLs instead of Encry-cookies S1, S2, S3; following a Signed-URL to a Point of Access makes that Point of Access set its own Encry-cookie]

PAPI - Approximation: Partial Solutions
- Cookie copying -> database of cookies, short expiration time
[Diagram: Web Browser 1 sends "HTTP request + Encry-cookie S1" to the Point of Access, which checks it against the DB of Enc-cookies, forwards the HTTP request to Web Server S1 and returns "Web page + New Enc-cook S1"; when Web Browser 2 later sends "HTTP request + Encry-cookie S1" with the copied cookie, the Point of Access detects a collision]

PAPI - Architecture of the PAPI system
[Diagram: the web browser sends authentication data to the Authentication Server and receives Encry-cookies and temporary signed URLs; it sends "HTTP request + Hcook+Lcook" to the Point of Access, which checks the Hcook against its Hcook DB, forwards the HTTP request to Web Server S1 and returns "Web page + New Hcook+Lcook"]
- URL: K_priv_AS (user code + server + path + Exp. Time + sign time)
- Hcook: K1_PA (user code + server + path + Exp. Time + Random Block)
- Lcook: K2_PA (user code + server + path + creation time)
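The Hcook/Lcook handling at a Point of Access, as an added example that is not part of the original slides: it covers the cookie database and cookie rotation from the previous slides together with the cookie fields listed on this one. It assumes HMAC-authenticated tokens standing in for the slides' encrypted cookies, constructed sample values for K1_PA and K2_PA, and a PoA that drops the whole session once a copied Hcook is detected.

```python
import hmac
import hashlib
import secrets

# Constructed sample keys standing in for the PoA keys K1_PA and K2_PA.
K1_PA = b"constructed-sample-key-1"
K2_PA = b"constructed-sample-key-2"

def _seal(key, fields):
    # Authenticated token: "|"-joined fields plus an HMAC tag (HMAC stands in
    # for the slides' encryption; fields must not contain "|").
    body = "|".join(fields)
    return body + "|" + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def _open(key, token):
    body, _, tag = token.rpartition("|")
    want = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body.split("|") if hmac.compare_digest(want, tag) else None

class PointOfAccess:
    def __init__(self):
        self.hcook_db = {}  # (user, server, path) -> the single currently valid Hcook

    def issue(self, user, server, path, exp_time, now):
        hcook = _seal(K1_PA, [user, server, path, str(exp_time), secrets.token_hex(8)])
        lcook = _seal(K2_PA, [user, server, path, str(now)])
        self.hcook_db[(user, server, path)] = hcook
        return hcook, lcook

    def request(self, hcook, lcook, now):
        h, l = _open(K1_PA, hcook), _open(K2_PA, lcook)
        if h is None or l is None or h[:3] != l[:3]:
            return "reject", None            # forged, truncated or mismatched cookies
        user, server, path, exp_time, _rand = h
        if now > int(exp_time):
            return "expired", None           # Exp. Time set by the AS has passed
        session = (user, server, path)
        if self.hcook_db.get(session) != hcook:
            # This Hcook was already consumed: a copied cookie is being replayed.
            # Assumption: drop the session so both browsers must re-authenticate.
            self.hcook_db.pop(session, None)
            return "collision", None
        return "ok", self.issue(user, server, path, int(exp_time), now)

def run_demo():
    poa = PointOfAccess()
    h1, l1 = poa.issue("u42", "s1.example", "/db", exp_time=2000, now=1000)
    first = poa.request(h1, l1, now=1001)[0]   # legitimate browser, gets rotated cookies
    replay = poa.request(h1, l1, now=1002)[0]  # second browser replays the copied Hcook
    return first, replay
```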

PAPI - Configurations
[Diagram: possible placements of the Authentication Server, Point of Access and Web Server, split between the user's organization and the information provider: the PoA may sit with the AS at the user's organization, with the web server at the provider, or both sides may run their own PoAs and ASs]

PAPI - Implementation
- Status: Version
  - Available at
- Crypt functions:
  - OpenSSL
- Authentication modules
  - Local auth, LDAP, POP3
- Points of Access
  - mod_perl
  - Apache virtual servers

PAPI - Future Lines
- Enhancement of statistic collection at PoAs
- More general implementation
  - Servlet(s)
- Management tools (both for AS and PoA)
- Interaction with information access software
- Align to similar initiatives
  - Authentication objects
  - Alternative protocols for exchanging them
  - SPARTA, Shibboleth

PAPI - Pilot of the system
[Diagram: pilot sites connected to the Information Providers; site combinations shown: AS: LDAP with PoA: LISA DB (ERL); AS: POP with PoA: Local DBs (two sites); AS: Local with PoA: MEDLINE (ERL)]