Published by Katherine Shaw. Modified over 9 years ago.
Slide 1. PAPI: Points of Access to Providers of Information
Slide 2. Index
- Main requirements
- Interactions
- Components
- Configurations
Slide 3. Main requirements
1. Access control independent from the IP origin.
2. After a successful authentication, access is granted for a limited period of time to all services the user is authorized to.
3. User mobility.
4. Transparent to the user.
5. Compatible with other common access control systems.
6. Compatible with Netscape/MSIE browsers.
7. Privacy is guaranteed at the user level.
8. Easy to integrate into different authentication systems.
9. Scalable and easy management.
Slide 4. Interactions in PAPI
Slide 5. Basic interaction diagram
Client credentials are encrypted cookies; the Point of Access is the access control element.
(Diagram: the web browser sends authentication data to the Authentication Server, which returns temporal encrypted cookies, one per server (Encry-cookie S1, S2, S3); each HTTP request to Web Server S1 carries Encry-cookie S1 and passes through the Point of Access, which forwards the HTTP request and returns the web page.)
Slide 6. Approximation: partial solutions
Each Point of Access generates its credential based on a signed URL.
(Diagram: the web browser sends authentication data to the Authentication Server, which returns temporal signed URLs; each Point of Access turns its signed URL into its own encrypted cookie, Encry-cookie S1, S2, S3.)
Slide 7. Approximation: partial solutions (continued)
A copy of the cookies is kept in a database of cookies, with short-time review.
(Diagram: Web Browser 1 and Web Browser 2 both present Encry-cookie S1 to the Point of Access in front of Web Server S1; the Point of Access checks the DB of Enc-cookie, forwards the HTTP request and returns the web page together with a new Enc-cook S1; a later HTTP request that still carries the old Encry-cookie S1 is a collision.)
Slide 8. Architecture of the PAPI system
(Diagram: the web browser sends authentication data to the Authentication Server and receives encrypted cookies and temporal signed URLs; each HTTP request to Web Server S1 carries Hcook + Lcook through the Point of Access, which consults the DB of Hcook, forwards the HTTP request and returns the web page with a fresh Hcook + Lcook.)
URL: K_priv SA (user code + server + path + Exp. Time + sign time)
Hcook: E(user assertion + server + path + Exp. Time + Random Block)
Lcook: E(server + path + creation time)
Slide 9. Components of PAPI
Slide 10. Authentication server
(Diagram: the web browser sends authentication data to the authentication module, which returns a list of certified URLs; the Authentication Server interface answers OK / Error to the authentication data; the site database module returns the list of authorized sites, drawing on the base of users, departments, etc.)
Slide 11. Authentication server features
- Flexible: adaptable to any authentication mechanism (LDAP, SQL, Berkeley DB, client certificates, ...)
- Configurable user assertions: User_Id, groups, roles, projects, security level, ...
- Easy to integrate at portal level
- Configurable answers and actions: lists of authorized sites, personalized views, redirections
Slide 12. Access Point interface
(Diagram: an HTTP request with HCook + LCook enters the check cook module, which looks the Hcook up in the Data Base of Hcook and produces a new Hcook + new Lcook; the HTTP resolve module forwards the HTTP request and obtains the web page; the rewrite URL module rewrites the page, which is returned with the new Hcook + new Lcook. Inverse proxy configuration.)
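The Hcook/Lcook handling of slides 7, 8 and 12 (issue a cookie pair, keep the Hcook in the DB of Hcook, consume it on use and refuse a copy presented a second time), as an added example that is not code from the original presentation or from the PAPI project. It assumes a constructed PoA key, an HMAC-based stand-in for the E() cipher, and that the user assertion has already arrived via a validated signed URL from the AS.

```python
import hashlib, hmac, json, os, secrets

# Constructed demo key (assumption): the Point of Access's own cookie key.
# encrypt()/decrypt() are a stand-in for the E() cipher on slide 8
# (HMAC-SHA256 counter-mode keystream, encrypt-then-MAC), not PAPI's own code.
POA_KEY = b"constructed-poa-cookie-key"

def _xor(key, nonce, data):  # keystream derived from HMAC(key, nonce || counter)
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt(key, fields):  # returns a hex cookie value: nonce || ciphertext || tag
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(fields, sort_keys=True).encode())
    return (nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()).hex()

def decrypt(key, cookie):  # None if the tag does not verify (tampered cookie)
    raw = bytes.fromhex(cookie)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return json.loads(_xor(key, nonce, ct))

class PointOfAccess:
    def __init__(self, server, path):
        self.server, self.path = server, path
        self.hcook_db = set()  # "DB of Hcook": cookies issued and not yet consumed

    def issue(self, assertion, exp_time, now):
        """Hcook: E(user assertion + server + path + Exp. Time + Random Block);
        Lcook: E(server + path + creation time)."""
        hcook = encrypt(POA_KEY, {"assertion": assertion, "server": self.server, "path": self.path,
                                  "exp": exp_time, "rnd": secrets.token_hex(8)})
        lcook = encrypt(POA_KEY, {"server": self.server, "path": self.path, "created": now})
        self.hcook_db.add(hcook)
        return hcook, lcook

    def check(self, hcook, now):
        """Per request: the Hcook must be in the DB and unused. It is consumed and a fresh
        pair returned, so a copied cookie presented a second time (slide 7) is refused."""
        if hcook not in self.hcook_db:
            return None  # unknown, forged or already used (replay / collision)
        self.hcook_db.discard(hcook)
        data = decrypt(POA_KEY, hcook)
        if (data is None or data["server"] != self.server
                or data["path"] != self.path or now > data["exp"]):
            return None
        return self.issue(data["assertion"], data["exp"], now)
```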
Slide 13. Access point features
- Powerful access rules
- Authorization engine connection: SPOCP
- Implementation as an access control module or as a front end server
- Powerful and very well tested web front end implementation: Tomcat aware, Apache aware, PHP aware, AJAX compatible
Slide 14. GPoA (Group Point of Access)
PoA aggregator: independence between the AS and the services.
(Diagram: the HTTP client authenticates against the PAPI AS; the GPoA holds the keys and issues a GPoA assertion that the PoAs behind it accept.)
Slide 15. Federation
(Diagram: PoAs, GPoAs and ASs of several organizations linked through GPoAs.)
Slide 16. Federation features
- Scalable user management
- Easy integration of new organizations
- New services do not need to be known by the rest of the organizations
- Possibility of integrating different technologies and solutions
- Distributed risk -> more secure
- User mobility
- Data and application sharing
Slide 17. Configurations of PAPI
Slide 18. Internal access to external services
(Diagram: an internal HTTP client sends authentication data to the authentication server (backed by LDAP) and receives temporal tokens, then uses them against external web servers.)
Slide 19. Internal access to internal resources
(Diagram: an internal HTTP client sends authentication data to the AS (backed by LDAP), receives temporal tokens and uses them against the internal web servers.)
Slide 20. Internal access to internal resources II
(Diagram: the same flow with the HTTP client, the authentication server backed by LDAP, temporal tokens and the internal web servers.)
Slide 21. External access to internal resources (federation)
(Diagram: an external HTTP client sends authentication data to its authentication server (backed by LDAP), receives temporal tokens and uses them against the internal web servers.)
Slide 22. External access to internal resources (federation), continued
(Diagram: the same flow with the HTTP client, the authentication server backed by LDAP, temporal tokens and the internal web servers.)
Slide 23. CEA - CIEMAT - IST federation
(Diagram: two organizations, each with an HTTP client, a web server and an authentication server issuing temporal tokens, one backed by LDAP and the other by SQL, joined through a GPoA with a WAYF.)
Slide 24. So, what is PAPI?
A distributed single sign-on federation enabling an AuthN, AuthZ and accounting system:
- Shibboleth compatible
- Athens compatible
- eduGAIN compatible
- JAAS compatible
- Java JNLP aware
- XML-RPC aware
Slide 25. High availability
Real PAPI installation at the Spanish UNED university.