Presentation is loading. Please wait.

Presentation is loading. Please wait.

PAPI Points of Access to Providers of Information.

Published byKatherine Shaw Modified over 9 years ago

Similar presentations

Presentation on theme: "PAPI Points of Access to Providers of Information."— Presentation transcript:

1 PAPI Points of Access to Providers of Information

2 Index Main requirements Interactions Components Configurations

3 Main requirements 1.Access control independent from IP origin. 2.After a successful authentication, access is given during a limited period of time to all services that he/she is authorized to. 3.User mobility 4.Transparent to the user 5.Compatible with other common access control systems 6.Compatible with Netscape/MSIE browsers 7.Privacy is guaranteed at the user level 8.Easy to integrate into different authentication systems 9.Scalable and easy management

4 Interactions in PAPI

5 Basic interaction diagram Client credentials -> encrypted cookies Point of Access -> access control element Web browser Authentication data Web Server S1 Web page Authentication Server Temporal Encrypt-cookies Encry-cookie S1 Encry-cookie S2 Encry-cookie S3 HTTP request + Encry-cookie S1 Point of Access HTTP request Web page

6 Approximation: Partial Solutions Each Point of Access generate its credential based on signed URL Web browser Authentication data Authentication Server Encry-cookie S1 Encry-cookie S2 Encry-cookie S3 Point of Access Point of Access Temporal Signed-URLs Signed-URL Encry-cookie

7 Approximation: Partial Solutions Web Browser 1 Encry-cookie S1 Point of Access zCopy of cokies -> Data base of cookies Sort time review Web Browser 2 Encry-cookie S1 HTTP request + Encry-cookie S1 Web Server S1 HTTP request Web page DB of Enc-cookie Web page + New Enc-cook S1 New Enc-cook S1 HTTP request + Encry-cookie S1 Colision

8 Architecture of PAPI system Web browser Authentication data Authentication Server Encry-cookies Temporal Signed-URLs Web page + Hcook+Lcook HTTP request + Hcook+Lcook Point of Access Web Server S1 HTTP request Web page DB of Hcook  URL: K_priv SA (user code + server + path + Exp. Time + sign time)  Hcook: E(user assertion + server + path + Exp. Time + Random Block)  Lcook: E(server + path + creation time)

9 Components of PAPI

10 Authentication server Authentication module Web browser Authentication data List of certified URLs Authentication Server interface Authentication data OK / Error Site database module Authentication data List of authorized sites Base of users, departments, etc

11 Authentication server features Flexible: Adaptable to any authentication mechanism  LDAP, SQL, Berkeley DB, Client certificates, … Configurable user assertions  User_Id, Groups, roles, projets, security level, … Easy to integrate at portal level Configurable answers and actions  Lists of authorized sites  Personalized views  Redirections

12 Access Point Interface Web + (New Hcook + new Lcook) HTTP Req+ HCook +LCook Check cook1 module Hcook New Hcook + new Lcook Data Base of Hcook HTTP Req Web page HTTP resolve module Rewrite URL module Web page zInverse proxy configuration

13 Access point features Powerful access rules Authorization engines connection  SPOCP Implementation as access control module or front end server Powerful and very tested web front end implementation TOMCAT aware Apache aware PHP aware AJAX compatible

14 GPoA (Group Point of Access) Cliente HTTP Authentication PAPI AS Keys GPoA PoA GPoA assertion PoA PoA aggregator: Independency between AS and services PoA

15 Federation PoA GPoAAS GPoAPoA GPoA

16 Federation features - Scalable user management - Easy integration of new organizations - New services do not need to be known by the rest of the orgs. - Possibility of integration of different technologies and solutions - Distributed risk -> more secure - Users mobility - Data and applications sharing

17 Configurations of PAPI

18 Internal access to external services HTTP Client Web server Authentication server Temporal tokens Web server Web server Authentication Data LDAP Client HTTP

19 Internal access to internal resources HTTP Client Web server AS Temporal Tokens Web server Web server Authentication data LDAP

20 Internal access to internal resources II HTTP Client Web server Servidor de Autenticaci ó n Temporal tokens Web server Web server Authentication data LDAP Cliente HTTP

21 External access to internal resources (federation) HTTP Client Web serever Authentication server Temporal tokens Web server Web server Authentication data LDAP

22 External access to internal resources (federation) HTTP Client Web server Servidor de Autenticaci ó n Temporal tokens Web server Web server Authentication data LDAP

23 CEA - CIEMAT - IST Federation HTTP Client Web server Authentication server Temporal tokens Web server Authentication Data LDAP HTTP Client Web server Authentication server Temporal tokens Web server Authentication Data SQL GPoAWAYF

24 So, What is PAPI? Single Sign On Distributed Federation enabling AuthN, AuthZ, Accounting system:  Shibboleth compatible  Athens compatible  eduGAIN compatible  JAAS comaptible  JAVA-JNLP aware  XML-RPC aware

25 High Availability Real PAPI installation in Spanish UNED university

Download ppt "PAPI Points of Access to Providers of Information."

Similar presentations

Distributed Access Control System

Distributed Access Control System
Welcome to Middleware Joseph Amrithraj

Welcome to Middleware Joseph Amrithraj
ELAG Trondheim 2004 1 Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway.

ELAG Trondheim Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway.
Secure Sockets Layer eXtended (SSLX) Next Generation Internet Security Overview Presentation April 2011.

Secure Sockets Layer eXtended (SSLX) Next Generation Internet Security Overview Presentation April 2011.
SWIM WEB PORTAL by Dipti Aswath SWIM Meeting ORNL Oct 15-17, 2007.

SWIM WEB PORTAL by Dipti Aswath SWIM Meeting ORNL Oct 15-17, 2007.
EFDA Federation PAPI based federation as a test-bed for a common security infrastructure in EFDA sites R. Castro, J. Vega, A. Portas, D. R. López, S. Balme,

EFDA Federation PAPI based federation as a test-bed for a common security infrastructure in EFDA sites R. Castro, J. Vega, A. Portas, D. R. López, S. Balme,
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
The EC PERMIS Project David Chadwick

The EC PERMIS Project David Chadwick
Design of Web-based Systems IS Development: lecture 10.

Design of Web-based Systems IS Development: lecture 10.
GGF Toronto 19.02.02 Spitfire A Relational DB Service for the Grid Peter Z. Kunszt European DataGrid Data Management CERN Database Group.

GGF Toronto Spitfire A Relational DB Service for the Grid Peter Z. Kunszt European DataGrid Data Management CERN Database Group.
DATABASE APPLICATION DEVELOPMENT SAK 3408 The Web and DBMS.

DATABASE APPLICATION DEVELOPMENT SAK 3408 The Web and DBMS.
A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.

A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.
Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?

Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
Alcatel Identity Server Alcatel SEL AG. Alcatel Identity Server — 2 All rights reserved © 2004, Alcatel What is an Identity Provider?  

Alcatel Identity Server Alcatel SEL AG. Alcatel Identity Server — 2 All rights reserved © 2004, Alcatel What is an Identity Provider?  
SQL Forms Engine Koifman Eran Egri Ozi Supervisor: Ilana David.

SQL Forms Engine Koifman Eran Egri Ozi Supervisor: Ilana David.
IST346:  Web Services. Today’s Agenda  Learn the basics of how the Web works  Understand various web service architectures  Address scaling, security,

IST346:  Web Services. Today’s Agenda  Learn the basics of how the Web works  Understand various web service architectures  Address scaling, security,
E-Commerce The technical side. LAMP Linux Linux Apache Apache MySQL MySQL PHP PHP All Open Source and free packages. Can be installed and run on most.

E-Commerce The technical side. LAMP Linux Linux Apache Apache MySQL MySQL PHP PHP All Open Source and free packages. Can be installed and run on most.
Catania Science Gateway Framework Motivations, architecture, features Catania, 09/06/2014Riccardo Rotondo

Catania Science Gateway Framework Motivations, architecture, features Catania, 09/06/2014Riccardo Rotondo

Similar presentations

Ads by Google