Published by Edmund Welch. Modified over 8 years ago.
1
PAPI-PERMIS Integration Project Proposal
David Chadwick
d.w.chadwick@salford.ac.uk
2
Background

PAPI is a Web-based protocol for carrying authentication and authorisation credentials between different sites. It is being used and/or piloted at several sites including the library services of the Spanish National Research Council (CSIC), the University of Seville, the University of Edinburgh, the University of London Library and the JT-II Nuclear Fusion Facility. PAPI is written in Perl.

PERMIS is a policy-based authorisation infrastructure that uses X.509 attribute certificates as the privileges given to users. Built under the EC PERMIS project, it has been validated in pilots in the US and Europe. PERMIS is now distributed as part of the US NSA Middleware Initiative (NMI) release 3. PERMIS is written in Java.
3
Existing PAPI Infrastructure

[Diagram. Components: User, Authentication Server, GPoA, PoA. Labels: Keys, Hcook-Lcook, 302 + Hcook, 302 + data.]
4
Existing PERMIS Infrastructure

[Diagram. Components: Initiator, AEF, ADF, Target, Authentication Service, PKI, LDAP Directories, The PERMIS PMI API, PERMIS API Implementation. Flows: Submit Access Request, Present Access Request, Decision Request, Decision, Retrieve Policy and Role ACs (pull), Retrieve Role ACs (push).]
5
Integration of PAPI and PERMIS

– PAPI will carry authorisation URLs from the user's home site to PERMIS at the target site
– PAPI and PERMIS will be given a SAML interface conformant to the spec currently being defined by GGF
– PERMIS will retrieve X.509 ACs from the user's home site
– PERMIS will be used to protect privacy at the user's home site according to an Attribute Release Policy, so that only the necessary ACs are released to the target site
– A multilingual, user-friendly interface will be built for administrators to set the access control policies for their sites
6
PAPI-PERMIS Integration

[Diagram. Components: User, Authentication Server, GPoA, PoA, Home LDAP Directory, PERMIS Gateway, Attribute Release Policy, SAML Interface, PERMIS API Implementation, ADF, PKI, Access Control Policy, Target's LDAP Directory. Labels: Hcook-Lcook, 302 + Hcook, 302 + short-lived URL cookie, Keys plus URL of home LDAP, URL from cookie + access request, Granted/denied, Retrieve User's ACs.]
7
Partners

RedIRIS will
– add the SAML interface to PAPI,
– modify the authentication server to add the local LDAP URI to it,
– modify GPoA to add short-lived URIs to the cookies

University of Malaga will
– build a multilingual, user-friendly interface for setting access control policies at target sites
– build attribute release policy modules to plug into the Privilege Allocator

University of Salford will
– add the SAML interface to PERMIS and to its Privilege Allocator, and
– modify PERMIS to accept a URI from where to fetch ACs
– integrate University of Malaga's modules into PERMIS
8
Costs

Total cost of €148,544 provided by
– RedIRIS €43,500
– University of Salford €24,644
– University of Malaga €24,000
– TERENA and NRENs €56,400

This means we are looking for 4 or 5 NRENs to pay approx €10,000 each, plus a contribution from TERENA.