
PAPI: Simple and Ubiquitous Access to Internet Information Services

PAPI: Simple and Ubiquitous Access to Internet Information Services. JISC/CNI Conference, Edinburgh, 27 June 2002. Outline: requirements on AA (Authentication and Authorization) technologies; the PAPI components; the PAPI protocol; application scenarios; current status and ongoing work.


Presentation Transcript


  1. PAPI: Simple and Ubiquitous Access to Internet Information Services JISC/CNI Conference - Edinburgh, 27 June 2002

  2. Outline • Requirements on AA (Authentication and Authorization) technologies • The PAPI components • The PAPI protocol • Application scenarios • Current status and ongoing work

  3. Requirements on AA technologies • Preserve user privacy • Do not interfere with provider rights and accounting procedures • Do not impose management burdens on either providers or consumers • Fully permit user mobility • Transparency to the user • Compatibility with other access control systems • Web based, although extensible to other access technologies

  4. What is PAPI • PAPI enables distributed access control to information resources across the Internet • Authentication is performed locally, at the organization the user belongs to • Authorization is fully controlled by the provider • Based on standard HTTP procedures and public key cryptography • Does not require specific hardware or software

  5. The components of PAPI • The Authentication Server (AS) • Provides users with a (local) single authentication point • The Point of Access (PoA) • Performs actual access control by means of temporary cryptographic tokens, encoded as HTTP cookies • The Group-wide Point of Access (GPoA) • Combines a group of PoAs with similar access policies • Intended to simplify AS-PoA interactions

  6. The Authentication Server • Verifies user identity and rights • Each of these verifications is independently performed • Directories play a key role in rights management • Builds a set of digitally signed assertions about the user • According to privacy preservation rules • Sends the assertions to the appropriate (G)PoAs • By means of references to objects embedded in HTML

  7. The Point of Access • Evaluates assertions received from the AS • Verifying the signature and matching against any defined filter • If the assertion is acceptable, produces an initial pair of access tokens • If the request comes with access tokens, evaluates them • Access is granted only to requests carrying valid tokens • Two classes of tokens (long- and short-lived) to prevent unauthorized access by cookie copying

  8. The Group-wide Point of Access • A PoA that receives a request without access tokens can redirect it to a GPoA • The GPoA analyzes these requests • If valid, the PoA receives a signed assertion from its GPoA • The PoA processes it as if it came from any other AS • The hierarchy may be extended indefinitely • Trust management is simplified • An AS needs only to know about the GPoA • PoAs may be added under a GPoA without configuring them for valid ASes

  9. The PAPI base protocol [diagram: the Browser sends Authentication Data to the Authentication Server and receives Signed Assertions; it presents a Signed Assertion to each Point of Access (PoA1, PoA2) and receives Access Tokens from each, which it carries on subsequent requests to that PoA]

  10. The GPoA protocol [diagram: the Browser sends Auth data to the PAPI AS and receives Assertions for the GPoA, which answers with GPoA Access Tokens; a request to a PoA without tokens is redirected (302) to the GPoA, which redirects back to the PoA with "302 + Data" (the signed assertion for that PoA); the PoA then issues its own PoA Access Tokens, shown as "302 + Tokens"]
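The AS, PoA and GPoA roles of slides 6 to 10, as an added example in Go that is not part of the original presentation and not PAPI's own code (PAPI itself runs on Apache, slide 14). The page says only that assertions are signed with public-key cryptography and that access tokens come in a long-lived and a short-lived class. Ed25519, the `issuer|attrs|expires` assertion layout, the `k=v;k=v` attribute strings, integer unix-second timestamps and the decision to keep the currently valid short-lived token for each session on the PoA side are this example's assumptions, and every host name used with it is hypothetical. A PoA accepts an assertion only from an issuer whose key it holds, checks signature, expiry and its local filter, then issues a long-lived session token and a short-lived token that is replaced on every request; a GPoA accepts assertions from the ASes it knows and re-signs them with its own key, so the PoAs below it need only the GPoA key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// Assertion: user attributes, expiry (unix seconds) and an Ed25519 signature by the issuing
// AS (or a GPoA re-signing for its PoAs). The layout is this example's, not PAPI's format.
type Assertion struct {
	Issuer, Attrs string
	Expires       int64
	Sig           []byte
}

func (a Assertion) payload() []byte { return []byte(fmt.Sprintf("%s|%s|%d", a.Issuer, a.Attrs, a.Expires)) }

// Issue is the AS's job once the user is verified (slide 6). A GPoA calls it with its own key.
func Issue(issuer string, key ed25519.PrivateKey, attrs string, ttl, now int64) Assertion {
	a := Assertion{Issuer: issuer, Attrs: attrs, Expires: now + ttl}
	a.Sig = ed25519.Sign(key, a.payload())
	return a
}

func randHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

type session struct {
	expires int64  // lifetime of the long-lived token
	short   string // the one short-lived token currently honoured
}

// PoA (slide 7): trusted issuer keys, the provider's filter (an attribute the assertion must
// carry) and live sessions keyed by long-lived token. Nothing about the user is stored.
type PoA struct {
	Trusted  map[string]ed25519.PublicKey
	Require  string
	sessions map[string]*session
}

func NewPoA(require string) *PoA {
	return &PoA{Trusted: map[string]ed25519.PublicKey{}, Require: require, sessions: map[string]*session{}}
}

// Accept: known issuer, valid signature, not expired, filter satisfied.
func (p *PoA) Accept(a Assertion, now int64) bool {
	pub, ok := p.Trusted[a.Issuer]
	return ok && now < a.Expires && ed25519.Verify(pub, a.payload(), a.Sig) && strings.Contains(a.Attrs, p.Require)
}

// Admit turns an acceptable assertion into the initial token pair (both are sent as cookies).
func (p *PoA) Admit(a Assertion, ttl, now int64) (long, short string, ok bool) {
	if !p.Accept(a, now) {
		return "", "", false
	}
	long = randHex(16)
	p.sessions[long] = &session{expires: now + ttl, short: randHex(16)}
	return long, p.sessions[long].short, true
}

// Check evaluates a request's tokens and returns the next short-lived token. A stale short
// token beside a live long token means the pair is in use from two places (it was copied),
// so the session is ended rather than served to either party.
func (p *PoA) Check(long, short string, now int64) (next string, ok bool) {
	s := p.sessions[long]
	if s == nil || now >= s.expires {
		return "", false
	}
	if s.short != short {
		delete(p.sessions, long)
		return "", false
	}
	s.short = randHex(16)
	return s.short, true
}

// GPoA (slide 8): accepts assertions from the ASes it knows, like any PoA, and re-signs them
// with its own key, so the PoAs below it need to trust only the GPoA.
type GPoA struct {
	*PoA
	Name string
	Key  ed25519.PrivateKey
}

func (g *GPoA) Relay(a Assertion, now int64) (Assertion, bool) {
	if !g.Accept(a, now) {
		return Assertion{}, false
	}
	return Issue(g.Name, g.Key, a.Attrs, a.Expires-now, now), true
}
```

Wiring, for an institution AS, a provider GPoA and one PoA behind it: generate an Ed25519 key pair for each signer, put the AS public key in the GPoA's Trusted map under the AS name and the GPoA public key in the PoA's Trusted map under the GPoA name (the PoA never learns the AS key), then Issue at the AS, Relay at the GPoA, Admit at the PoA and Check on every following request with the current unix time. A copied cookie pair is caught the moment both the real browser and the copy present tokens: whichever arrives second carries a short-lived token the PoA has already replaced, and the PoA ends the session for both rather than guessing which one is the user. The price is that the PoA is stateful; a stateless PoA would have to MAC its tokens and could not tell a superseded token from the current one.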

  11. Application scenarios: Datacenter [diagram: Institution A and Institution B each run a Directory and an Authentication Server; the Datacenter runs a GPoA in front of several PoAs, each guarding a Web Server]

  12. Application scenarios: Access to local and remote services [diagram: one Institution with a Directory, an Authentication Server and a GPoA; PoAs guard the Institution's own Web Server and the Web Servers of Provider A and Provider B]

  13. Application scenarios: Centralized service [diagram: Institution A (Directory, GPoA A) and Institution B (Directory, GPoA B), a single Authentication Server, and Provider A and Provider B each running Web Servers guarded by PoAs]

  14. Current status • Version 1.1 in production • Available as open source from http://www.rediris.es/app/papi/ • Runs on Apache servers • Authentication modules based on POP3, LDAP and index files • Version 1.2 about to be released • Includes ISAPI (Microsoft IIS) support • Enhanced proxy functionality • Simpler configuration • Growing installed base • Gaining experience on requirements and applicability

  15. Ongoing work • Alignment with other AA initiatives • Use of standard languages (SAML) for assertions and normalization of attributes • In the framework of the TF-AACE group • In collaboration with Internet2 (Shibboleth) • Dynamic assertion evaluation • Based on attribute queries made by (G)PoAs and answered by the AS • Running on top of Web Services (SOAP) • Performance enhancements • Going beyond the Web • Use of the AA model for other applications: videoconferencing, Grid services, ...
