PAPI Points of Access to Providers of Information


Page 1: PAPI Points of Access to Providers of Information


Page 2

Index

Main requirements

Interactions

Components

Configurations

Page 3

Main requirements

1. Access control independent from IP origin.

2. After a successful authentication, access is granted for a limited period of time to all services the user is authorized to use.

3. User mobility

4. Transparent to the user

5. Compatible with other common access control systems

6. Compatible with Netscape/MSIE browsers

7. Privacy is guaranteed at the user level

8. Easy to integrate into different authentication systems

9. Scalable and easy management

Page 4

Interactions in PAPI

Page 5

Basic interaction diagram

Client credentials -> encrypted cookies

Point of Access -> access control element

[Diagram: the web browser sends authentication data to the Authentication Server and receives a web page carrying temporal encrypted cookies (Encry-cookie S1, Encry-cookie S2, Encry-cookie S3). An HTTP request with Encry-cookie S1 goes to the Point of Access in front of Web Server S1, which forwards the HTTP request to the server and returns the web page to the browser.]

Page 6

Approximation: Partial Solutions

Each Point of Access generates its credential based on a signed URL.

[Diagram: the web browser sends authentication data to the Authentication Server and receives temporal signed URLs; each signed URL is presented to a Point of Access, which in turn sets its own encrypted cookie (Encry-cookie S1, S2, S3).]

Page 7

Approximation: Partial Solutions

Copy of cookies -> database of cookies, short-time review

[Diagram: Web Browser 1 and Web Browser 2 both hold Encry-cookie S1. An HTTP request with Encry-cookie S1 reaches the Point of Access, which checks the cookie against its DB of Enc-cookie, forwards the HTTP request to Web Server S1 and returns the web page together with a new Enc-cook S1. A later HTTP request still carrying the old Encry-cookie S1 is detected as a collision.]

Page 8

Architecture of PAPI system

[Diagram: the web browser sends authentication data to the Authentication Server and receives encrypted cookies and temporal signed URLs. The web page is returned with Hcook + Lcook; each HTTP request carries Hcook + Lcook to the Point of Access in front of Web Server S1, which checks them against its DB of Hcook, forwards the HTTP request and returns the web page.]

URL: K_priv SA (user code + server + path + Exp. Time + sign time)

Hcook: E(user assertion + server + path + Exp. Time + Random Block)

Lcook: E(server + path + creation time)
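A working model of these three credentials and of the Hcook database from the previous slide, added here as an example (not PAPI's own code): HMAC-SHA256 stands in for the AS private-key signature K_priv SA and for the cookie encryption E(), the keys and field names are constructed, and the Point of Access accepts each Hcook exactly once, so a copied or replayed Hcook is refused as a collision.

```python
import hmac, hashlib, json, secrets

# Constructed keys. HMAC-SHA256 stands in for the AS signature K_priv SA and for
# the PoA cookie encryption E(); a real PoA uses a public-key signature and
# authenticated encryption, but the single-use Hcook logic is the same.
AS_KEY = b"constructed-as-signing-key"
POA_KEY = b"constructed-poa-cookie-key"

def _seal(key, fields):
    body = json.dumps(fields, sort_keys=True)
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def _open(key, token):
    body, _, tag = token.rpartition(".")
    good = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.loads(body) if hmac.compare_digest(good, tag) else None

def as_sign_url(user_code, server, path, exp_time, sign_time):
    """AS side: URL = K_priv SA (user code + server + path + Exp. Time + sign time)."""
    return _seal(AS_KEY, {"user": user_code, "server": server, "path": path,
                          "exp": exp_time, "signed": sign_time})

class PointOfAccess:
    def __init__(self, server):
        self.server = server
        self.hcook_db = set()   # DB of Hcook: cookies issued and not yet spent

    def _issue(self, assertion, path, exp, now):
        # Hcook: E(user assertion + server + path + Exp. Time + Random Block)
        hcook = _seal(POA_KEY, {"assertion": assertion, "server": self.server,
                                "path": path, "exp": exp, "rnd": secrets.token_hex(8)})
        # Lcook: E(server + path + creation time)
        lcook = _seal(POA_KEY, {"server": self.server, "path": path, "created": now})
        self.hcook_db.add(hcook)
        return hcook, lcook

    def accept_signed_url(self, signed_url, now):
        """First hit: verify the AS signature, target server and expiry, then set cookies."""
        f = _open(AS_KEY, signed_url)
        if f is None or f["server"] != self.server or now > f["exp"]:
            return None
        return self._issue(f["user"], f["path"], f["exp"], now)

    def handle_request(self, hcook, lcook, now):
        """Every request: Hcook must verify, be unexpired and unspent; then rotate it."""
        h, l = _open(POA_KEY, hcook), _open(POA_KEY, lcook)
        if h is None or l is None or h["server"] != self.server or now > h.get("exp", -1):
            return None
        if hcook not in self.hcook_db:
            return None   # already spent: a copied or replayed cookie (the collision case)
        self.hcook_db.discard(hcook)
        return self._issue(h["assertion"], h["path"], h["exp"], now)
```

The Hcook set models the per-PoA "DB of Hcook"; the sign time in the URL is carried but not checked here, so the AS expiry is the only time bound enforced.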

Page 9

Components of PAPI

Page 10

Authentication server

[Diagram: the web browser submits authentication data to the Authentication Server interface. An authentication module checks it against the base of users, departments, etc. and answers OK / Error; a site database module returns the list of authorized sites, which the browser receives as the list of certified URLs.]

Page 11

Authentication server features

- Flexible: adaptable to any authentication mechanism (LDAP, SQL, Berkeley DB, client certificates, ...)

- Configurable user assertions (User_Id, groups, roles, projects, security level, ...)

- Easy to integrate at portal level

- Configurable answers and actions: lists of authorized sites, personalized views, redirections

Page 12

Access Point

[Diagram: the Access Point interface receives HTTP Req + HCook + LCook. A check-cookie module validates them against the Data Base of Hcook and issues a new Hcook + new Lcook; an HTTP resolve module forwards the HTTP Req to the web server; a rewrite URL module processes the returned web page, which is delivered to the client together with the new Hcook + new Lcook.]

Reverse proxy configuration

Page 13

Access point features

- Powerful access rules

- Connection to authorization engines (SPOCP)

- Implementation as access control module or as front-end server

- Powerful and well-tested web front-end implementation: Tomcat aware, Apache aware, PHP aware, AJAX compatible

Page 14

GPoA (Group Point of Access)

[Diagram: the HTTP client authenticates against the PAPI AS; the GPoA, holding its own keys, issues a GPoA assertion to the PoAs grouped behind it.]

PoA aggregator: independence between AS and services

Page 15

Federation

[Diagram: two GPoAs, each with its AS and several PoAs, federated with each other.]

Page 16

Federation features

- Scalable user management

- Easy integration of new organizations

- New services do not need to be known by the rest of the orgs.

- Possibility of integration of different technologies and solutions

- Distributed risk -> more secure

- User mobility

- Data and applications sharing

Page 17

Configurations of PAPI

Page 18

Internal access to external services

[Diagram: HTTP clients, an authentication server issuing temporal tokens with authentication data in LDAP, and external web servers.]

Page 19

Internal access to internal resources

[Diagram: HTTP client, AS issuing temporal tokens with authentication data in LDAP, and internal web servers.]

Page 20

Internal access to internal resources II

[Diagram: HTTP clients, authentication server issuing temporal tokens with authentication data in LDAP, and internal web servers.]

Page 21

External access to internal resources (federation)

[Diagram: HTTP client, web servers, authentication server issuing temporal tokens with authentication data in LDAP.]

Page 22

External access to internal resources (federation)

[Diagram: HTTP client, web servers, authentication server issuing temporal tokens with authentication data in LDAP.]

Page 23

CEA - CIEMAT - IST Federation

[Diagram: two organizations, each with HTTP clients, web servers and an authentication server issuing temporal tokens; one keeps its authentication data in LDAP, the other in SQL. They are joined through a GPoA and a WAYF.]

Page 24

So, what is PAPI?

- Single Sign On

- Distributed

- Federation enabling

- AuthN, AuthZ, Accounting system: Shibboleth compatible, Athens compatible, eduGAIN compatible, JAAS compatible, Java JNLP aware, XML-RPC aware

Page 25

High Availability

Real PAPI installation at the Spanish university UNED