Presentation is loading. Please wait.

Presentation is loading. Please wait.

The PAPI System Point of Access to Providers of Information

Published byHollie Anthony Modified over 9 years ago

Similar presentations

Presentation on theme: "The PAPI System Point of Access to Providers of Information"— Presentation transcript:

1 The PAPI System Point of Access to Providers of Information http://www.rediris.es/app/papi/

2 PAPI - 2rodrigo.castro@rediris.es/ diego.lopez@rediris.es Outline zIntroduction zRequirements zApproximations to a solution zConfigurations zArchitecture of the PAPI system zImplementation zFuture lines

3 PAPI - 3rodrigo.castro@rediris.es/ diego.lopez@rediris.es The origin zMeeting between library consortia and content providers zOriginal problem to solve: access control by IP address zRedIRIS committed to provide a solution zOrganizations: ySpanish library consortia yCICA, CSIC, UAM, UOC, UPM, CBUC yContent providers ySILVERPLATTER yGREENDATA yEBSCO ySWETS yARANZADI

4 PAPI - 4rodrigo.castro@rediris.es/ diego.lopez@rediris.es Requirements zAccess control independent from IP origin zUpon successful local authentication, access must be granted during a configurable period of time to the services that the user is authorized to zUser mobility zTransparency to the user zCompatibility with other commonly employed access control systems zCompatibility with Netscape/MSIE/Lynx browsers zPrivacy at the user level, while easing the collection of statistics by providers

5 PAPI - 5rodrigo.castro@rediris.es/ diego.lopez@rediris.es Approximation: Temporary Certificates Web browser Authentication data Web Server S1 Web page Authentication Server Temporary Certificates Certificate S1 Certificate S2 Certificate S3 HTTP request + Certificate S1 Web Server S2 HTTP request + Certificate S2 Web page Advantages:  Temporary access to authorized services  Allows user mobility  Authentication is local to user’s organization  Technology implemented in main web servers Problems:  NOT TRANSPARENT  Password in browser DB  Choice of the right certificate  Inf. providers not adapted to this technology  Does not detect certificate duplication

6 PAPI - 6rodrigo.castro@rediris.es/ diego.lopez@rediris.es Approximation: Partial Solutions zNo transparency -> encrypted cookies Web browser Authentication data Web Server S1 Web page Authentication Server Temporary Encrypt-cookies Encry-cookie S1 Encry-cookie S2 Encry-cookie S3 HTTP request + Encry-cookie S1 Point of Access HTTP request Web page zWeb servers not adapted -> Points of Access Advantages:  Temporary access to authorized services  Allows user mobility  Authentication is local to user’s organizations  Access control is adapted to current web servers of content providers  Transparent to the user Problems:  Domain-name problems when loading cookies  Does not detect cookie copying

7 PAPI - 7rodrigo.castro@rediris.es/ diego.lopez@rediris.es Approximation: Partial Solutions zDomain-name problems when loading cookies -> Cookies served by PoAs Web browser Authentication data Authentication Server Encry-cookie S1 Encry-cookie S2 Encry-cookie S3 Point of Access Point of Access Temporary Signed-URLs Signed-URL Encry-cookie

8 PAPI - 8rodrigo.castro@rediris.es/ diego.lopez@rediris.es Approximation: Partial Solutions Web Browser 1 Encry-cookie S1 Point of Access zCookie copying -> Database of cookies Short expiration time Web Browser 2 Encry-cookie S1 HTTP request + Encry-cookie S1 Web Server S1 HTTP request Web page DB of Enc-cookie Web page + New Enc-cook S1 New Enc-cook S1 HTTP request + Encry-cookie S1 Collision

9 PAPI - 9rodrigo.castro@rediris.es/ diego.lopez@rediris.es Architecture of the PAPI system Web browser Authentication data Authentication Server Encry-cookies Temporary Signed-URLs Web page + New Hcook+Lcook HTTP request + Hcook+Lcook Point of Access Web Server S1 HTTP request Web page Hcook DB  URL: K_priv_AS (user code + server + path + Exp. Time + sign time)  Hcook: K1_PA (user code + server + path + Exp. Time + Random Block)  Lcook: K2_PA (user code + server + path + creation time)

10 PAPI - 10rodrigo.castro@rediris.es/ diego.lopez@rediris.es Configurations Web browser Web Server Authentication Server Point of Access Web Server Point of Access Authentication Server Point of Access Point of Access Authentication Server Authentication Server Point of Access Web Server Point of Access User's OrganizationInformation Provider

11 PAPI - 11rodrigo.castro@rediris.es/ diego.lopez@rediris.es Implementation zStatus: Version 1.0.0 yAvailable at http://www.rediris.es/app/papi/dist.en.html zCrypt functions: yOpenSSL zAuthentication modules yLocal auth, LDAP, POP3 zPoints of Access ymod_perl yApache virtual servers

12 PAPI - 12rodrigo.castro@rediris.es/ diego.lopez@rediris.es Future Lines zEnhancement of statistic collection at PoAs zMore general implementation yServlet(s) zManagement tools (both for AS and PoA) zInteraction with information access software zAlign to similar initiatives yAuthentication objects yAlternative protocols for exchanging them ySPARTA, Shibboleth

13 PAPI - 13rodrigo.castro@rediris.es/ diego.lopez@rediris.es Pilot of the system Information Providers AS: LDAP PoA: LISA DB (ERL) AS: POP PoA: Local DBs AS: POP PoA: Local DBs AS: Local PoA: MEDLINE (ERL)

Download ppt "The PAPI System Point of Access to Providers of Information"

Similar presentations

Inter WISP WLAN roaming

Inter WISP WLAN roaming
Authorisation Models for National Scale Services Alan Robiette Joint Information Systems Committee

Authorisation Models for National Scale Services Alan Robiette Joint Information Systems Committee
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Network Security.

Network Security.
Welcome to Middleware Joseph Amrithraj

Welcome to Middleware Joseph Amrithraj
Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.

Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
EFDA Federation PAPI based federation as a test-bed for a common security infrastructure in EFDA sites R. Castro, J. Vega, A. Portas, D. R. López, S. Balme,

EFDA Federation PAPI based federation as a test-bed for a common security infrastructure in EFDA sites R. Castro, J. Vega, A. Portas, D. R. López, S. Balme,
The EC PERMIS Project David Chadwick

The EC PERMIS Project David Chadwick
Why choose Drupal?

Why choose Drupal?
Progress Report 11/1/01 Matt Bridges. Overview Data collection and analysis tool for web site traffic Lets website administrators know who is on their.

Progress Report 11/1/01 Matt Bridges. Overview Data collection and analysis tool for web site traffic Lets website administrators know who is on their.
Alcatel Identity Server Alcatel SEL AG. Alcatel Identity Server — 2 All rights reserved © 2004, Alcatel What is an Identity Provider?  

Alcatel Identity Server Alcatel SEL AG. Alcatel Identity Server — 2 All rights reserved © 2004, Alcatel What is an Identity Provider?  
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.
APACHE SERVER By Innovationframes.com »

APACHE SERVER By Innovationframes.com »
Windows Server 2008 Chapter 8 Last Update 2012.05.31 1.0.0.

Windows Server 2008 Chapter 8 Last Update
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.

Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
X-Road (X-tee) A platform-independent secure standard interface between databases and information systems to connect databases and information systems.

X-Road (X-tee) A platform-independent secure standard interface between databases and information systems to connect databases and information systems.
1 Web Servers (IIS and Apache) Outline 9.1 Introduction 9.2 HTTP Request Types 9.3 System Architecture 9.4 Client-Side Scripting versus Server-Side Scripting.

1 Web Servers (IIS and Apache) Outline 9.1 Introduction 9.2 HTTP Request Types 9.3 System Architecture 9.4 Client-Side Scripting versus Server-Side Scripting.
Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.

Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.
10 May 2007 HTTP - - User data via HTTP(S) Andrew McNab University of Manchester.

10 May 2007 HTTP - - User data via HTTP(S) Andrew McNab University of Manchester.

Similar presentations

Ads by Google