PAPI-PERMIS Integration Project Proposal, David Chadwick (PowerPoint presentation)



SLIDE 1

PAPI-PERMIS Integration Project Proposal

David Chadwick d.w.chadwick@salford.ac.uk

SLIDE 2

Background

  • PAPI is a Web based protocol for carrying authentication and authorisation credentials between different sites. It is being used and/or piloted at several sites including the library services of the Spanish National Research Council (CSIC), the University of Seville, the University of Edinburgh, the University of London Library and the JT-II Nuclear Fusion Facility. PAPI is written in Perl.
  • PERMIS is a policy based authorisation infrastructure that uses X.509 attribute certificates (ACs) as the privileges given to users. Built under the EC PERMIS project, it has been validated in pilots in the US and Europe. PERMIS is now distributed as part of the US NSF Middleware Initiative (NMI) release 3. PERMIS is written in Java.

SLIDE 3

Existing PAPI Infrastructure

[Diagram. Components: User, Authentication Server (holding the site Keys), GPoA (Group Point of Access), PoA (Point of Access). Flow: the user authenticates to the Authentication Server, which sets the Hcook and Lcook cookies; the browser is redirected (302 + Hcook) via the GPoA to the PoA, which answers with 302 + data.]

SLIDE 4

Existing PERMIS Infrastructure

[Diagram. Components: Initiator, Target, AEF (access control enforcement function), ADF (access control decision function), Authentication Service, LDAP Directories, PKI, the PERMIS PMI API and its implementation. Flow: the Initiator submits an access request to the Target; the AEF presents the access request as a decision request to the ADF through the PERMIS PMI API and receives a decision; the ADF retrieves the policy and role ACs from the LDAP directories (pull) or is handed the role ACs by the initiator (push), validating them against the PKI.]

SLIDE 5

Integration of PAPI and PERMIS

  • PAPI will carry authorisation URLs from the user’s home site to PERMIS at the target site
  • PAPI and PERMIS will be given a SAML interface conformant to the spec currently being defined by GGF (Global Grid Forum)
  • PERMIS will retrieve X.509 ACs from the user’s home site
  • PERMIS will be used to protect privacy at the user’s home site according to an Attribute Release Policy, so that only the necessary ACs are released to the target site
  • A multi-lingual user friendly interface will be built for administrators to set the access control policies for their sites

SLIDE 6

PAPI-PERMIS Integration

[Diagram. Home site: User, Authentication Server (holding the Keys plus the URL of the home LDAP directory), GPoA, Home LDAP Directory with the user’s ACs and an Attribute Release Policy. Target site: PoA, PERMIS Gateway, SAML Interface, PERMIS API Implementation, ADF, PKI, Target’s LDAP Directory holding the Access Control Policy. Flow: as in the existing PAPI flow, the user authenticates and is redirected through the GPoA to the PoA (302 + Hcook/Lcook), but the final 302 now carries a short-lived URL cookie; the PoA passes the URL from the cookie plus the access request to the PERMIS Gateway, which retrieves the user’s ACs from the home LDAP directory over the SAML interface (filtered by the home site’s Attribute Release Policy), evaluates them against the target’s Access Control Policy with the PKI and ADF, and returns Granted/Denied.]

SLIDE 7

Partners

  • RedIRIS will
    – add the SAML interface to PAPI,
    – modify the authentication server to add the local LDAP URI to it,
    – modify GPoA to add short lived URIs to the cookies
  • University of Malaga will
    – build a multilingual user friendly interface for setting access control policies at target sites,
    – build attribute release policy modules to plug into the Privilege Allocator
  • University of Salford will
    – add the SAML interface to PERMIS and to its Privilege Allocator,
    – modify PERMIS to accept a URI from where to fetch ACs,
    – integrate University of Malaga’s modules into PERMIS
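The flow sketched in slides 5 to 7, written out as an added Python simulation for this page (it is not PAPI or PERMIS code, which are in Perl and Java, and is not part of the original proposal): the home site’s authentication server issues a short-lived, integrity-protected cookie carrying the user name and the home LDAP URL; the target PoA verifies it; the PERMIS gateway fetches the user’s ACs from that URL, subject to the home site’s attribute release policy, and decides against the target’s access control policy. The shared secret, cookie format, directory contents, both policies and all host names are assumptions for the example; the issuer allow-list stands in for the PKI signature check PERMIS performs on X.509 ACs.

```python
"""Assumed, illustrative model of the PAPI-PERMIS integration (not project code)."""
import base64
import hashlib
import hmac
import json
from urllib.parse import urlparse

# --- home site: authentication server / GPoA ---------------------------------
SITE_KEY = b"assumed-secret-shared-by-home-gpoa-and-target-poa"  # assumption
COOKIE_TTL = 60  # seconds: the "short lived URL cookie" of slide 6


def issue_url_cookie(user, home_ldap_url, now, key=SITE_KEY, ttl=COOKIE_TTL):
    """Build the short-lived cookie: base64(JSON payload).hex(HMAC-SHA256)."""
    payload = {"user": user, "ldap": home_ldap_url, "exp": now + ttl}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


# --- target site: PoA checks the cookie before PERMIS ever sees the URL ------
def verify_url_cookie(cookie, now, key=SITE_KEY):
    """Return the payload, or raise ValueError on a bad MAC or expiry."""
    body, _, mac = cookie.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad cookie MAC")
    payload = json.loads(base64.urlsafe_b64decode(body))
    if now > payload["exp"]:
        raise ValueError("cookie expired")
    return payload


# --- home site: LDAP directory plus attribute release policy -----------------
# Constructed sample directory: role ACs as (issuer, role) records.
HOME_DIRECTORY = {
    "ldap://home.example.org/": {
        "alice": [
            {"issuer": "cn=AA,o=home", "role": "researcher"},
            {"issuer": "cn=AA,o=home", "role": "payroll"},
        ],
    },
}
# Attribute release policy: which roles may be released to which target site.
RELEASE_POLICY = {"target.example.net": {"researcher"}}


def release_acs(ldap_url, user, requesting_target):
    """Release only the ACs the home policy permits for this target."""
    acs = HOME_DIRECTORY.get(ldap_url, {}).get(user, [])
    allowed = RELEASE_POLICY.get(requesting_target, set())
    return [ac for ac in acs if ac["role"] in allowed]


# --- target site: PERMIS gateway ---------------------------------------------
TRUSTED_HOME_SITES = {"home.example.org"}  # only fetch ACs from known home sites
TRUSTED_ISSUERS = {"cn=AA,o=home"}         # stand-in for the PKI signature check
ACCESS_POLICY = {"/journals/": {"researcher"}, "/admin/": {"site-admin"}}


def permis_decision(cookie, resource, now, this_target="target.example.net",
                    fetch=release_acs):
    """Granted/denied for `resource`, given the URL cookie and the time."""
    try:
        claim = verify_url_cookie(cookie, now)
    except ValueError:
        return "denied"
    # The cookie tells us where to fetch from: bind that to a trusted home site,
    # otherwise a forged cookie could point the gateway at an attacker's directory.
    if urlparse(claim["ldap"]).hostname not in TRUSTED_HOME_SITES:
        return "denied"
    acs = fetch(claim["ldap"], claim["user"], this_target)
    roles = {ac["role"] for ac in acs if ac["issuer"] in TRUSTED_ISSUERS}
    for prefix, needed in ACCESS_POLICY.items():
        if resource.startswith(prefix):
            return "granted" if roles & needed else "denied"
    return "denied"


if __name__ == "__main__":
    t0 = 1_000_000
    cookie = issue_url_cookie("alice", "ldap://home.example.org/", t0)
    print(permis_decision(cookie, "/journals/nature", t0 + 10))
    print(permis_decision(cookie, "/admin/users", t0 + 10))
```

Two checks matter in this model and would matter in the real integration: the cookie’s MAC and expiry enforce "short lived" and stop tampering, and the gateway refuses to fetch from a URL that is not a known home site and discards ACs from an unknown issuer, since the URL in the cookie is attacker-influenced input that tells the target where to look for privileges.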

SLIDE 8

Costs

  • Total cost of €148,544 provided by
  • RedIRIS €43,500
  • University of Salford €24,644
  • University of Malaga €24,000
  • TERENA and NRENs €56,400
  • This means we are looking for 4 or 5 NRENs to pay approx €10,000 each plus a contribution from TERENA