WebISO: Web Application Agent (WAA) Questionnaire

The PAPI System
RedIRIS, Spanish National Research Network
http://www.rediris.es/app/papi/index.en.html
November 28, 2002

1. Model & Capabilities of the Web Authentication Agent (WAA)

1.1 Which high-level integration model(s) does your WAA support?

[*] Server module
    [ ] Apache 1.3
    [ ] Apache 2.0
    [ ] Java Servlet
    [ ] Microsoft ISAPI
    [*] Other: Apache mod_perl handler
[*] Developer's API
    [ ] C/C++
    [ ] Java/JSP
    [*] Perl
    [ ] Python
    [ ] Other

1.2 If applicable, describe the method(s) your WebISO solution provides for the WAA to handle N-tier (proxied, delegated) authentication (cf. http://middleware.internet2.edu/webiso/docs/draft-lajoie-trust_and_delegation-02.html):

Version 1.2 -> Trust
Version 2   -> Trust and Proxy

2. Authentication Request

2.1 Describe the API your WAA provides to Web applications to initiate authentication. What functions can it invoke? What parameters can it pass?

The API is the standard CGI interface. Any parameter exchanged through the GET or POST method may be used and referenced through variable substitution inside the HTML templates that define the appearance and behavior of the user interface. The application defines the exact formats and semantics of the parameters. There is only one pre-defined parameter, PAPIrefURL, which can be used to provide the Authentication Server with the original URL the user was redirected from.

2.2 Describe any other options your WAA provides to Web applications to influence the authentication process. For example, can it request the technology or policy used to handle authentication?

User interface and actual behavior are controlled through HTML templates and a configuration file in the form of a Perl script.

3. Authentication Delivery

3.1 Describe the information delivered by your WAA to Web applications:

3.1.1 What user information is provided to the application? What is the format? How does it relate to the identifier presented to the verification backend?

Fully configurable. A text string built from user attributes, (possibly) the application description, and values in the configuration files, HTML templates, and HTTP interactions.

3.1.2 Does the WAA deliver additional user attributes (e.g., lookup key value associated with login identifier, studentid, group membership)? What is the format of this?

See point 3.1.1.

3.1.3 Can additional information be delivered on request?

Yes.

3.2 Describe the means by which your WAA provides authentication information to your application. Please be as specific as possible.

It is provided using a specific Apache note called PAPIHcook.

4. Authentication Session

4.1 Briefly describe how authentication session information is maintained (if not already covered in section 2 above):

It is maintained using encrypted cookies:
- "Lcook", with a configurable short TTL (e.g. 3 minutes)
- "Hcook", with a configurable (at authentication step) long TTL that defines the session duration (e.g. 2 days)

The first cookie, Lcook, triggers the refresh procedure for Hcook. Every time Lcook expires, the Hcook parameters are rechecked and new cookies are generated. This is intended as an anti-duplication system, to avoid unauthorized access by means of cookie copying.

4.2 Is it possible for an application to set the session duration? If not already covered above, please describe:

Yes. At the authentication step the session duration can be configured depending on the user and/or the resource(s) to be accessed.

4.3 Is it possible to terminate an authentication session globally? How is that information conveyed to the application?

Yes. Cookies with content that prevents valid access and an expiry time in the past (1970) are sent to the web browser when the session is finished.

5. Messaging (Weblogin Service (WLS) <-> WAA)

5.1 Describe the message format used between your WAA and weblogin service to request and receive authentication information:

5.2 Describe the protocol used by the WAA to handle the above (e.g. SAML POST Profile):

6. Wish List

6.1 What changes or additions to the services provided by the WAA would you like to see in your system?

6.2 At a high level, what other changes would you like to see in your system?

Diego R. Lopez
Rodrigo Castro
RedIRIS, the Spanish NREN
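The Lcook/Hcook session scheme of sections 4.1 to 4.3, modelled as an added Python example that is not PAPI's own code or cookie format: a short-lived Lcook whose expiry forces a recheck of Hcook and the minting of a fresh cookie pair, a session duration fixed at authentication time, and logout by overwriting both cookies with unusable content expiring in 1970. HMAC signing stands in for the encryption the answer mentions, and the payload fields, cookie layout and key are constructed for the demonstration.

```python
from __future__ import annotations
import base64, hashlib, hmac, json

LCOOK_TTL = 3 * 60            # short TTL, the answer's example: 3 minutes
HCOOK_TTL = 2 * 24 * 3600     # long TTL fixed at authentication, the answer's example: 2 days
KEY = b"constructed-demo-key"  # constructed; a real WAA keeps this key server-side only

def seal(payload: dict) -> str:
    """Integrity-protect a cookie body (HMAC stands in for PAPI's encryption in this model)."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()

def unseal(cookie: str) -> dict | None:
    """Return the payload if the tag verifies; None for missing, malformed or tampered cookies."""
    body, _, tag = cookie.partition(".")
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not tag or not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(body))

def issue_cookies(user: str, now: int, session_exp: int) -> dict:
    """Mint the Hcook/Lcook pair; session_exp was chosen at authentication time (4.2)."""
    return {"Hcook": seal({"user": user, "exp": session_exp, "iat": now}),
            "Lcook": seal({"exp": now + LCOOK_TTL, "iat": now})}

def check_request(cookies: dict, now: int) -> tuple[str | None, dict | None]:
    """Validate one request. Returns (user or None, replacement cookies or None)."""
    hcook = unseal(cookies.get("Hcook", ""))
    lcook = unseal(cookies.get("Lcook", ""))
    if hcook is None or lcook is None or hcook["exp"] <= now:
        return None, None                    # no valid session: redirect to authentication
    if lcook["exp"] > now:
        return hcook["user"], None           # Lcook still fresh: nothing to refresh
    # Lcook expired: Hcook parameters were re-checked above, so regenerate both cookies,
    # keeping the session expiry that was fixed at authentication
    return hcook["user"], issue_cookies(hcook["user"], now, hcook["exp"])

def logout_cookies() -> dict:
    """Global termination (4.3): content that never verifies, with an expiry in the past."""
    past = "Thu, 01 Jan 1970 00:00:00 GMT"
    return {name: f"invalid; Expires={past}" for name in ("Hcook", "Lcook")}
```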