The PAPI model uses three different kind of components: the Authentication Server (AS), the Group Point of Access (GPoA) and the Point of Access (PoA).
The AS acts as Identity Provider (IdP), offering a single local authentication point to the users, which distributed identity assertions to the other components of the PAPI architecture. This identity assertions are signed by the AS, so they can be verified by the element consuming them.
Currently, there is only one PAPI AS general implementation written in Perl. Itcan be run on any Web server as a CGI or (in those that supports it) a Perl module.
A GPoA is a Service Provider (SP) able to aggregate trust on behalf of other SPs. It receives identity assertions from ASes or other GPoAs, validates them and propagate them to other GPoAs and/or PoAs that trust it (and conform its group).
There are GPoA implementations available in:
A PoA plays an SP role, controlling access to a resource protected by PAPI. It receives identity assertions from ASes or its parent GPoA, validates them and makes a decision on the rights to access the resources. PoAs, as well as GPoAs, provide Single Sign-On capabilities to simplify and enhance access procedures.
There are PoA implementations available in: