The PAPI model uses three different kind of components: the Authentication Server (AS), the Group Point of Access (GPoA) and the Point of Access (PoA).

There are PAPI components implemented in Java, Perl, and PHP.

Authentication Server

The AS acts as Identity Provider (IdP), offering a single local authentication point to the users, which distributed identity assertions to the other components of the PAPI architecture. This identity assertions are signed by the AS, so they can be verified by the element consuming them.

Currently, there is only one PAPI AS general implementation written in Perl. Itcan be run on any Web server as a CGI or (in those that supports it) a Perl module.

• Perl-based PAPI AS

Group Point of Access

A GPoA is a Service Provider (SP) able to aggregate trust on behalf of other SPs. It receives identity assertions from ASes or other GPoAs, validates them and propagate them to other GPoAs and/or PoAs that trust it (and conform its group).

There are GPoA implementations available in:

• Java
• Perl

Point of Access

A PoA plays an SP role, controlling access to a resource protected by PAPI. It receives identity assertions from ASes or its parent GPoA, validates them and makes a decision on the rights to access the resources. PoAs, as well as GPoAs, provide Single Sign-On capabilities to simplify and enhance access procedures.

There are PoA implementations available in:

• Java
  • As application server filter
  • As JAAS module
• Perl
• PHP