PAPI is a system for providing access control to restricted information resources across the Internet. It intends to keep authentication as an issue local to the organization the user belongs to, while leaving the information providers full control over the resources they offer.

The authentication mechanisms are designed to be as flexible as possible, allowing each organization to use its own authentication schema, keeping user privacy, and offering information providers data enough for statistics. Moreover, access control mechanisms are transparent to the user and compatible with the most commonly employed Web browsers, and any operating system.

The system consists of two independent elements: the authentication server (AS) and the point of access (PoA). This structure makes the final system much more flexible and able to be integrated to different environments. There is no need of a one-to-one mapping between ASes and PoAs: a given PoA may manage to deal with requests from any number of ASes and direct them to any number of web servers.

The purpose of the AS is to provide users with a single authentication point and make available to them (in a completely transparent manner) all the temporary keys that will let them access the services they are authorized to.

The PoA manages actual access control to a set of web locations for a given organization. The target resource provider has the control over the access policy applied at the PoA. A PAPI PoA can be adapted to any web server, whatever its implementation is. Moreover, a given web server can have more than one PoA, and a PoA can control more than one web server. Other important property of this system is that is completely compatible with any other access control system in use, since it does not impose any constraints on additional procedures used for these purposes. In other words, PAPI access control is completely orthogonal to procedures such as password protection, IP filters, TLS-based access control, etc.

Typical usages of PAPI include:

  • Single sign-on for corporate applications: one-step authentication for any Internet-available resource (internal or external).
  • Single sign-on for remote services: provide users with ubiquitous access (anytime, anywhere) to those resources they are entitled for.
  • Inter-realm access: provide a powerful and manageable framework for collaborative systems by means of federated authentication and authorization.

A more detailed discussion on the PAPI objectives, components, protocols, and software can be found in the set of PAPI documentation.

PAPI is distributed as free software. There are implementations of the PAPI components in Java, Perl and PHP.

This site offers a set of support resources to the PAPI user community, as well as access to the development resources for those willing to collaborate with the PAPI development team.

Other projects

PAPI is in contact with other similar projects related to authentication and authorization (AA) technologies. The PAPI development team is actively working in ensuring the interoperability of the PAPI elements with these other components, in order to make possible global-scale distributed AA infrastructures. More information about these projects can be found at their respective sites:

Derived projects

We have known about (at least) another project derived from the PAPI open source distribution:

If you are using the PAPI codebase in your project, we will be happy to include a link to it in this page. Just drop us a message.