(Thanks to Ian Stuart, Edinburgh University Data Library)
N.B.
The phrase **** for Dummies has been trademarked, and defended by, Dummies.com, so I'm using the good old scottish work "numptie".
I was trying to explain what I was working on to a non-techie friend of mine, and trying to describe the concept of PAPI (Point of Access to Providers of Information) in terms that they could understand...
This is what I came up with....
My analogy
Imagine that you run the stadium for a football club. Entry is by ticket only. Tickets can only be bought for individual games, and can only be bought in the week before the game.
Now, you, as the stadium owner, you know that supporters from different teams need to be kept apart, and that clubs may have different "levels" of supporter (with different costs). People with higher levels of support with their club get better facilities (possibly including better seats) as part of the deal. Now, as the stadium owner, you don't want to have to deal with all the palaver of working out who is a member of what club, and who has what level of privilage. You want to devolve that responsibility to the supporters clubs, and possibly to specialist ticketing offices.
This means that the ticket selling agents can sell a general ticket, which can be valid for a number of stadiums (which is good for the clubs and the ticket sellers).
The tickets have a magnetic strip on the back, which contains the stadiums the ticket is valid for, who bought it, and when it expires.
Now, access is restricted to only people with up-to-date tickets, so you check them at the turnstyles: they must be valid for your stadium, have come from one of the resellers you recognise, and must be within the lifetime of the ticket. If the ticket is a valid ticket and they're allowed in, invalid and there's no entry.
This means that you are doing a "Point of Access" check.
Once the supporter gets entry to the stadium, you issue them with a local day-pass that allows them entry to facilities within your stadium. These privilages may vary based on the fan-club (you gotta keep the fans apart :), and on the price of the ticket (covered verses uncovered seating, for example).
Relating this to PAPI, the tickets are the PAPI-AS signed assertions.
The local day-pass is the PAPI-PoA cookie, issued by the PoA for local PoA services.
The PAPI-AS system locally authenticates the client, generating a signed assertion that gives it to the client. The PAPI-AS then lists all the PAPI-PoAs that the client may access.
The PAPI-PoA then (locally) checks that the signature from the signed assertion is from a recognised PAPI-AS.
The PAPI-AS' are on various servers (maybe yours, probably other people), and the PAPI-PoA (and thus your service) is on one of your own servers.
Back to our analogy....
Now, if we were a smaller club, we could sell tickets locally, so we'd have one wee man selling tickets, and another wee man checking tickets - either our own ones, or ones provided by the fan-clubs and resellers we've permitted....
(PAPI-AS server and PAPI-PoA server on the same box, different ports/vhosts)
If we were a grass-roots club, we'd not have any resellers, and the same wee man could both sells and checks the tickets (we'd still get him to use the tickets, 'cos we can do a head-count that way..)
(PAPI-AS & PAPI-PoA all in one server)