We are working on authorisation API in European project PERMIS. We need
to know a bit more about your software and its architecture.
Currently the questions are:
1. How do you secure the communication to the Authentication Server
2. How do you secure the communication to the Point of Access.
3. How do you enforce that the links are requested through your PoA
only? What stops the user from accessing the desired web-site directly?
"The PAPI system: Point of Access to Providers of Information" does not
say anything on whether the communication is trusted or not.