+CADI Framework
+^^^^^^^^^^^^^^
+
+CADI is a framework for providing Enterprise Class Authentication and Authorization with minimal configuration to Containers and Standalone Services
+It is in fact a library used by services to:
+
+* Authenticate with one or more Authentication Protocols
+* Authorize in a FINE-GRAINED manner using AAF Components
+
+AAF Components – RESTful Services
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Service (primary) – All the Authorization information, it is accessible by provided Caching Clients and by specialized plugins:
+
+* Locate – how to find ANY OR ALL AAF instances across any geographic distribution
+* OAuth 2.0 – new component providing Tokens and Introspection
+* GUI – Tool to view and manage Authorization Information, and create Credentials
+* Certman – Certificate Manger, create and renew X509 with Fine-Grained Identity
+* FS – File Server to provide access to distributable elements (like well known certs)
+* Hello - Test your client access (certs, OAuth 2.0, etc.)
+
+Cassandra as global replicating Data Store
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+
+How AAF works
+---------------------
+To understand how AAF works, let's describe its workflow through a high level "three tiered web app" use case:
+
+|image2|
+
+.. |image2| image:: sections/architecture/images/aaf-use-case.png
+ :height: 400px
+ :width: 800px
+
+
+1. Browser client goes to GUI using for instance SSO plugin (or Basic Auth)
+2. App goes directly to a Service using x509 or Basic Auth (or other)
+3. CADI Filter coverts credential to “Principal”. If not in cache, AAF is contacted for Permissions protecting GUI with Service ID/Credential (MechID of App/Pass or X.509 Client Cert (preferred)).
+4. AAF does provide User/Password features, or can be delegated to other credential service via Plugin
+5. If information is not in Service Cache, AAF’s DB is contacted using AAF Service ID/Credential.
+6. Client App uses Permission Attributes delivered by AAF/AAF Cache for protecting sensitive data/functions (using J2EE method).
+7. If not in Cache, Client contacts App Service, using App ID/Credential.
+8. CADI Filter converts App ID/Credential to Principal. If not in cache, contacts with AAF (with App ID/Credential) for Permissions of Client.
+9. App protects data based on Client Permissions.
+10. Component contacts next layer using Service ID/Credential.
+11. If ID or Permissions of AppServer are not in Cache, contact AAF using AAF Security Plugin for Cassandra, which uses AAF Java Client.
+12. Cassandra protects Cluster/Keyspace/ColumnFamily w/Permissions.
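
Review bot: Step 3 of the "How AAF works" list reads "CADI Filter coverts credential" where step 8 has "converts", and the Certman bullet says "Certificate Manger"; both typos sit in the sentences that explain credential handling and should be fixed before merge. The opening paragraph under "CADI Framework" has no period after "Standalone Services", so reStructuredText will join it with "It is in fact a library used by services to:" into one run-on sentence. The "Cassandra as global replicating Data Store" heading has no body text, and the bullets under "Service (primary)" (Locate, OAuth 2.0, GUI, Certman, FS, Hello) read as sibling components rather than details of Service; consider listing Service as a bullet of its own and giving Cassandra at least one sentence. In the workflow, "X.509 Client Cert (preferred)" appears only in step 3 while steps 1 and 2 offer Basic Auth without that qualifier, and step 7's "If not in Cache" does not say what is being looked up; stating the credential preference once before the list and naming the cached item would make the flow unambiguous.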