
STANFORD UNIVERSITY

INFORMATION TECHNOLOGY SERVICES

Stanford WebAuth

Introduction

WebAuth is an authentication system for web pages and web applications. The first time a user attempts to access a web page protected by WebAuth, they will be sent to a central login server (weblogin.stanford.edu at Stanford) and prompted to authenticate. Normally, they will be asked for a username and password, although other authentication methods are possible. Once the user has logged in, the weblogin server will send their encrypted identity back to the original web page they were trying to access. Their identity will also be stored in a cookie set by the weblogin server, so they will not need to authenticate again until their credentials expire, even if they visit multiple protected web sites.

WebAuth works with any browser that supports cookies, requires no agents or other software to be installed on client systems, and works with an existing Kerberos v5 authentication realm. It can also be used as the SSO provider for a Shibboleth IdP and supports SPNEGO authentication as well as username/password over TLS/SSL. See the page on WebAuth features for more of its major features and a brief comparison with other web authentication systems.

If you are a Stanford WebAuth user and are having trouble logging in to WebAuth or just want more information about what's going on, please see the Stanford WebAuth help page. If you are looking for instructions on protecting web pages hosted on the www.stanford.edu servers, see the Stanford WebAuth guides. To install WebAuth on your own web server, read on.

News

2010-08-12

WebAuth 3.7.2 has been released. This fixes a serious bug in option parsing in wa_keyring that made the utility unusable. It also fixes some portability problems and improves WebLogin handling of expired or disabled accounts.

See the release announcement for more information.

2010-07-23

WebAuth 3.7.1 has been released. This changes some default behavior with WebLogin password changes and the single sign-on cookie lifetime and should fix some build problems on Red Hat systems.

See the release announcement for more information.

2010-07-08

WebAuth 3.7.0 has been released. This is a major release with improvements to mod_webauthldap, support for password expiration and changing in WebLogin, and substantial changes to the WebAuth build system and underlying libraries. If you use the WebAuthLdapAuthRule directive for mod_webauthldap, please note that its behavior has changed.

See the release announcement for more information.

2010-03-14

Oxford University Computing Services has released a new version of the Java implementation of the WebAuth protocol. This implementation is a Java Servlet 2.3 implementation that works with Tomcat 4.1 and 5.5. The new version adds support for loading configuration from a class and optional refreshing of the Kerberos configuration. It also improves the documentation.

This is a contributed implementation and not fully supported by the WebAuth team, but is provided on the WebAuth download page for those who would like to try it.

For older news, see the separate WebAuth news page.

Obtaining and Installing

WebAuth is provided under a free software license to anyone in the world who wants to use it. We provide support for the WebAuth software to Stanford affiliates, and also maintain the WebAuth infrastructure (the central login server and credential server) for the stanford.edu domain.

Here are instructions for obtaining and installing WebAuth. Please note that since the primary purpose of the WebAuth project is to provide web authentication for Stanford University, there are Stanford-specific instructions scattered through the documentation. All such instructions are clearly marked.

WebAuth Documentation

Installing WebAuth:

Reference manuals:

The WebAuth protocol, which includes a more detailed explanation of how authentication works and how information is passed between a web server and the central WebKDC and weblogin servers:

WebKDC information (only of interest to people who are setting up a complete WebAuth infrastructure at another site):

Support

New WebAuth releases are announced via the low-volume webauth-announce mailing list. To subscribe, unsubscribe, or read the archives, go to the webauth-announce list information page.

There is also a separate mailing list for general discussion and requests for help, which is also read by members of the WebAuth project team. To subscribe, unsubscribe, or read the archives, go to the webauth-info list information page.

Stanford users may instead read and post to the newsgroup su.computers.webauth, which is bidirectionally gatewayed to webauth-info. The newsgroup also gets all messages sent to webauth-announce.

Finally, if you are a Stanford affiliate and need help with WebAuth, you can submit a HelpSU request using the link at the bottom of this page. Due to limited resources, we cannot offer support to any non-Stanford users, so non-Stanford users should instead subscribe to the mailing list and ask questions there.

Credits

The WebAuth v3 protocol and core implementation were written by Roland Schemers, based on design documents by the entire Stanford WebAuth team (with considerable work by Tim Torgenrud and Booker Bense) and based in part on the functionality of WebAuth v2.5, written and maintained by a cast of dozens over the years but most notably Jeff Lewis, Anton Ushakov, and Jeanmarie Lucker.

The mod_webauthldap module was written by Anton Ushakov.

The configuration and build system and WebAuth packaging were put together by Russ Allbery. Huaqing Zheng provided builds of supporting packages and Jonathan Pilat helped greatly with testing. Xueshan Feng oversaw the project.

WebAuth is currently maintained primarily by Russ Allbery. RPMs are built by Darren Patterson based on earlier work by Joe Little. Many of the Solaris packages were built by Quanah Gibson-Mount.

Thanks to pod for improvements, particularly to the WebKDC, to make it easier to package for a Linux distribution, for the initial Debian package build rules, and for generic WebKDC templates suitable for a new installation and for use as examples.

Thanks to Dmitri Priimak for work on cross-realm support, WebLogin improvements, and testing of unusual Kerberos realms and principal names.

To contact any of the members of the WebAuth team, please use the contact information above rather than writing to us individually. This will help us help you more efficiently. Thank you!

Last modified Thursday, 12-Aug-2010 05:47:31 PM
