STANFORD UNIVERSITY

INFORMATION TECHNOLOGY SERVICES

Stanford WebAuth

Introduction

WebAuth is an authentication system for web pages and web applications. The first time a user attempts to access a web page protected by WebAuth, they will be sent to a central login server (weblogin.stanford.edu at Stanford) and prompted to authenticate. Normally, they will be asked for a username and password, although other authentication methods are possible. Once the user has logged in, the weblogin server will send their encrypted identity back to the original web page they were trying to access. Their identity will also be stored in a cookie set by the weblogin server, and they will not need to authenticate again until their credentials expire, even if they visit multiple protected web sites.

WebAuth works with any browser that supports cookies, requires no agents or other software to be installed on the client systems running the web browser, and works with an existing Kerberos v5 authentication realm. It can also be used as the SSO provider for a Shibboleth IdP and supports SPNEGO authentication as well as username/password over TLS/SSL. See the page on WebAuth features for more major features and a brief comparison with other web authentication systems.

If you are a Stanford WebAuth user and are having trouble logging in to WebAuth or just want more information about what's going on, please see the Stanford WebAuth help page. If you are looking for instructions on protecting web pages hosted on the www.stanford.edu servers, see the Stanford WebAuth guides. To install WebAuth on your own web server, read on.

News

2012-05-02

Red Hat Enterprise Linux binary packages and source RPMs are now available for WebAuth 4.1.0 from the download page, thanks to Darren Patterson. Unlike the previous 4.0.2 packages, these packages no longer require that the remctl RPMs also be installed.

2012-04-25

WebAuth 4.1.1 has been released. This is a bugfix release for the WebKDC and WebLogin components. There are no changes in the WebAuth module for application servers.

See the release announcement for more information.

2012-03-27

Red Hat Enterprise Linux binary packages and source RPMs are now available for WebAuth 3.7.4 and WebAuth 4.0.2 from the download page, thanks to Darren Patterson. The packages for 4.0.2 require that the remctl-client RPMs be installed as well. This requirement will be relaxed in a later version.

Packages are now only provided for Red Hat Enterprise Linux 5 and 6. RHEL 4 packages are no longer built, but it should be possible to build WebAuth from source on RHEL 4.

2012-03-15

WebAuth 4.1.0 has been released. This is primarily a bug-fix and feature release for the new functionality in WebAuth 4.0 and is mainly of interest to WebLogin and WebKDC administrators. The changes in the WebAuth module for application servers are minimal.

See the release announcement for more information.

2012-02-16

Západočeská univerzita has developed a Shibboleth IdP WebLogin handler that can support forced authentication, unlike the standard RemoteUser authentication handler. The handler is available directly from their web site.

For older news, see the separate WebAuth news page.

Obtaining and Installing

WebAuth is provided under a free software license to anyone in the world who wants to use it. We provide support for the WebAuth software to Stanford affiliates, and also maintain the WebAuth infrastructure (the central login server and credential server) for the stanford.edu domain.

Here are instructions for obtaining and installing WebAuth. Please note that since the primary purpose of the WebAuth project is to provide web authentication for Stanford University, there are Stanford-specific instructions scattered through the documentation. All such instructions are clearly marked.

WebAuth Documentation

Installing WebAuth:

Reference manuals:

The WebAuth protocol, which includes a more detailed explanation of how authentication works and how information is passed between a web server and the central WebKDC and weblogin servers:

WebKDC information (only of interest to people who are setting up a complete WebAuth infrastructure at another site):

Support

New WebAuth releases are announced via the low-volume webauth-announce mailing list. To subscribe, unsubscribe, or read the archives, go to the webauth-announce list information page.

There is also a separate mailing list for general discussion and requests for help, which is also read by members of the WebAuth project team. To subscribe, unsubscribe, or read the archives, go to the webauth-info list information page.

Stanford users may instead read and post to the newsgroup su.computers.webauth, which is bidirectionally gatewayed to webauth-info. The newsgroup also gets all messages sent to webauth-announce.

Finally, if you are a Stanford affiliate and need help with WebAuth, you can submit a HelpSU request using the link at the bottom of this page. Due to limited resources, we cannot offer support to any non-Stanford users, so non-Stanford users should instead subscribe to the mailing list and ask questions there.

Credits

The WebAuth v3 protocol and core implementation were written by Roland Schemers, based on design documents by the entire Stanford WebAuth team (with considerable work by Tim Torgenrud and Booker Bense) and based in part on the functionality of WebAuth v2.5, written and maintained by a cast of dozens over the years but most notably Jeff Lewis, Anton Ushakov, and Jeanmarie Lucker.

The mod_webauthldap module was written by Anton Ushakov.

The configuration and build system and the WebAuth packaging were put together by Russ Allbery. Huaqing Zheng provided builds of supporting packages and Jonathan Pilat helped greatly with testing. Xueshan Feng oversaw the project.

WebAuth is currently maintained primarily by Russ Allbery. RPMs are built by Darren Patterson based on earlier work by Joe Little. Many of the Solaris packages were built by Quanah Gibson-Mount.

Thanks to pod for improvements, particularly to the WebKDC, to make it easier to package for a Linux distribution, for the initial Debian package build rules, and for generic WebKDC templates suitable for a new installation and for use as examples.

Thanks to Dmitri Priimak for work on cross-realm support, WebLogin improvements, and testing of unusual Kerberos realms and principal names.

To contact any of the members of the WebAuth team, please use the contact information above rather than writing to us individually. This will help us help you more efficiently. Thank you!

Last modified Wednesday, 02-May-2012 02:20:41 PM