Webauth is a system providing single sign-on for web-based services. Single sign-on means that users of Webauth-authenticated services enter a username and a password only once (per session) to a central login server. Any further access to other Webauth-based services is automatically and securely authenticated without further interaction by the user.
Webauth is currently based around Kerberos, a general network single sign-on system. Webauth encapsulates Kerberos tickets into cookies which, when unpacked by the server, provide proof of the identity of the user of the connecting browser. Webauth-protected services never need to see the password of the user, because they make use of a trusted third party to verify the identity of the user. Departments and colleges can set up their own protected services, using the central Webauth system.
- Provision of infrastructure for web-based SSO authentication of Oxford SSO account holders to registered ITSS within Oxford University.
- Registered ITSS wishing to use this service may contact email@example.com to request the Kerberos principals required to create a service keytab.
- 9am - 5pm on weekdays: the service operates with full technical support.
- All other times: the service operates without technical support. Automated service monitoring will take place, and informal arrangements exist for staff to be notified of exceptions; however, no funding is provided for contractual cover or guaranteed response.
- Exclusions: service maintenance carried out during the JANET maintenance period (7am - 9am every Tuesday).
2.7 Software updates are applied by OUCS staff – this is done with the minimum of interruption to service. Any scheduled downtime for maintenance or upgrade will be notified at least 24 hours in advance.
2.8 Information for departmental and college system administrators is given at http://www.oucs.ox.ac.uk/webauth/howto.xml.
2.10 Webauth faults affecting Webauth-protected systems should be reported to firstname.lastname@example.org. OUCS will liaise with department and college computing officers: no end-user support is provided.
2.11 Problems encountered by individual users in authenticating themselves are generally caused by invalid or expired information in the underlying databases, and should be reported to email@example.com, or to the IT Support in the unit responsible for supplying the service accessed through Webauth.
3.1 Departments and colleges wishing to use these services must follow the instructions at http://www.oucs.ox.ac.uk/webauth/howto.xml.
3.2 End-users are responsible for maintaining the security of their Single Sign-on password, and in particular for ensuring that authenticated sessions are not left in operation unattended or after the user has finished using them.