Title of Service: The Webauth Authentication System

Status of Document: This document describes services offered in June 2011.

1. Introduction

Webauth is a system providing single sign-on for web based services. Single sign-on means that users of Webauth-authenticated services enter a username and a password only once (per session) to a central login server. Any further access to other Webauth-based services is automatically and securely authenticated without further interaction by the user.

Webauth is currently based around Kerberos, a general network single sign-on system. Webauth encapsulates Kerberos tickets into cookies which, when unpacked by the server, provide proof of the identity of the user of the connecting browser. Webauth-protected services never need to see the password of the user, because they rely on a trusted third party (the central login server) to verify the identity of the user. Departments and colleges can set up their own protected services, using the central Webauth system.
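The exchange described above, as an added example that is not part of this page or of the Webauth/OUCS software: a toy central login server that checks the password once, issues a session cookie, and converts that cookie into per-service tokens, alongside a protected service that accepts a token only after checking it with a key it shares with the login server. It is a simplification of the real system: tokens are HMAC-signed JSON rather than Webauth's encrypted token format, the shared keys are hard-coded constants standing in for keys a real deployment would establish through its service keytab, and the user database, service names and passwords are all constructed for the example.

```python
"""Simplified model of a Webauth-style SSO exchange (added example, not the
OUCS/Webauth code). Assumptions: HMAC-signed JSON tokens instead of the real
encrypted token format; hard-coded per-service keys standing in for keys a
real deployment derives via its Kerberos keytab; constructed user data."""
import base64
import hashlib
import hmac
import json
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(payload: dict) -> bytes:
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _sign(key: bytes, payload: dict) -> str:
    """Token = base64url(payload) '.' base64url(HMAC-SHA256 over the payload)."""
    body = _encode(payload)
    return _b64(body) + "." + _b64(hmac.new(key, body, hashlib.sha256).digest())


def _verify(key: bytes, token: str):
    """Return the payload if the MAC checks out under `key`, else None."""
    try:
        body_b64, mac_b64 = token.split(".")
        body, mac = _unb64(body_b64), _unb64(mac_b64)
    except (ValueError, TypeError):
        return None  # malformed token
    if not hmac.compare_digest(mac, hmac.new(key, body, hashlib.sha256).digest()):
        return None  # forged, corrupted, or signed with a different service's key
    return json.loads(body)


class LoginServer:
    """Central login server: the only party that ever sees the password."""

    def __init__(self, user_db, service_keys, ttl=3600):
        self.user_db = user_db            # username -> (salt, PBKDF2 digest)
        self.service_keys = service_keys  # service name -> key shared with it
        self.session_key = b"constructed-login-server-session-key"
        self.ttl = ttl

    def login(self, username, password, now=None):
        """Check the password once; return the SSO session cookie, or None."""
        now = time.time() if now is None else now
        record = self.user_db.get(username)
        if record is None:
            return None
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, digest):
            return None
        return _sign(self.session_key, {"sub": username, "iat": now, "exp": now + self.ttl})

    def token_for(self, sso_cookie, service, now=None):
        """Turn a valid session cookie into a token for one service (no password needed)."""
        now = time.time() if now is None else now
        session = _verify(self.session_key, sso_cookie)
        if session is None or session["exp"] <= now or service not in self.service_keys:
            return None
        payload = {"sub": session["sub"], "aud": service, "iat": now, "exp": now + self.ttl}
        return _sign(self.service_keys[service], payload)


class ProtectedService:
    """A Webauth-protected web service: holds only its own shared key."""

    def __init__(self, name, key):
        self.name, self.key = name, key

    def authenticate(self, token, now=None):
        """Return the verified username, or None if the token is not acceptable here."""
        now = time.time() if now is None else now
        payload = _verify(self.key, token)
        if payload is None or payload.get("aud") != self.name:
            return None  # bad MAC, or a token issued for a different service
        if payload.get("exp", 0) <= now:
            return None  # expired
        return payload["sub"]


def demo():
    """Walk through one SSO session and return the outcomes of each check."""
    salt = b"constructed-salt"  # constructed sample account, not a real one
    user_db = {"abcd1234": (salt, hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, 100_000))}
    keys = {"wiki.example.ox.ac.uk": b"constructed-wiki-key", "mail.example.ox.ac.uk": b"constructed-mail-key"}
    kdc = LoginServer(user_db, keys, ttl=3600)
    wiki = ProtectedService("wiki.example.ox.ac.uk", keys["wiki.example.ox.ac.uk"])
    mail = ProtectedService("mail.example.ox.ac.uk", keys["mail.example.ox.ac.uk"])
    t0 = 1_700_000_000.0
    cookie = kdc.login("abcd1234", "correct horse", now=t0)          # password seen once, here
    wiki_token = kdc.token_for(cookie, wiki.name, now=t0 + 10)       # no password needed
    mail_token = kdc.token_for(cookie, mail.name, now=t0 + 20)
    # Attacker keeps the genuine MAC but rewrites the subject in the payload.
    body_b64, mac_b64 = wiki_token.split(".")
    forged_payload = dict(json.loads(_unb64(body_b64)), sub="attacker")
    forged = _b64(_encode(forged_payload)) + "." + mac_b64
    return {
        "bad_password": kdc.login("abcd1234", "wrong", now=t0),
        "wiki_user": wiki.authenticate(wiki_token, now=t0 + 30),
        "mail_user": mail.authenticate(mail_token, now=t0 + 30),
        "cross_service": wiki.authenticate(mail_token, now=t0 + 30),
        "forged": wiki.authenticate(forged, now=t0 + 30),
        "expired": wiki.authenticate(wiki_token, now=t0 + 4000),
        "stale_cookie": kdc.token_for(cookie, wiki.name, now=t0 + 4000),
    }
```

The point the model makes concrete: the wiki and mail services authenticate the same user from one login without ever handling the password, and a token is only good for the service it was issued to, under the key that service shares with the login server, and only until it expires. A real deployment additionally encrypts the token so its contents are not visible in the browser, and binds the shared key to the service's Kerberos identity via the keytab.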

This service is provided for use by registered ITSS wishing to authenticate Oxford users visiting their web services.

Overview of Service

  • Provision of infrastructure for web-based SSO authentication of Oxford SSO account holders to registered ITSS within Oxford University.
  • Registered ITSS wishing to use this service may contact sysdev@it.ox.ac.uk to request the Kerberos principals required to create a service keytab.

2. Summary of OUCS’s responsibilities

Hours of Service

2.1 The service is offered as follows:

  • 9am - 5pm on weekdays: the service operates with full technical support.
  • All other times: the service operates without technical support. Automated service monitoring takes place, and informal arrangements exist for staff to be notified of exceptions; however, no funding is provided for contractual cover or a guaranteed response.
  • Exclusions: service maintenance carried out during the JANET maintenance period (7am - 9am every Tuesday).

2.2 OUCS will commence investigation of reported faults within one hour when full technical support is available (provided that no similar fault is already being handled by the same team).

Service Level Targets

2.3 It is intended, as far as is possible, to maintain service availability at all times apart from the exclusions listed under 2.1; however, there are no formal targets.

Disaster Recovery

2.4 The Webauth service runs on a cluster of four servers, spread across two geographical sites in Oxford and connected by two separate network routes, to provide a high degree of resilience.

Alternative Facilities

2.5 There are many methods of providing protected access to services, but this is the only University shared service providing central web-based authentication.

Hardware and Software Maintenance

2.6 The machines used are maintained under warranty by the supplier.

2.7 Software updates are applied by OUCS staff with the minimum of interruption to service. Any scheduled downtime for maintenance or upgrade will be notified at least 24 hours in advance.

Administration and Support

2.8 Information for departmental and college system administrators is given at http://www.oucs.ox.ac.uk/webauth/howto.xml.

2.9 Notification of faults, outages, etc. is circulated on the mailing list itss-announce@maillist.ox.ac.uk and posted on the OUCS Status page.

2.10 Webauth faults affecting Webauth-protected systems should be reported to sysdev@it.ox.ac.uk. OUCS will liaise with department and college computing officers: no end-user support is provided.

2.11 Problems encountered by individual users in authenticating themselves are generally caused by invalid or expired information in the underlying databases, and should be reported to registration@oucs.ox.ac.uk, or to the IT Support in the unit responsible for supplying the service accessed through Webauth.

3. Summary of client’s responsibilities

3.1 Departments and colleges wishing to use these services must follow the instructions at http://www.oucs.ox.ac.uk/webauth/howto.xml.

3.2 End-users are responsible for maintaining the security of their Single Sign-on password, and in particular for ensuring that authenticated sessions are not left in operation unattended or after the user has finished using them.

4. Premium services

Not applicable.