Title of Service: The Webauth Authentication System
Status of Document: This document describes services offered in June 2011.
Webauth is a system providing single sign-on for web based services. Single sign-on means that users of Webauth-authenticated services enter a username and a password only once (per session) to a central login server. Any further access to other Webauth-based services is automatically and securely authenticated without further interaction by the user.
Webauth is currently based around Kerberos, a general network single sign-on system. Webauth encapsulates Kerberos tickets into cookies which, when unpacked by the server, provide proof of the identity of the user of the connecting browser. Webauth-protected services never need to see the password of the user, because they make use of a trusted third party to verify the identity of the user. Departments and colleges can set up their own protected services, using the central Webauth system.
This service is provided for use by registered ITSS wishing to authenticate Oxford users visiting their web services.
Overview of Service
2. Summary of OUCS’s responsibilities
Hours of Service
2.1 The service is offered as follows:
2.2 OUCS will commence investigation of reported faults within one hour when full technical support is available (provided that no similar fault is already being handled by the same team).
Service Level Targets
2.3 It is intended, as far as is possible, to maintain service availability at all times apart from exclusions listed under 2.1, however there are no formal targets.
2.4 The Webauth service runs on a cluster of four servers, spread across two geographical sites in Oxford and connected by two separate network routes, to provide a high degree of resilience.
2.5 There are many methods of providing protected access to services: this is the only University shared service providing central web-based authentication.
Hardware and Software Maintenance
2.6 The machines used are maintained under warranty by the supplier.
2.7 Software updates are applied by OUCS staff – this is done with the minimum of interruption to service. Any scheduled downtime for maintenance or upgrade will be notified at least 24 hours in advance.
Administration and Support
2.8 Information for departmental and college system administrators is given at http://www.oucs.ox.ac.uk/webauth/howto.xml.
2.9 Notification of faults, outages, etc is circulated on the mailing list email@example.com and notified via the OUCS Status page.
2.10 Webauth faults affecting Webauth-protected systems should be reported to firstname.lastname@example.org. OUCS will liaise with department and college computing officers: no end-user support is provided.
2.11 Problems encountered by individual users in authenticating themselves are generally caused by invalid or expired information in the underlying databases, and should be reported to email@example.com, or to the IT Support in the unit responsible for supplying the service accessed through Webauth.
3. Summary of client’s responsibilities
3.1 Departments and colleges wishing to use these services must follow the instructions at http://www.oucs.ox.ac.uk/webauth/howto.xml.
3.2 End-users are responsible for maintaining the security of their Single Sign-on password, and in particular for ensuring that authenticated sessions are not left in operation unattended or after the user has finished using them.
4. Premium services