1. What is Webauth?

Webauth is a system developed at Leland Stanford Junior University providing single sign-on for web based services. Single sign-on means that users of Webauth authenticated services, enter a username and a password only once (per session) to a central login server. Any further access to other Webauth based services are automatically and securely authenticated without the user being aware that this has happened.

Webauth is currently implemented as an authentication module for Apache 2. Given an SSL based Apache 2 server it is very easy to configure a Webauth protected service.

Webauth is currently based around (but not limited to) Kerberos 5, a general network single sign-on system developed at MIT. In essence Webauth encapsulates Kerberos tickets into cookies which, when unpacked by the server, provide proof of the identity of the user of the connecting browser.

Webauth protected services never need to see the password of the user because they make use of a trusted third party to verify the identity of the user. The advantage of this is that compromise of a single Webauth protected service does not automatically lead to password compromise for all other Webauth services.

Up: Contents Next: 2. How does it work?

Sections in this document: