Webauth

• Webauth developed at Stanford
• Kerberos 5 requires 'smart' client, web browsers are not in general smart enough.
  • Instead use a Webauth "KDC" passing tokens encoded in URLs and cookies
• The players:
  • User Agent (UA)
  • Webauth enabled Application Service (WAS)
  • WebKDC
• Initial Sign On:
  • UA requests a protected page from WAS
  • No cookie presented to WAS, redirects to WebKDC
  • No cookie presented to WebKDC, presents a login form
  • Success? WebKDC sets a cookie, confimation page links back to WAS with credentials in the URL
  • WAS extracts credentials, sets cookie, presents page
  • UA visits another protected URL on the WAS, presents cookie
  • WAS verifies cookie, presents page
• Single Sign On:
  • UA requests protected page from another WAS
  • No cookie presented to WAS, redirects to WebKDC
  • UA presents cookie to WebKDC, verifies, presents confirmation page
  • WAS extracts credentials, sets cookie, presents page
  • etc
• Webauth protected services:
  • https://portal.ox.ac.uk/protected/
  • https://kwiki.oucs.ox.ac.uk/sysdev/
• How to set up a Webauth protected service at Oxford
• Simple krb5.conf
• Apache2 config