Skip navigation

STANFORD UNIVERSITY

INFORMATION TECHNOLOGY SERVICES

Minimal WebAuth Configuration

The following Apache configuration fragment is a sample minimal configuration for a WebAuth server, similar to the one given in the installation instructions but with comments explaining each step of what's going on.

In the Webauth v3 model, each WebAuth server has to talk to a central authentication server called the WebKDC, both to send users to the login server and to be able to interpret the tokens that it returns. Some of the directives below are needed to facilitate that behind-the-scenes communication.

# The Webauth module is built as a dynamic module by default.  This loads
# it into Apache.
LoadModule webauth_module modules/mod_webauth.so

# Location of the server's private AES keys, used for communication with
# the WebKDC.  Generated and maintained automatically, so it must be
# writable by the Apache server process.
WebAuthKeyring conf/webauth/keyring

# Location of the server's Kerberos v5 keytab.  You need to generate this
# file as part of the installation.
WebAuthKeytab conf/webauth/keytab

# Location of where the service tokens are kept.  These tokens are used to
# authenticate internal communication with the WebKDC.  This file has to
# be writable by the Apache server processes.
WebAuthServiceTokenCache conf/webauth/service_token_cache

# Where the user is redirected to enter username/password.  This is part
# of the site configuration and will be provided by the person who sets up
# the WebKDC for your site.  Stanford users should replace webkdc with
# weblogin.stanford.edu.
WebAuthLoginURL https://webkdc/login/

# URL used for behind-the-scenes communication with the WebKDC.  As above,
# this is part of the site configuration.  Stanford users should replace
# webkdc with weblogin.stanford.edu.
WebAuthWebKdcURL https://webkdc/webkdc-service/

# The service name to use when communicating with the WebKDC.  The below
# is just our recommendation.  The principal name is part of the site
# configuration.
WebAuthWebKdcPrincipal service/webkdc

# This file is only needed if your WebKDC is using a self-signed
# certificate.  Stanford users should not need to set it.  For those that
# are, you should copy that certificate (the file mentioned in the
# WebKDC's Apache SSLCertificateFile directive) to a local file, and point
# to that file with this directive.
#
# WebAuthWebKdcSSLCertFile conf/webauth/webkdc.cert

# Anyone who tries to access a WebAuth-protected page via HTTP rather than
# HTTPS should be redirected to HTTPS.
WebAuthSSLRedirect on

# If you are having trouble getting WebAuth to run, you should turn on
# debug.
#
# WebAuthDebug on

# If you are really have trouble getting WebAuth to run, you should turn
# on debug, and also enable the /webauth-status URL, then point your
# browser at it to check on the status of mod_webauth.  You should turn
# off the webauth-status URL when you are done.
#
#<Location /webauth-status>
#   SetHandler webauth
#   Order allow,deny
#   Allow from all
#</Location>

# Example of restricting a location to authenticated users only.  If
# uncommented, all URLs under /private/ would require WebAuth
# authentication to access.
#
#<Location /private/ >
#    AuthType WebAuth
#    Require valid-user
#</Location>

# Example of a logout page for a particular application.  (Note that even
# if the user goes to this page, they will still have their site-wide
# single sign-on cookie, so they will not be completely logged out.  This
# will only destroy their credentials for that particular application.)
# There should also be a web page that this URL corresponds to; WebAuth
# will not generate one internally.
#
#<Location /logout/ >
#    AllowOverride All
#    WebAuthDoLogout on
#</Location>
Last modified Friday, 12-Dec-2014 02:31:11 PM

Stanford University Home Page