WebAuth 3.0.0 Announcement
The ITSS WebAuth team is pleased to announce the beta release of Stanford WebAuth version three, a completely rewritten implementation of Stanford's web authentication system.
This release is fully functional for basic authentication (establishing the SUNet ID of someone visiting a web site). Additional capabilities will be added in subsequent releases. The intention of this initial release is to provide a working system for clients to begin evaluating for their needs, to obtain feedback from the Stanford community on the new system, and to begin the gradual process of migration to the new system.
For documentation and downloads of WebAuth 3.0.0, see:
Among the features of this new version of WebAuth are:
The underlying protocol has been completely redesigned to improve security and to work more smoothly for clients behind NAT or in other situations where S/Ident is not helpful. It is now based on Kerberos v5 instead of Kerberos v4, and is extensible to allow for other authentication protocols in the future.
Users will only have to enter their username and password into the weblogin server once per session, unless they are accessing an application that needs extra, higher security. Currently, users who have to use weblogin have to enter their username and password again for every site that they visit.
The code has been completely rewritten and is now available as free software. Anyone can download the WebAuth source, read it, port it to their own preferred operating system, or compile it for their particular server environment. The source distribution follows the standard configure, make, make install model for installing Unix software packages.
WebAuth is now implemented as Apache 2.0 modules, allowing us to move to the current and best supported version of the Apache web server.
The complete WebAuth protocol specification is available, and the WebAuth documentation has been greatly improved (although we're still actively working on the documentation and will be improving it further in the coming months).
The following portions of our current WebAuth system are not yet implemented in WebAuth 3.0, but will be coming in the future:
Directory information will be obtained from the new OpenLDAP directory server via Kerberos v5 authentication, but the new directory server is not yet ready for production applications. A subsequent release of WebAuth with LDAP support is currently scheduled for spring break.
WebAuth 3.0.0 does not support S/Ident authentication, only authentication via weblogin (although this only has to be done once per session, as mentioned above). There are some plans for adding support for a Kerberos v5 version of S/Ident, but due to the difficulties with NAT and firewalls the S/Ident authentication protocol is much less central to the design of WebAuth v3.
If you are running a WebAuth server currently, you are encouraged to take a look at WebAuth v3 and start learning about how it works, since there are significant architectural differences from the current WebAuth system. However, if your application relies on LDAP directory information, you will not be able to migrate fully to WebAuth v3 yet.
Any feedback on WebAuth v3 can be submitted via HelpSU. Please let us know about any problems that you encounter or any portions of the documentation that you find unclear, and we will attempt to address those problems in upcoming releases.
A full production release of WebAuth v3, including LDAP support and suitable for migrating any existing WebAuth application, is currently scheduled for spring quarter, depending on the status of the new OpenLDAP directory service.