The UW Web Authentication Service uses Pubcookie to leverage centrally maintained UW NetIDs and passwords in order to provide single sign-on authentication to Web servers across the University of Washington network.
In order to be granted access to restricted services and information on the Web, users need to prove their identities by authenticating themselves to Web-based applications. Usually each user does so by providing authentication credentials (e.g., login name, password, SecurID) to each application. However, repeatedly entering these credentials via Web pages and dialog boxes is a nuisance and also increases the likelihood that they may be intercepted or provided to illicit applications. It is also onerous for users to keep track of multiple sets of credentials, one for each application, simply because the applications do not share authentication mechanisms. A further problem is the duplicated effort of Web developers and server administrators, who must maintain these login names and passwords and implement custom authentication mechanisms.
The UW Web Authentication Service uses Pubcookie to leverage the university's existing Kerberos and SecurID infrastructure in order to provide an alternative to less secure, less integrated authentication mechanisms for applications hosted on Web servers throughout the UW.
The UW Web Authentication Service consists of two main components:
UW NetID "weblogin" service (weblogin.washington.edu), which verifies credentials entered by users (UW NetID, password, and sometimes a SecurID number), issues authentication assertions to application servers, and displays logout messages when requested.
Pubcookie installation guides, for Apache and Microsoft IIS Web servers, which provide step-by-step instructions for installing Pubcookie on application servers at the UW and thereby enable them to authenticate users via the "weblogin" service.
The "weblogin" service allows users to become familiar with a single login page, with a recognizable URL, where they can safely enter their credentials. A Web browser that supports cookies and Secure Sockets Layer is all they need to use this service.
The Pubcookie software distributions allow Web application developers to authenticate, without additional programming, any user with a UW NetID. There are minimal requirements for Web applications and servers that want to use Pubcookie for authentication.
Although the UW Web Authentication Service is an important piece of Web security infrastructure at the University of Washington, it still requires users to enter credentials on a Web page at the start of each new session. In the future, other technologies, such as client certificates, may help to reduce even further the number of times users have to authenticate. But until other methods are available, proven, and widely accepted, the university will continue to support the Web Authentication Service.