Last night I came across Stanford’s WebAuth site again, and this time took a second look at it. A couple of things I noticed:

  • Interfaces with Kerberos or Shibboleth (actually I think Kerberos might be needed on both)
  • Reminds me somewhat of OpenID - one "server" required, many "clients"
  • Uses cookies for "single sign-on" capabilities
  • Hooks / modules exist for Apache, LDAP, Cyrus SASL, and CURL

Questions to answer:

  • Do the "client sites" that hook back into the WebKDC need to be networked to each other?
  • What does KDC stand for?

I use Cyrus SASL in my mail servers, and CURL in some of my PHP implementations, and I definitely use Apache all the time in many instances. I’ve experimented with LDAP and would love to get it more integrated with our operations, but I just haven’t gotten a firm enough grasp of it. And from the community side, it seems to have solid but slightly waning support as a protocol - it’s respected but not widely popular. Why is that, I wonder? Am I missing something?