WebAuth 3.5.0 Announcement
The ITS WebAuth team is pleased to announce Stanford WebAuth 3.5.0. This release is a significant update to the weblogin portion of the WebKDC, and also changes the default setting for WebAuthExtraRedirect.
Before upgrading the WebKDC and weblogin server to this release, be sure to read the new weblogin configuration and page flow documentation. Existing weblogin templates will require modification to work with the new weblogin server code.
For documentation and downloads of WebAuth 3.5.0, see:
We have not yet updated the versions of the binary packages for Solaris but do plan to build them for this release. A separate announcement will be posted when that work is finished.
The user-visible changes in this release are:
Rename the template variables used by the weblogin templates to be a bit more consistent and add an error variable to the login template that is set whenever there was any error. Existing weblogin templates will require modifications. See doc/weblogin-config for the new configuration and customization documentation.
Sometimes an Apache authentication mechanism should only be attempted if the user explicitly requests it since it may fail in a way that doesn't allow weblogin to proceed. SPNEGO is an example, since it has bad behavior with some browsers. Implement weblogin script support for the required more complex page flow and additional template variables.
Document in detail how to configure the weblogin front-end, including all of the template variables used and the configuration variables that can be set in /etc/webkdc/webkdc.conf.
Document in detail the page flow for the weblogin script and the variables it uses when rendering page templates.
WebAuthExtraRedirect is now the default. If you don't want this behavior, you now need to turn it off explicitly in the Apache configuration.
WebAuthExtraRedirect is now accepted at the server and virtual host level as well as in <Directory> and .htaccess files.
In the WebKDC installation instructions, stop recommending that the WebkDC /webkdc-service URL run on a different port than the regular SSL port. There's no reason why it and the weblogin service can't both run on the regular SSL port.
Preliminary port to Heimdal 0.6 (0.7 was previously supported). This has not yet been well-tested.