WebISO: Web Application Agent (WAA) Questionnaire

Pubcookie 3.0
http://www.pubcookie.org
November 23, 2002

1. Model & Capabilities of the Web Authentication Agent (WAA)
   1.1 Which high-level integration model(s) does your WAA support?
   [x] Server module
       [x] Apache 1.3
       [ ] Apache 2.0
       [ ] Java Servlet
       [x] Microsoft ISAPI
       [ ] Other
   [ ] Developer's API
       [ ] C/C++
       [ ] Java/JSP
       [ ] Perl
       [ ] Python
       [ ] Other

   1.2 If applicable, describe the method(s) your
       WebISO solution provides for the WAA to handle 
       N-tier (proxied, delegated) authentication:

Pubcookie has an experimental facility that can give a single delegated
Kerberos ticket to a web application simultaneously with its
authentication assertion. This facility currently requires Kerberos 5, but
we plan to make it more general in future releases. 

2. Authentication Request
   2.1 Describe the API your WAA provides to Web
       applications to initiate authentication.
       What functions can it invoke? What parameters
       can it pass?

Authentication is initiated by the Pubcookie server modules on behalf of
an application.

   2.2 Describe any other options your WAA provides
       to Web applications to influence the authentication
       process.  For example, can it request the
       technology or policy used to handle authentication?

Web applications can configure the Pubcookie server modules to:

 - require reauthentication (i.e., avoid single sign-on)
 - request a specific "authentication type" that may correspond
   with a specific policy, technology, etc. on the weblogin service.
   Pubcookie 3.0 includes two authentication types, called "flavors" in
   Pubcookie terms: a "basic" one (username, password, optional realm) and 
   a "getcred" type that delegates a credential in addition to the
   authentication.

3. Authentication Delivery
   3.1 Describe the information delivered by your
       WAA to Web applications:

	 3.1.1 What user information is provided to the
          application? What is the format?  How does it
          relate to the identifier presented to the
          verification backend?

A username (or username@realm) is provided to Web applications.

       3.1.2 Does the WAA deliver additional user attributes
          (e.g., lookup key value associated with login
           identifier, studentid, group membership)? What is
           the format of this?

No. Pubcookie currently provides authentication information only.

       3.1.3 Can additional information be delivered on request?

No. Pubcookie currently provides authentication information only.

   3.2 Describe the means by which your WAA provides
       authentication information to your application.
       Please be as specific as possible.

The username is provided to Web applications through an environment
variable: REMOTE_USER on Apache, PUBCOOKIE_USER on Microsoft IIS.

4. Authentication Session
   4.1 Briefly describe how authentication session
       information is maintained (if not already covered
       in section 2 above):

The Pubcookie server module uses a session cookie to maintain a Web
application's authentication session. Separately, the Pubcookie login
server maintains a cookie to maintain a user's single sign-on session.

   4.2 Is it possible to for an application to set the
       session duration?  If not already covered above,
       please describe:

Yes, via the configuration of the Pubcookie server modules, a Web
application can set the session duration. This can be a maximum duration
("hard timeout") or a specific duration of user inactivity ("inactivity
timeout").

   4.3 Is it possible to terminate authentication session
       globally? How is that information conveyed to the
       application?

No, not globally (see "wish list"). But, via configuration of the
Pubcookie server module's, a Web application can terminate its own session
and, optionally, the user's single sign-on session with the weblogin
service.

5. Messaging (Weblogin Service (WLS) <-> WAA)
   5.1 Describe the message format used between your
       WAA and weblogin service to request and
       receive authentication information:

Fixed-length proprietary format encoded into a cookie.

   5.2 Describe the protocol used by the WAA to handle
       the above (e.g. SAML POST Profile):

The Pubcookie server modules use a Set-Cookie: header and HTML
"meta-refresh" to direct the user between Web application and WLS.

6. Wish List
   6.1 What changes or additions to the services provided
       by the WAA would you like to see in your system?

 - initiate global/comprehensive logout
 - communicate single sign-on session information to applications
 - avoid prompting the user (simply redirect back if the user hasn't
   already logged in)
 - application-specific co-branding of login page
 - application API support
 - enabling sites to pass more information than just a username

6.2 At a high level, what other changes would you like to
    see in your system?

 - replace current messaging format and mechanisms