The University of Hawaii's Web Login Service is provided only for use by the University of Hawaii (UH) System. It provides a secure trusted site for users to authenticate to (i.e., provide their username and password) without fear that a web site is going to collect their password. The web site never sees the user's password but does get the user's UH username to identify the user.
This document is intended to provide basic information about this service. Questions may be directed to the ITS IAM group. If your site is using the Web Login Service, please subscribe to the mailing list, UH-WEB-LOGIN-L@hawaii.edu, by going to https://listserv.hawaii.edu/ so that you can be kept informed about things that may affect your site. Please take a look at the PDF document for UH Subscribers on that site for how to subscribe yourself.
When a user visits a web site that requires authentication, the web site redirects the user to the Web Login Service. This is done by having a front page that provides a link to login securely. Figure 1 is an example.
Figure 1. Web site with secure login link
At the Web Login Service, the user will supply their UH username and password to authenticate themselves via the login form (see Figure 2). Once authenticated by the Web Login Service, the user is sent back to the original web site with a one-time-use token. The token is used by the original web site to find out what the user's UH username is. This is done by asking the Web Login Service to validate the token.
Figure 2. Web Login form
A web site that requires users to authenticate will keep track of a user's session. It usually provides a way for a user to logout or terminate their session.
The Web Login Service also provides a single signon feature that automatically logs in a user to all web sites that use the Web Login Service. This feature is enabled for users if their browser accepts cookies from the Web Login Service. It lasts until the user closes their browser or two hours have elapsed since the last time that the user authenticated to the Web Login Service.
As a safety feature, users can ask to be warned that they are being automatically logged into a new web site. On the login form above, they can check the checkbox that says, “Warn me before logging me in to other sites.” The next time that a user goes to a web site that uses the Web Login Service, they will see this warning screen from the Web Login Service.
Figure 3. Web Login form
The single signon feature can also be revoked by a web site by redirecting the user to the Web Login Service's logout URL. Once sent there, the user will be notified that they have been logged out by the Web Login Service. The next time that they visit a web site that uses the Web Login Service they will be asked to authenticate themselves.
Alternatively, you can force the user to login whenever they click on the link to login securely. This way you are explicitly overriding the single signon feature. To do this, see the Web developer's documentation.
The cookies sent by the Web Login Service do not contain any private information about the user. Neither the user's UH username nor password is stored in any cookie coming from the Web Login Service. SSL provides an additional safeguard by preventing eavesdropping on the cookies being sent between the Web Login Service and the user's browser.
Documentation for Web application developers is available in the file, 0-web-developers.txt.
The documentation includes two demo scripts: ASP and PHP. They should provide a start to using the Web Login Service. The PHP demo script gives you a good example of how to structure your web app to take advantage of the Web Login Service for single signon and how to disable single signon.
You should always have your main page display the link to the Web Login Service with some wording to the user about the use of the Web Login Service. This is to firmly establish in the user's mind the use of a well-known secure site where they can present their credentials (i.e., password) safely. More importantly, your users can bookmark a safe URL independent of the Web Login Service's URL.
Upon validating the service ticket, redirect the user back to your service URL so that the service ticket is no longer part of the URL that the user ends up on. This will allow the user to bookmark a page (URL) that won't cause looping between your site and the Web Login Service. Be kind to your users.
CAUTION: The Web Login Service will authenticate anyone in the UH Core LDAP Directory Service. This includes all current people in the UH System as well as visitors managed by VIA (Visitor Internet Access) for UH. Therefore, all developers must authorize users that login to ensure that information is not released to the wrong parties. Please refer to the Web Developer's documentation for details.
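The relying-party steps above (send the user to the login page, optionally forcing a fresh login, read the one-time ticket off the return URL, validate it, authorize the username, then redirect to a ticket-free URL) as an added Python example; this is not the ASP or PHP demo script and not the Web Login Service's own code. The endpoint URLs, the CAS 1.0 "yes/no" validate response format, the renew parameter and the authorized-user list are assumptions, and the HTTPS fetch is injected so the flow can be exercised offline.

```python
from urllib.parse import urlencode, urlparse, parse_qs, urlunparse

# Assumed placeholder endpoints; the real URLs are in the Web developer's documentation.
LOGIN_URL = "https://login.example.edu/cas/login"
VALIDATE_URL = "https://login.example.edu/cas/validate"
SERVICE_URL = "https://app.example.edu/index.php"

# Constructed authorization list: the UH usernames this application admits.
# Authentication only proves who the user is; admission is the app's own decision.
AUTHORIZED = {"jdoe", "asmith"}

def login_redirect(service, force_login=False):
    """URL the browser is sent to. renew=true (standard CAS parameter, assumed
    to be honored by this deployment) forces re-authentication, overriding SSO."""
    params = {"service": service}
    if force_login:
        params["renew"] = "true"
    return f"{LOGIN_URL}?{urlencode(params)}"

def ticket_from_request(url):
    """Return the one-time ticket appended to the service URL, or None."""
    tickets = parse_qs(urlparse(url).query).get("ticket", [])
    return tickets[0] if tickets else None

def validate_url(service, ticket):
    """Server-side validation request; service must equal the one sent at login."""
    return f"{VALIDATE_URL}?{urlencode({'service': service, 'ticket': ticket})}"

def parse_validate_response(body):
    """CAS 1.0 plain-text response (assumed): 'yes\\n<username>\\n' or 'no\\n\\n'."""
    lines = body.split("\n")
    if len(lines) >= 2 and lines[0].strip() == "yes" and lines[1].strip():
        return lines[1].strip()
    return None

def strip_ticket(url):
    """Same URL without the ticket parameter: the page the user may safely bookmark."""
    parts = urlparse(url)
    qs = {k: v for k, v in parse_qs(parts.query).items() if k != "ticket"}
    return urlunparse(parts._replace(query=urlencode(qs, doseq=True)))

def handle_request(url, fetch, force_login=False):
    """Returns (action, location, username). `fetch(url)` performs the HTTPS GET
    to the validate URL; a session would be created on the 'redirect' success path."""
    service = strip_ticket(url)
    ticket = ticket_from_request(url)
    if ticket is None:
        return ("redirect", login_redirect(service, force_login), None)
    username = parse_validate_response(fetch(validate_url(service, ticket)))
    if username is None or username not in AUTHORIZED:
        return ("deny", None, None)  # invalid ticket or an authenticated but unauthorized user
    return ("redirect", service, username)
```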
The Web Login Service uses a modified version of the Central Authentication Service (CAS) open source software from Yale University which has become a project under JA-SIG. Documentation for CAS is available at:
However, do not ask Yale or JA-SIG for support with regards to the Web Login Service as they do not know what changes we have made. Use their site for the information about the original distribution.
The old look of the Web Login form was retired as of November 10, 2008. The new look of the login form marks the introduction of a multi-level login process for web applications that need a higher level of security in identifying (authenticating) users.
Figure 4. Old Web Login form as of 11/10/08
This is the original look of the Web Login form that was retired as of August 1, 2007 with the use of a non-standard HTTPS port, 8445.
Figure 5. Old Web Login form as of 07/19/07