Cookie based web authentication and single sign on system designed for largish intranets under a single domain where many people run their own webservers. It is also quite useful for providing single sign on for sets of local web applications. Any application that supports Apache REMOTE_USER authentication (e.g. Apache Basic authentication) can be configured to work with idcheck.
On first connection, an untrusted webserver redirects new requests for restricted pages to the idcheck server (to be authenticated). The idcheck server takes and checks the users credentials and, if successful, redirects the users browser back to the page they requested. As it redirects, the server installs a private cookie (scoped only for the idcheck webserver) and a second cookie that acts as a session cookie for the untrusted webserver (which is checked for validity, over http against the idcheck server) when downloading subsequent pages.
When the user accesses another webserver that also has idcheck restricted pages he does not need to enter his credentials again because of the private idcheck cookie indicates that he has already authenticated and so can bypass the login form. This provides a single sign on environment for multiple webservers in a single domain.
In addition, The mechanism provides detailed, filtered, data about the user to other webservers so that they can make fine grained access decisions. For example, with idcheck and a suitable authentication source (e.g. an LDAP server) it is possible to restrict certain areas of websites to individuals or groups of individuals (e.g. those in the same department).
This package contains the following components:
The entry (out of date) in the apache modules registry is here. There is also a FAQ, a brief summary, a diagram of basic operation (PDF/SVG) and some SHA1 file checksums.
Packages for Fedora can be built with 'rpmbuild -ta idcheck-X.Y.Z.tar.gz'. That might work on other similar distributions. I have some contributed notes on how to debianize these.
Recently a version of the idcheck client in PLT Scheme was released by untyped.com. It is maintained by untyped.com and is not part of the main distribution.
The software has been released under the GPLv2. Please send comments/bugs (or reports of successful installation!) to m.d.t.evans-idcheck@qmul.ac.uk.