University Account authentication
Overview
You can configure your site, or a subset of pages, to require user authentication with a University Account (formerly known as Raven).
With .htaccess using Ucam-WebAuth
Legacy Raven is being retired in December 2024, which means Ucam-WebAuth will no longer be an option to directly authenticate University Accounts against the official university-provided service.
The SRCF hosts Nevar, an alternative service which allows site visitors to authenticate with their University Account over a university-supported protocol (OAuth2), and allows websites to continue requesting authentication information via Ucam-WebAuth. This replacement service will be made the default on the SRCF webserver when Legacy Raven is switched off, in order to maintain site availability.
The SRCF has the mod_ucam_webauth module installed, which makes it easy to do basic authentication using Raven. Full documentation is available, though here are a few common cases.
To protect a directory (whether public_html for your entire site, or a subdirectory of it), create or edit a .htaccess file in that directory, and add the following:
AuthType Ucam-WebAuth
Require valid-user
This will permit access to anyone with a ‘current’ Raven account, i.e. active students and staff. To permit access to any Raven account (including graduated students), add a Ptags directive:
AARequiredPtags none
Alternatively, you may want to limit access to Raven-authenticated users or visitors within the cam.ac.uk domain:
Order allow,deny
Allow from .cam.ac.uk
AuthType Ucam-WebAuth
Require valid-user
Satisfy any
To limit page access to group account admins only, add a unix-group Require directive:
Require unix-group <groupname>
You can also list specific users:
Require user <crsid> <crsid>...
To create a ‘logout’ link, add the following to your .htaccess file (which will create /logout relative to the directory containing the .htaccess file):
<FilesMatch "logout">
SetHandler AALogout
</FilesMatch>
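As an added example (not from the SRCF documentation), here are the directives above combined into a single .htaccess for an admin-only area. The /admin/ path and the group name mysoc are placeholders; substitute your own group account name.

```apacheconf
# Added example .htaccess for an admin-only area such as /admin/
# ("mysoc" is a placeholder group name, not from the SRCF docs)

# 1. Force HTTPS so the authenticated session cookie and admin traffic
#    are never sent in clear.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=permanent,L]

# 2. Require a University Account login, then restrict to admins of the
#    group account. By default only 'current' accounts are admitted;
#    uncomment AARequiredPtags to also admit e.g. graduated accounts.
AuthType Ucam-WebAuth
# AARequiredPtags none
Require unix-group mysoc

# 3. Provide /admin/logout. The pattern is anchored so that only a file
#    named exactly "logout" is handled, not every name containing it.
<FilesMatch "^logout$">
    SetHandler AALogout
</FilesMatch>
```

The `Order allow,deny` / `Allow from .cam.ac.uk` / `Satisfy any` variant from above is deliberately left out here: those are the Apache 2.2-style access directives (served by mod_access_compat on 2.4), and when `Allow from` is given a domain name Apache decides by a double reverse DNS lookup on the client IP, so the unauthenticated bypass depends on the correctness of reverse DNS rather than on a login. For an admin area, requiring the login unconditionally is the simpler and safer choice.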
You can access a Raven-authenticated user’s CRSid using the REMOTE_USER (or AAPRINCIPAL) environment variables. For example, adding the following to a PHP page like index.php will display a customised welcome message on login:
<?php
// REMOTE_USER is set by mod_ucam_webauth once the visitor has logged in;
// escape it before output, as with any value taken from the request.
echo "Hello " . htmlspecialchars($_SERVER['REMOTE_USER']) . "!";
?>
Example configuration
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=permanent]
AuthType Ucam-WebAuth
Require user CRSID
Replace CRSID with your own CRSid. The Rewrite section makes all connections to .../wp-admin/ use SSL, which protects your password; the AuthType section uses Raven to restrict access to the directory, and you will probably want your own CRSid on the Require line.
.htaccess is a hidden file on unix. If you are using the GNOME graphical desktop, pressing Ctrl-h in Nautilus (the default file browser) will show hidden files. (If you are using something else you should be able to work out what to do.)
Within an application
If you’re writing or maintaining a webapp that needs to authenticate users for certain pages, you’ll likely need a Raven, Ucam-WebAuth or OAuth2 library.
The Raven developer documentation may be useful for finding a suitable integration.
Last modified on Sunday Nov 10, 2024 by Richard Allitt