Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

Multiple themed WebAuth frontends

Russ Allbery eagle at
Wed Oct 24 09:21:29 PDT 2012

Rafael Hinojosa <rhinojos at> writes:

> We're running WebAuth, both the webkdc & webauth modules on an Ubuntu
> running Apache/2.2.14 (Ubuntu).

> We're using WebAuth for protected web pages (webauth) & for our
> authentication part of our Shibboleth IdP
> (shibboleth-identityprovider-2.3.5).

> I'd like to configure a differently themed WebAuth login page for a
> different Shibboleth enabled application and would like to know...

> Is there a way for me to simply reference a theme in the login URL
> defined in my Shibboleth config (like say in relaying party), or will I
> need to create a separate Apache host to point to which will use a
> different theme?

There currently isn't a clearly-documented way to do this, but it would be
possible to do with some minor modifications to the login.fcgi script.

All of the theming for WebLogin is done via the page templates (and of
course any CSS or other files that they reference).  Those page templates
are defined in login.fcgi:

# The names of the template pages that we use.  The beginning of the main
# routine changes the values here to be Template Toolkit objects.
our %PAGES = (confirm     => 'confirm.tmpl',
              error       => 'error.tmpl',
              login       => 'login.tmpl',
              logout      => 'logout.tmpl',
              multifactor => 'multifactor.tmpl',
              pwchange    => 'pwchange.tmpl');

and similarly in logout.fcgi and pwchange.fcgi.  The relative paths are
resolved inside the WebLogin Perl module to be relative to
$WebKDC::Config::TEMPLATE_PATH, which in turn is loaded from

There are therefore a couple of ways that you can do this, since you can
intercept any part of that chain and change which templates are used.  The
easiest thing to do would probably be to make a copy of the login.fcgi
script, and, at the start of the script, add:

    $ENV{WEBKDC_CONFIG} = '/etc/webkdc/webkdc-alt.conf';

(or whatever path you want to use).  If the WEBKDC_CONFIG environment
variable is set, WebLogin will load that file instead of the default
/etc/webkdc/webkdc.conf.  You can then, in that alternate configuration,
set TEMPLATE_PATH to some other directory.

Then, add a separate URL in your Apache configuration pointing to that
version of login.fcgi (and likewise for logout.fcgi and pwchange.fcgi if
you want to retheme the entire experience, although for most purposes you
can probably leave those with the default theme), and, for the host that
you want to have use the separate theme, change the WebAuthWebKdcLoginURL
setting to point to that new login URL.

I'm recommending making a copy of the script just because it might be a
bit easier to see the flow and debug it, but note that it would be
possible to do this entirely in the Apache configuration using mod_env to
set the WEBKDC_CONFIG environment variable in a <Location> block for the
alternate-themed login URL, if you didn't want to make a copy of the
script.  That might be an even better approach, since then you won't have
to worry about updating your copy of login.fcgi if anything changes about
the script included with WebLogin.  (Although it's a fairly simple
wrapper, it has changed a few times.)  You may want to start by making a
copy of the script and getting that working first, and then switch over to
setting the environment variable inside Apache once the basic flow is

Russ Allbery <eagle at>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University

More information about the webauth-info mailing list