We're working on improving Raven resources for developers and site operators.

Try out the new Raven documentation for size.

The WebAuth protocol should not be used for new sites or applications.

The Raven Project

These pages provide resources for people interested in using the Raven Web Authentication service http://raven.cam.ac.uk/. They concentrate on resources representing the 'officially supported' aspects of the service. Other information that was previously here, and lots of new stuff, is in the Raven Wiki.

The 'officially supported' service consists (roughly) of the central Raven authentication server (and associated user registration infrastructure and keys) supporting both Ucam WebAuth and Shibboleth (SAML) authentication, two Ucam WebAuth application agents (an Apache module and a Java toolkit), the Raven mailing lists, and support and development resources (including the 'Test and Demonstration' server). Don't let this put you off investigating the many other Raven-related resources listed in the Wiki.

Application Agents

To use Raven authentication, a web server needs some sort of 'Application Agent' to implement the Raven functionality. This could be built into a web application (such as a PHP or CGI script or a Java program, for so-called "application managed" security), or it could be an 'Authentication handler' for the web server that you are using ("container managed" security).

University Information Services maintains and supports:

Various other Application agents developed by various people are listed on the Wiki's Application agents page. The Shibboleth (SAML) interface to Raven will work with suitably-configured SAML agents - the SP agent supplied by the Shibboleth Consortium is known to work with Raven.

A Ucam WebAuth authentication module for IIS 6 is also available, but it doesn't work with later versions of IIS and so should be considered obsolete.


Ucam WebAuth Application Agents need access to the current Raven public keys in order to verify authentication responses. They are available in the keys directory.

Mailing Lists

There are two mailing lists for people interested in Raven:

  • cs-raven-announce which carries announcements about the Raven service and developments and is intended to be low-volume. Anyone using Raven on a web site that they administer should probably be subscribed to this list.
  • cs-raven-discuss which is for discussing use and development of software that interacts with Raven, and of general issues arising from using it.

Follow the links above, or send a message to cs-raven-announce-request@lists.cam.ac.uk or cs-raven-discuss-request@lists.cam.ac.uk with the word 'help' in the subject or body for more information.

Support Services

Anyone administering a Raven-using server or developing Raven-related software is welcome to contact UIS Raven administrators at raven-support@ucs.cam.ac.uk with queries or comments. However, consider sending Raven-related messages to the cs-raven-discuss mailing list instead. Sending messages to the list allows others to benefit from any discussion and may spark additional ideas. The Raven administrators are members of this list.

Users with Raven-related problems should normally contact the administrators of the relevant Raven-protected service in the first instance. Failing that, they should contact the UIS Service Desk.

Development Resources

Raven operates an instance of the 'University of Cambridge Web Authentication System' (Ucam-webauth). An introduction to how it works is included in the main Raven service documentation. The protocol used for communication between web servers and the Raven Ucam WebAuth server is documented in The Cambridge Web Authentication System: WAA->WLS communication protocol (currently version 4.1 -- copies of older versions are available: 4.0, 3.0, 2.0, 1.6, 1.4, 1.3, 1.1, and on github).

There is a Pseudo-code Application Agent available which provides an example of how an application agent could be coded.

As well as the production server, a second test and demonstration Raven Ucam WebAuth server, populated with 500 test accounts with fixed, well-known passwords, is provided to assist in developing, testing or demonstrating Raven-enabled services.

The Raven server currently includes a test page which simulates various requests to the authentication server and displays decoded versions of the resulting response. Note that this page exercises some features of the protocol (in particular multiple authentication types) that are not currently used.

Other software

Some third-party Raven software is distributed from here for convenience but is described in the Wiki. This includes:

Usage statistics

Various graphs showing analysed usage information are available:

Summaries of the Raven/WebAuth and Raven/Shibboleth usage logs are also available.

A translation of this page to Serbo-Croatian has been contributed by Anja Skrba.