mod_auth_pubtkt is an Apache module that authenticates a user based on a cookie with a ticket that has been issued by a central login server and digitally signed using either RSA or DSA. This means that only the trusted login server has the private key required to generate tickets, while web servers only need the corresponding public key to verify them.

Whenever mod_auth_pubtkt encounters a request without a valid ticket/cookie, it redirects the user to a pre-configured login URL, passing the originally requested URL as a GET parameter. The login server can then prompt the user for credentials, verify them using any authentication backend it chooses, and upon success, generate a login ticket (signed with its private key), return it in a cookie to the client, and finally redirect the user back to the originally requested URL.