loncom/auth/lonshibacc.pm - view

File: [LON-CAPA] / loncom / auth / lonshibacc.pm
Revision 1.3: download - view: text, annotated - select for diffs
Mon Dec 6 03:31:54 2021 UTC (3 years, 2 months ago) by raeburn
Branches: MAIN
CVS tags: version_2_12_X, version_2_11_X, version_2_11_6_msu, version_2_11_6, version_2_11_5_msu, version_2_11_5, version_2_11_4_uiuc, version_2_11_4_msu, version_2_11_4, HEAD

- Dual SSO and non-SSO login from /adm/login for use with additional SSO
  mechanisms besides Shibboleth.
  - Default is to use /adm/sso for "authentication" URL.
  - Different authentication URL can be set with lonOtherAuthenUrl perlvar.
  - Update documentation for lonshibauth.pm and lonshibacc.pm
  - Wording change for WAF/Proxy domain configuration
  - If Apache config contains lonSSOEmailOK set to 1, default removal
    of @ "internet domain" from username for SSO authenticated users in
    lonshibacc.pm is skipped.
  - &alias_shibboleth() routine in lonnet.pm renamed alias_sso().

1: # The LearningOnline Network 2: # Authorization handler for Shibboleth authenticated users 3: # 4: # $Id: lonshibacc.pm,v 1.3 2021/12/06 03:31:54 raeburn Exp $ 5: # 6: # Copyright Michigan State University Board of Trustees 7: # 8: # This file is part of the LearningOnline Network with CAPA (LON-CAPA). 9: # 10: # LON-CAPA is free software; you can redistribute it and/or modify 11: # it under the terms of the GNU General Public License as published by 12: # the Free Software Foundation; either version 2 of the License, or 13: # (at your option) any later version. 14: # 15: # LON-CAPA is distributed in the hope that it will be useful, 16: # but WITHOUT ANY WARRANTY; without even the implied warranty of 17: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18: # GNU General Public License for more details. 19: # 20: # You should have received a copy of the GNU General Public License 21: # along with LON-CAPA; if not, write to the Free Software 22: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 23: # 24: # /home/httpd/html/adm/gpl.txt 25: # 26: # http://www.lon-capa.org/ 27: # 28: 29: =head1 NAME 30: 31: Apache::lonshibacc - Initial Authorization handler for 32: SSO-authenticated users. 33: 34: =head1 SYNOPSIS 35: 36: Invoked for /adm/sso by 37: /etc/httpd/conf/loncapa_apache.conf: 38: 39: PerlAuthzHandler Apache::lonshibacc 40: 41: =head1 INTRODUCTION 42: 43: Authorization handler used to remove trailing @internet dom 44: from Shibboleth authenticated username (e.g., @mit.edu). 45: 46: Authorization handler used to: 47: 48: (a) remove trailing @internet dom from Shibboleth 49: authenticated username (e.g., @mit.edu), 50: unless lonSSOEmailOK perl var is set to 1, and/or 51: 52: (b) set URI for authenticated user to /adm/sso, if 53: lonOtherAuthenUrl is set. 54: 55: After making changes to $r->user and/or $r->uri, DECLINED is 56: returned so lonacc.pm can be invoked as the next authorization 57: handler via: 58: 59: PerlAuthzHandler Apache::lonacc 60: 61: =head1 HANDLER SUBROUTINE 62: 63: This routine is called by Apache and mod_perl. 64: 65: =cut 66: 67: package Apache::lonshibacc; 68: 69: use strict; 70: use lib '/home/httpd/lib/perl/'; 71: use Apache::lonnet; 72: use Apache::Constants qw(:common); 73: use LONCAPA qw(:DEFAULT); 74: 75: sub handler { 76: my $r = shift; 77: my $user = $r->user; 78: if ($user ne '') { 79: my $udom = $r->dir_config('lonSSOUserDomain'); 80: if ($udom eq '') { 81: $udom = $r->dir_config('lonDefDomain'); 82: } 83: if ($udom ne '') { 84: my $uprimary_id = &Apache::lonnet::domain($udom,'primary'); 85: my $uint_dom = &Apache::lonnet::internet_dom($uprimary_id); 86: if ($user =~ /^(\w[a-zA-Z0-9_\-.]+)\@\Q$uint_dom\E$/i) { 87: my $username = $1; 88: unless ($r->dir_config('lonSSOEmailOK') == 1) { 89: $user = $r->user($username); 90: } 91: } 92: } 93: if (($r->dir_config('lonOtherAuthenUrl') ne '') && 94: ($r->uri eq $r->dir_config('lonOtherAuthenUrl'))) { 95: $r->uri('/adm/sso'); 96: } 97: } 98: return DECLINED; 99: } 100: 101: 1; 102: __END__