Annotation of loncom/auth/lonshibauth.pm, revision 1.18
1.1 raeburn 1: # The LearningOnline Network
1.13 raeburn 2: # Redirect Single Sign On authentication to designated URL:
3: # /adm/sso, by default.
1.1 raeburn 4: #
1.18 ! raeburn 5: # $Id: lonshibauth.pm,v 1.17 2022/09/17 23:38:50 raeburn Exp $
1.1 raeburn 6: #
7: # Copyright Michigan State University Board of Trustees
8: #
9: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
10: #
11: # LON-CAPA is free software; you can redistribute it and/or modify
12: # it under the terms of the GNU General Public License as published by
13: # the Free Software Foundation; either version 2 of the License, or
14: # (at your option) any later version.
15: #
16: # LON-CAPA is distributed in the hope that it will be useful,
17: # but WITHOUT ANY WARRANTY; without even the implied warranty of
18: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19: # GNU General Public License for more details.
20: #
21: # You should have received a copy of the GNU General Public License
22: # along with LON-CAPA; if not, write to the Free Software
23: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
24: #
25: # /home/httpd/html/adm/gpl.txt
26: #
27: # http://www.lon-capa.org/
28: #
29:
30: =head1 NAME
31:
1.13 raeburn 32: Apache::lonshibauth - Redirect Single Sign On authentication
1.1 raeburn 33:
34: =head1 SYNOPSIS
35:
1.13 raeburn 36: Invoked when an Apache config file includes:
37: PerlAuthenHandler Apache::lonshibauth
1.1 raeburn 38:
39: If server is configured as a Shibboleth SP, the main Apache
1.13 raeburn 40: configuration file, e.g., /etc/httpd/conf/httpd.conf
1.1 raeburn 41: (for RHEL/CentOS/Scentific Linux/Fedora) should contain:
42:
43: LoadModule mod_shib /usr/lib/shibboleth/mod_shib_22.so
44:
45: or equivalent (depending on Apache version)
46: before the line to include conf/loncapa_apache.conf
47:
1.13 raeburn 48: If some other Apache module is in use for Single Sign On
49: authentication e.g., mod_auth_cas or mod_sentinel,
50: then a separate config file should be created which
51: includes settings for the authentication module.
52:
1.1 raeburn 53: =head1 INTRODUCTION
54:
1.13 raeburn 55: Redirects a user requiring Single Sign On to a URL on the server
56: which is configured to use that service. The default URL is:
57: /adm/sso.
58:
59: If this is to be used with a Single Sign On service other Shibboleth
60: then an Apache config file needs to be loaded which:
61:
62: (a) loads the corresponding Apache module, and
63: (b) sets appropriate values for perl vars in
64: an <IfModule mod_***></IfModule> block, and
65: (c) sets an appropriate value for AuthType in a
66: <Location /adm/sso><IfModule mod_***>
67: </IfModule></Location> block, which also contains
68:
69: require valid-user
70:
71: PerlAuthzHandler Apache::lonshibacc
72:
73: PerlAuthzHandler Apache::lonacc
74:
75: In the case of Shibboleth no additional file is needed
76: because loncapa_apache.conf already contains:
77:
78: <IfModule mod_shib>
79: PerlAuthenHandler Apache::lonshibauth
80: PerlSetVar lonOtherAuthen yes
81: PerlSetVar lonOtherAuthenType Shibboleth
82:
83: </IfModule>
84:
85: and
86:
87: <Location /adm/sso>
88: Header set Cache-Control "private,no-store,no-cache,max-age=0"
89: <IfModule mod_shib>
90: AuthType shibboleth
91: ShibUseEnvironment On
92: ShibRequestSetting requireSession 1
93: ShibRequestSetting redirectToSSL 443
94: require valid-user
95: PerlAuthzHandler Apache::lonshibacc
96: PerlAuthzHandler Apache::lonacc
97: ErrorDocument 403 /adm/login
98: ErrorDocument 500 /adm/errorhandler
99: </IfModule>
100: <IfModule !mod_shib>
101: PerlTypeHandler Apache::lonnoshib
102: </IfModule>
103:
104: </Location>
105:
106: If the service is not Shibboleth, then (optionally) a URL that is
107: not /adm/sso can be used as the URL for the service, e.g., /adm/cas
108: or /adm/sentinel, by setting a lonOtherAuthenUrl perl var
109: in an Apache config file containing (for example):
110:
111: PerlSetVar lonOtherAuthenUrl /adm/sentinel
112:
113: <IfModule mod_sentinel>
114: PerlAuthenHandler Apache::lonshibauth
115: PerlSetVar lonOtherAuthen yes
116: PerlSetVar lonOtherAuthenType Sentinel
117:
118: </IfModule>
119:
120: <Location /adm/sentinel>
121: Header set Cache-Control "private,no-store,no-cache,max-age=0"
122: <IfModule mod_sentinel>
123: AuthType Sentinel
124: require valid-user
125: PerlAuthzHandler Apache::lonshibacc
126: PerlAuthzHandler Apache::lonacc
127: ErrorDocument 403 /adm/login
128: ErrorDocument 500 /adm/errorhandler
129: </IfModule>
130: <IfModule !mod_sentinel>
131: PerlTypeHandler Apache::lonnoshib
132: </IfModule>
133:
134: </Location>
135:
136: In the example above for Sentinel SSO, it would also be possible to
137: use /adm/sso instead of /adm/sentinel, in which case (i) there would be
138: no need to define lonOtherAuthenUrl, (ii) there would be <Location /adm/sso>
139: and (iii) the <IfModule !></IfModule> block would not be needed as
140: it is already present in /etc/httpd/conf/loncapa_apache.conf.
1.1 raeburn 141:
142: =head1 HANDLER SUBROUTINE
143:
144: This routine is called by Apache and mod_perl.
145:
146: =over 4
147:
1.13 raeburn 148: If $r->user is defined and requested URL is not /adm/sso or
149: other specific URL as set by a lonOtherAuthenUrl perlvar,
150: then redirect to /adm/sso (or to the specific URL).
151:
152: Otherwise return DECLINED.
153:
154: In the case of redirection a query string is appended,
155: which will contain either (a) the originally requested URL,
156: if not /adm/sso (or lonOtherAuthenUrl URL), and
157: any existing query string in the original request, or
158: (b) if original request was for /tiny/domain/uniqueID,
159: or if redirect is to /adm/login to support dual SSO and
160: non-SSO, a query string which contains sso=tokenID, where the
161: token contains information for deep-linking to course/resource.
162:
163: Support is included for use of LON-CAPA's standard log-in
164: page -- /adm/login -- to support dual SSO and non-SSO
165: authentication from that "landing" page.
166:
167: To enable dual SSO and non-SSO access from /adm/login
168: a Domain Coordinator will use the web GUI:
169: Main Menu > Set domain configuration > Display
170: ("Log-in page options" checked)
171: and for any of the LON-CAPA domain's servers which
172: will offer dual login will check "Yes" and then set:
173: (a) SSO Text, Image, Alt Text, URL, Tool Tip
174: (b) non-SSO: Text
175:
176: The value in the URL field should be /adm/sso,
177: or the same URL as set for the lonOtherAuthenUrl
178: perl var, e.g., /adm/sentinel.
1.1 raeburn 179:
1.13 raeburn 180: =back
181:
182: =head1 NOTABLE SUBROUTINES
183:
184: =over 4
185:
186: =item set_token()
187:
188: Inputs: 2
189: $r - request object
190: $lonhost - hostID of current server
191:
192: Output: 1
193: $querystring - query string to append to URL
194: when redirecting.
195:
196: If any of the following items are present in the original query string:
197: role, symb, and linkkey, then they will be stored in the token file
198: on the server, for access later to support deep-linking. If the ltoken
199: item is available, from successful launch from an LTI Consumer where
200: LON-CAPA is the LTI Provider, but not configured to accept user
201: information, and the destination is a deep-link URL /tiny/domain/uniqueiD,
202: then the LTI number, type (c or d), and tiny URL will be saved as the
203: linkprot item in a token file.
1.1 raeburn 204:
1.17 raeburn 205: =item set_mailtoken()
206:
207: Inputs: 2
208: $r - request object
209: $lonhost - hostID of current server
210:
211: Output: 1
212: $querystring - query string to append to URL
213: when redirecting.
214:
215: Called if requested URL is /adm/email, dual SSO and non-SSO login
216: are supported by /adm/login and original query string contains values
217: for elements: display, username and domain, which will then be
218: stored in the token file on the server to support direct access
219: to a specific message sent to the user.
220:
1.1 raeburn 221: =back
222:
223: =cut
224:
225: package Apache::lonshibauth;
226:
227: use strict;
228: use lib '/home/httpd/lib/perl/';
1.3 raeburn 229: use Apache::lonnet;
1.11 raeburn 230: use Apache::loncommon;
231: use Apache::lonacc;
1.2 raeburn 232: use Apache::Constants qw(:common REDIRECT);
1.11 raeburn 233: use LONCAPA qw(:DEFAULT :match);
1.1 raeburn 234:
235: sub handler {
236: my $r = shift;
1.13 raeburn 237: my $ssourl = '/adm/sso';
238: if ($r->dir_config('lonOtherAuthenUrl') ne '') {
239: $ssourl = $r->dir_config('lonOtherAuthenUrl');
240: }
241: my $target = $ssourl;
1.6 raeburn 242: if (&Apache::lonnet::get_saml_landing()) {
243: $target = '/adm/login';
244: }
1.13 raeburn 245: if (($r->user eq '') && ($r->uri ne $target) && ($r->uri ne $ssourl)) {
1.3 raeburn 246: my $lonhost = $Apache::lonnet::perlvar{'lonHostID'};
247: my $hostname = &Apache::lonnet::hostname($lonhost);
248: if (!$hostname) { $hostname = $r->hostname(); }
249: my $protocol = $Apache::lonnet::protocol{$lonhost};
250: unless ($protocol eq 'https') { $protocol = 'http'; }
1.4 raeburn 251: my $alias = &Apache::lonnet::use_proxy_alias($r,$lonhost);
1.7 raeburn 252: if (($alias ne '') &&
1.14 raeburn 253: (&Apache::lonnet::alias_sso($lonhost))) {
1.7 raeburn 254: $hostname = $alias;
255: }
1.3 raeburn 256: my $dest = $protocol.'://'.$hostname.$target;
1.11 raeburn 257: if ($target eq '/adm/login') {
1.17 raeburn 258: my $uri = $r->uri;
259: my $querystring;
260: if (($uri eq '/adm/email') && ($r->args ne '')) {
261: $querystring = &set_mailtoken($r,$lonhost);
262: } else {
263: $querystring = &set_token($r,$lonhost);
264: }
1.11 raeburn 265: if ($querystring ne '') {
266: $dest .= '?'.$querystring;
267: }
268: } else {
269: my $uri = $r->uri;
1.12 raeburn 270: if ($uri =~ m{^/tiny/$match_domain/\w+$}) {
271: my $querystring = &set_token($r,$lonhost);
272: if ($querystring ne '') {
273: $dest .= '?'.$querystring;
274: }
1.17 raeburn 275: } elsif ((&Apache::lonnet::get_saml_landing()) &&
276: ($uri eq '/adm/email') && ($r->args ne '')) {
277: my $querystring = &set_mailtoken($r,$lonhost);
278: if ($querystring ne '') {
279: $dest .= '?'.$querystring;
280: }
1.12 raeburn 281: } else {
282: if ($r->args ne '') {
283: $dest .= (($dest=~/\?/)?'&':'?').$r->args;
1.8 raeburn 284: }
1.12 raeburn 285: unless (($uri eq '/adm/roles') || ($uri eq '/adm/logout')) {
286: unless ($r->args =~ /origurl=/) {
287: $dest.=(($dest=~/\?/)?'&':'?').'origurl='.$uri;
1.11 raeburn 288: }
1.8 raeburn 289: }
290: }
1.5 raeburn 291: }
1.1 raeburn 292: $r->header_out(Location => $dest);
293: return REDIRECT;
294: } else {
295: return DECLINED;
296: }
297: }
298:
1.11 raeburn 299: sub set_token {
300: my ($r,$lonhost) = @_;
301: my ($firsturl,$querystring,$ssotoken,@names,%token);
302: @names = ('role','symb','ltoken','linkkey');
303: map { $token{$_} = 1; } @names;
304: unless (($r->uri eq '/adm/roles') || ($r->uri eq '/adm/logout')) {
305: $firsturl = $r->uri;
306: }
307: if ($r->args ne '') {
308: &Apache::loncommon::get_unprocessed_cgi($r->args);
309: }
310: if ($r->uri =~ m{^/tiny/$match_domain/\w+$}) {
1.12 raeburn 311: if ($env{'form.ttoken'}) {
312: my %info = &Apache::lonnet::tmpget($env{'form.ttoken'});
313: &Apache::lonnet::tmpdel($env{'form.ttoken'});
314: if ($info{'ltoken'}) {
315: $env{'form.ltoken'} = $info{'ltoken'};
316: } elsif ($info{'linkkey'} ne '') {
317: $env{'form.linkkey'} = $info{'linkkey'};
318: }
319: } else {
320: unless (($env{'form.ltoken'}) || ($env{'form.linkkey'})) {
321: &Apache::lonacc::get_posted_cgi($r,['linkkey']);
322: }
1.11 raeburn 323: }
1.15 raeburn 324: unless (($r->is_initial_req()) || ($env{'form.ltoken'}) ||
325: ($env{'form.linkkey'})) {
326: return;
327: }
1.11 raeburn 328: }
329: my $extras;
330: foreach my $name (@names) {
331: if ($env{'form.'.$name} ne '') {
332: if ($name eq 'ltoken') {
333: my %info = &Apache::lonnet::tmpget($env{'form.ltoken'});
1.12 raeburn 334: &Apache::lonnet::tmpdel($env{'form.ltoken'});
1.11 raeburn 335: if ($info{'linkprot'}) {
336: $extras .= '&linkprot='.&escape($info{'linkprot'});
1.18 ! raeburn 337: foreach my $item ('linkprotuser','linkprotexit','linkprotpbid','linkprotpburl') {
1.16 raeburn 338: if ($info{$item} ne '') {
339: $extras .= '&'.$item.'='.&escape($info{$item});
340: }
1.15 raeburn 341: }
1.11 raeburn 342: last;
343: }
344: } else {
345: $extras .= '&'.$name.'='.&escape($env{'form.'.$name});
346: }
347: }
348: }
349: if (($firsturl ne '') || ($extras ne '')) {
350: $extras .= ':sso';
351: $ssotoken = &Apache::lonnet::reply('tmpput:'.&escape($firsturl).
352: $extras,$lonhost);
353: $querystring = 'sso='.$ssotoken;
354: }
355: if ($r->args ne '') {
356: foreach my $key (sort(keys(%env))) {
357: if ($key =~ /^form\.(.+)$/) {
358: my $name = $1;
1.12 raeburn 359: next if (($token{$name}) || ($name eq 'ttoken'));
1.11 raeburn 360: $querystring .= '&'.$name.'='.$env{$key};
361: }
362: }
363: }
364: return $querystring;
365: }
366:
1.17 raeburn 367: sub set_mailtoken {
368: my ($r,$lonhost) = @_;
369: my $firsturl = $r->uri;
370: my ($querystring,$ssotoken,$extras);
371: &Apache::loncommon::get_unprocessed_cgi($r->args);
372: my $extras;
373: if (($env{'form.display'} ne '') &&
374: ($env{'form.username'} =~ /^$match_username$/) &&
375: ($env{'form.domain'} =~ /^$match_domain$/)) {
376: $extras .= '&display='.&escape($env{'form.display'}).
377: '&mailrecip='.&escape($env{'form.username'}.':'.$env{'form.domain'});
378: }
379: if (($firsturl ne '') || ($extras ne '')) {
380: $extras .= ':sso';
381: $ssotoken = &Apache::lonnet::reply('tmpput:'.&escape($firsturl).
382: $extras,$lonhost);
383: $querystring = 'sso='.$ssotoken;
384: }
385: if ($r->args ne '') {
386: foreach my $key (sort(keys(%env))) {
387: if ($key =~ /^form\.(.+)$/) {
388: my $name = $1;
389: next if (($name eq 'display') || ($name eq 'username') || ($name eq 'domain'));
390: $querystring .= '&'.$name.'='.$env{$key};
391: }
392: }
393: }
394: return $querystring;
395: }
396:
1.1 raeburn 397: 1;
398: __END__
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to lonshibauth.pm CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom / auth