1: # The LearningOnline Network
2: # Redirect Single Sign On authentication to designated URL:
3: # /adm/sso, by default.
4: #
5: # $Id: lonshibauth.pm,v 1.14.2.1 2021/12/12 20:56:36 raeburn Exp $
6: #
7: # Copyright Michigan State University Board of Trustees
8: #
9: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
10: #
11: # LON-CAPA is free software; you can redistribute it and/or modify
12: # it under the terms of the GNU General Public License as published by
13: # the Free Software Foundation; either version 2 of the License, or
14: # (at your option) any later version.
15: #
16: # LON-CAPA is distributed in the hope that it will be useful,
17: # but WITHOUT ANY WARRANTY; without even the implied warranty of
18: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19: # GNU General Public License for more details.
20: #
21: # You should have received a copy of the GNU General Public License
22: # along with LON-CAPA; if not, write to the Free Software
23: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
24: #
25: # /home/httpd/html/adm/gpl.txt
26: #
27: # http://www.lon-capa.org/
28: #
29:
30: =head1 NAME
31:
32: Apache::lonshibauth - Redirect Single Sign On authentication
33:
34: =head1 SYNOPSIS
35:
36: Invoked when an Apache config file includes:
37: PerlAuthenHandler Apache::lonshibauth
38:
39: If server is configured as a Shibboleth SP, the main Apache
40: configuration file, e.g., /etc/httpd/conf/httpd.conf
41: (for RHEL/CentOS/Scentific Linux/Fedora) should contain:
42:
43: LoadModule mod_shib /usr/lib/shibboleth/mod_shib_22.so
44:
45: or equivalent (depending on Apache version)
46: before the line to include conf/loncapa_apache.conf
47:
48: If some other Apache module is in use for Single Sign On
49: authentication e.g., mod_auth_cas or mod_sentinel,
50: then a separate config file should be created which
51: includes settings for the authentication module.
52:
53: =head1 INTRODUCTION
54:
55: Redirects a user requiring Single Sign On to a URL on the server
56: which is configured to use that service. The default URL is:
57: /adm/sso.
58:
59: If this is to be used with a Single Sign On service other Shibboleth
60: then an Apache config file needs to be loaded which:
61:
62: (a) loads the corresponding Apache module, and
63: (b) sets appropriate values for perl vars in
64: an <IfModule mod_***></IfModule> block, and
65: (c) sets an appropriate value for AuthType in a
66: <Location /adm/sso><IfModule mod_***>
67: </IfModule></Location> block, which also contains
68:
69: require valid-user
70:
71: PerlAuthzHandler Apache::lonshibacc
72:
73: PerlAuthzHandler Apache::lonacc
74:
75: In the case of Shibboleth no additional file is needed
76: because loncapa_apache.conf already contains:
77:
78: <IfModule mod_shib>
79: PerlAuthenHandler Apache::lonshibauth
80: PerlSetVar lonOtherAuthen yes
81: PerlSetVar lonOtherAuthenType Shibboleth
82:
83: </IfModule>
84:
85: and
86:
87: <Location /adm/sso>
88: Header set Cache-Control "private,no-store,no-cache,max-age=0"
89: <IfModule mod_shib>
90: AuthType shibboleth
91: ShibUseEnvironment On
92: ShibRequestSetting requireSession 1
93: ShibRequestSetting redirectToSSL 443
94: require valid-user
95: PerlAuthzHandler Apache::lonshibacc
96: PerlAuthzHandler Apache::lonacc
97: ErrorDocument 403 /adm/login
98: ErrorDocument 500 /adm/errorhandler
99: </IfModule>
100: <IfModule !mod_shib>
101: PerlTypeHandler Apache::lonnoshib
102: </IfModule>
103:
104: </Location>
105:
106: If the service is not Shibboleth, then (optionally) a URL that is
107: not /adm/sso can be used as the URL for the service, e.g., /adm/cas
108: or /adm/sentinel, by setting a lonOtherAuthenUrl perl var
109: in an Apache config file containing (for example):
110:
111: PerlSetVar lonOtherAuthenUrl /adm/sentinel
112:
113: <IfModule mod_sentinel>
114: PerlAuthenHandler Apache::lonshibauth
115: PerlSetVar lonOtherAuthen yes
116: PerlSetVar lonOtherAuthenType Sentinel
117:
118: </IfModule>
119:
120: <Location /adm/sentinel>
121: Header set Cache-Control "private,no-store,no-cache,max-age=0"
122: <IfModule mod_sentinel>
123: AuthType Sentinel
124: require valid-user
125: PerlAuthzHandler Apache::lonshibacc
126: PerlAuthzHandler Apache::lonacc
127: ErrorDocument 403 /adm/login
128: ErrorDocument 500 /adm/errorhandler
129: </IfModule>
130: <IfModule !mod_sentinel>
131: PerlTypeHandler Apache::lonnoshib
132: </IfModule>
133:
134: </Location>
135:
136: In the example above for Sentinel SSO, it would also be possible to
137: use /adm/sso instead of /adm/sentinel, in which case (i) there would be
138: no need to define lonOtherAuthenUrl, (ii) there would be <Location /adm/sso>
139: and (iii) the <IfModule !></IfModule> block would not be needed as
140: it is already present in /etc/httpd/conf/loncapa_apache.conf.
141:
142: =head1 HANDLER SUBROUTINE
143:
144: This routine is called by Apache and mod_perl.
145:
146: =over 4
147:
148: If $r->user is defined and requested URL is not /adm/sso or
149: other specific URL as set by a lonOtherAuthenUrl perlvar,
150: then redirect to /adm/sso (or to the specific URL).
151:
152: Otherwise return DECLINED.
153:
154: In the case of redirection a query string is appended,
155: which will contain either (a) the originally requested URL,
156: if not /adm/sso (or lonOtherAuthenUrl URL), and
157: any existing query string in the original request, or
158: (b) if redirect is to /adm/login to support dual SSO and
159: non-SSO, a query string which contains sso=tokenID, where the
160: token contains information for deep-linking to course/resource.
161:
162: Support is included for use of LON-CAPA's standard log-in
163: page -- /adm/login -- to support dual SSO and non-SSO
164: authentication from that "landing" page.
165:
166: To enable dual SSO and non-SSO access from /adm/login
167: a Domain Coordinator will use the web GUI:
168: Main Menu > Set domain configuration > Display
169: ("Log-in page options" checked)
170: and for any of the LON-CAPA domain's servers which
171: will offer dual login will check "Yes" and then set:
172: (a) SSO Text, Image, Alt Text, URL, Tool Tip
173: (b) non-SSO: Text
174:
175: The value in the URL field should be /adm/sso,
176: or the same URL as set for the lonOtherAuthenUrl
177: perl var, e.g., /adm/sentinel.
178:
179: =back
180:
181: =head1 NOTABLE SUBROUTINES
182:
183: =over 4
184:
185: =item set_token()
186:
187: Inputs: 2
188: $r - request object
189: $lonhost - hostID of current server
190:
191: Output: 1
192: $querystring - query string to append to URL
193: when redirecting.
194:
195: If role and/or symb are present in the original query string:
196: then they will be stored in the token file on the server,
197: for access later to support deep-linking.
198:
199: =back
200:
201: =cut
202:
203: package Apache::lonshibauth;
204:
205: use strict;
206: use lib '/home/httpd/lib/perl/';
207: use Apache::lonnet;
208: use Apache::loncommon;
209: use Apache::lonacc;
210: use Apache::Constants qw(:common REDIRECT);
211: use LONCAPA qw(:DEFAULT :match);
212:
213: sub handler {
214: my $r = shift;
215: my $ssourl = '/adm/sso';
216: if ($r->dir_config('lonOtherAuthenUrl') ne '') {
217: $ssourl = $r->dir_config('lonOtherAuthenUrl');
218: }
219: my $target = $ssourl;
220: if (&Apache::lonnet::get_saml_landing()) {
221: $target = '/adm/login';
222: }
223: if (($r->user eq '') && ($r->uri ne $target) && ($r->uri ne $ssourl)) {
224: my $lonhost = $Apache::lonnet::perlvar{'lonHostID'};
225: my $hostname = &Apache::lonnet::hostname($lonhost);
226: if (!$hostname) { $hostname = $r->hostname(); }
227: my $protocol = $Apache::lonnet::protocol{$lonhost};
228: unless ($protocol eq 'https') { $protocol = 'http'; }
229: my $alias = &Apache::lonnet::use_proxy_alias($r,$lonhost);
230: if (($alias ne '') &&
231: (&Apache::lonnet::alias_sso($lonhost))) {
232: $hostname = $alias;
233: }
234: my $dest = $protocol.'://'.$hostname.$target;
235: if ($target eq '/adm/login') {
236: my $querystring = &set_token($r,$lonhost);
237: if ($querystring ne '') {
238: $dest .= '?'.$querystring;
239: }
240: } else {
241: my $uri = $r->uri;
242: if ($r->args ne '') {
243: $dest .= (($dest=~/\?/)?'&':'?').$r->args;
244: }
245: unless (($uri eq '/adm/roles') || ($uri eq '/adm/logout')) {
246: unless ($r->args =~ /origurl=/) {
247: $dest.=(($dest=~/\?/)?'&':'?').'origurl='.$uri;
248: }
249: }
250: }
251: $r->header_out(Location => $dest);
252: return REDIRECT;
253: } else {
254: return DECLINED;
255: }
256: }
257:
258: sub set_token {
259: my ($r,$lonhost) = @_;
260: my ($firsturl,$querystring,$ssotoken,@names,%token);
261: @names = ('role','symb');
262: map { $token{$_} = 1; } @names;
263: unless (($r->uri eq '/adm/roles') || ($r->uri eq '/adm/logout')) {
264: $firsturl = $r->uri;
265: }
266: if ($r->args ne '') {
267: &Apache::loncommon::get_unprocessed_cgi($r->args);
268: }
269: my $extras;
270: foreach my $name (@names) {
271: if ($env{'form.'.$name} ne '') {
272: $extras .= '&'.$name.'='.&escape($env{'form.'.$name});
273: }
274: }
275: if (($firsturl ne '') || ($extras ne '')) {
276: $extras .= ':sso';
277: $ssotoken = &Apache::lonnet::reply('tmpput:'.&escape($firsturl).
278: $extras,$lonhost);
279: $querystring = 'sso='.$ssotoken;
280: }
281: if ($r->args ne '') {
282: foreach my $key (sort(keys(%env))) {
283: if ($key =~ /^form\.(.+)$/) {
284: my $name = $1;
285: next if ($token{$name});
286: $querystring .= '&'.$name.'='.$env{$key};
287: }
288: }
289: }
290: return $querystring;
291: }
292:
293: 1;
294: __END__
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to lonshibauth.pm CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom / auth