--- loncom/html/adm/help/tex/Domain_Configuration_Login_Page.tex	2021/12/25 03:15:47	1.12.2.1
+++ loncom/html/adm/help/tex/Domain_Configuration_Login_Page.tex	2022/08/24 22:23:15	1.13
@@ -99,14 +99,21 @@ instead to display /adm/login configured
 Check the ``Yes'' radio button for each of the domain's servers which will offer dual login and then set:  
 
 \begin{itemize}
-\item SSO: Text, Image, Alt Text, URL, Tool Tip
+\item SSO: Text, Image, Alt Text, URL, Tool Tip, Pop-up if iframe
 \item non-SSO: Text
 \end{itemize}
 
 The value in the URL field will be /adm/sso for Shibboleth, and an uploaded image file will provide the button to be clicked
 to load /adm/sso (i.e., to prompt an SSO login). The alt and title attributes for the button can also be set.
 
-With this in effect the LON-CAPA login page /adm/login will display the following:
+In some circumstances the default may be to attempt display of the SSO log-in dialog within an iframe, e.g., 
+when link protection has been enabled for LTI mediated deep link access from another learning management system, 
+and a user is also required to authenticate in LON-CAPA. In such cases, ``sameorigin'' requirements for the SSO login 
+page may dictate that the SSO login must be displayed in a pop-window instead of the iframe. Setting ``Pop-up if iframe'' 
+to ``Yes'' will ensure a pop-up is launched when the button and/or link for SSO login is clicked and the login page is
+within an iframe.
+
+With dual login in effect the LON-CAPA login page /adm/login will display the following:
 
 \begin{itemize}
 \item Log-in type:
@@ -133,5 +140,8 @@ If the SSO service is something other th
 been set to a preferred URL (e.g., /adm/sentinel), then the URL item in the SSO entry in the dual login options
 should be set to that same preferred URL.
 
-Note: if the original page request by an unauthenticated user included a query string containing role and symb (i.e., 
-the unique resource instance identifier) then they will be stored in a token file on the server, for access later to support deep-linking. 
+Note: if the original page request by an unauthenticated user included a query string with any of the following items:
+role, symb, and linkkey, then they will be stored in a token file on the server, for access later to support deep-linking. 
+Similarly, if the query string contained an ltoken item from successful launch from an LTI Consumer, where LON-CAPA is the LTI Provider,
+and for that Consumer LON-CAPA is not configured to accept user information, and the destination is a deep-link URL:
+/tiny/domain/uniqueID, then the LTI number, type (c or d), and tiny URL will be saved as the linkprot item in a token file.