Annotation of loncom/html/adm/help/tex/Institutional_Integration_CAS.tex, revision 1.1

\label{Institutional_Integration_CAS}

The procedure for enabling institutional Single Sign On (SSO) via a central authentication 
service (CAS) that is not Shibboleth involves building or installing an Apache module provided 
by your institution, and then modifying an Apache configuration file on your LON-CAPA server to
(a) load the module, and (b) configure LON-CAPA to use it, by default, when unauthenticated users 
access /adm/roles.

If your server will be part of the cluster of collaborating institutions, it is possible
that users from other LON-CAPA domains might visit your server to log-in to LON-CAPA.
To support that possibility, it is recommended that the CAS log-in page include a link pointing 
back at /adm/login on your LON-CAPA server, with the link identified as the one to be followed by 
users from other domains.  See: https://loncapa.msu.edu/adm/roles for an example.

In order for Apache to use your CAS system you need to set the PerlVar lonOtherAuthen to yes,
and provide the default domain for SSO users and the authentication type (i.e., the name of
your CAS).

\begin{itemize}

\item Add a custom Apache config file to include some required PerlVars and load the CAS shared object.

\begin{verbatim}
PerlSetVar lonOtherAuthen yes
PerlSetVar lonOtherAuthenType MyCAS
PerlSetVar lonSSOUserDomain <dom>

LoadModule mod_sentinel modules/mod_mycas.so
\end{verbatim}

where $<$dom$>$ is your domain, and mod\_mycas.so is the name of the CAS shared object. 
You might put the config file (mycas.conf) in: /etc/httpd/conf.d/ 
(CentOS/Red Hat/Scientific Linux), or in /etc/apache2/conf.d/ (SuSE/SLES) or 
/etc/apache2/conf-available (Ubuntu, and enabled with: sudo a2enconf). 

\item Add a custom Apache config file to include some optional PerlVars (for logout etc.)

Add a file to your Apache conf directory named loncapa\_apache\_local$<$dom$>$.conf, where $<$dom$>$
is your domain, to include items such as:

\begin{verbatim}
PerlSetVar lonSSOUserLogoutHeadFile_<dom> /home/httpd/html/adm/sso_logout_head_frag
PerlSetVar lonSSOUserLogoutMessageFile_<dom> /home/httpd/html/adm/sso_logout_body_frag
PerlSetVar lonSSOUserUnknownRedirect /adm/sso_failed_login.html
PerlSetVar lonSSOReloginServer https://somehost.somewhere.edu
\end{verbatim}

and add the corresponding files, owned by www:www, in /home/httpd/html/adm/

\end{itemize}

Notes:
\begin{enumerate}
\item
All files will contain HTML mark-up, but the sso\_logout\_head\_frag item is a fragment
inserted into the head block of the standard LON-CAPA logout page, and similarly,
the sso\_logout\_body\_frag is a fragment inserted into the body of the page,
whereas the sso\_failed\_login.html file should be a complete HTML document.

If the name of the PerlVar ends in \_$<$dom$>$ then the HTML fragment is only displayed
to SSO users from that particular domain.  It is possible that a LON-CAPA user from another 
domain might have used SSO authentication on a server in his/her home domain, and then switched 
session to your server (e.g., for co-author access to an Authoring Space in your domain).
In that particular case, if you wanted to display custom HTML, you should add a PerlVar with a 
name ending in \_$<$otherdom$>$. If you include PerlVars for lonSSOUserLogoutHeadFile
and/or lonSSOUserLogoutMessageFile (without a domain suffix), they will be included for SSO users
who use the Logout link on your LON-CAPA server regardless of the user's domain.

\item
If you enable self-creation of SSO-authenticated users, then the sso\_failed\_login.html
document need not be created.

\item
If you would like the log-in again link on the logout page to point to a specific URL 
just for SSO users, then you would set the PerlVar for lonSSOReloginServer. However, if 
you would like the log-in link for all users from your domain (both SSO and non-SSO 
authenticated) to point at a particular URL, then you would log-in to LON-CAPA, select
a Domain Coordinator role, and use Main Menu -$>$ Set domain configuration -$>$ 
Display (``Default authentication/language/timezone/portal/types'' checked) and set the URL
in ``Portal/Default URL''.

\end{enumerate}
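As an added check (not part of the LON-CAPA help text or code), the following POSIX shell script lints the two config files described above before Apache is reloaded: it confirms the required PerlVars are present, that the $<$dom$>$ placeholder was replaced, that a LoadModule line names a shared object, and that the optional fragment and redirect files actually exist with the expected www:www ownership. The document root, conf file paths and the temp-dir sample built by make\_sample are assumptions for demonstration.

```shell
#!/bin/sh
# Added example, not part of the LON-CAPA help text: lint the CAS-related Apache
# config files described above before reloading httpd. Assumed usage:
#   check_cas_conf /home/httpd/html /etc/httpd/conf.d/mycas.conf /etc/httpd/conf.d/loncapa_apache_local<dom>.conf
# Prints each problem and returns the number found (0 = consistent).

# First value of PerlSetVar NAME across the given conf files (empty if absent).
perlvar() {
  n="$1"; shift
  awk -v n="$n" '$1 == "PerlSetVar" && $2 == n { print $3; exit }' "$@"
}

check_cas_conf() {
  docroot="$1"; shift; errs=0
  for f in "$@"; do [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }; done
  # Required PerlVars: without these Apache never hands /adm/roles to the CAS module.
  [ "$(perlvar lonOtherAuthen "$@")" = "yes" ] \
    || { echo "lonOtherAuthen is not set to yes" >&2; errs=$((errs + 1)); }
  [ -n "$(perlvar lonOtherAuthenType "$@")" ] \
    || { echo "lonOtherAuthenType (name of your CAS) is missing" >&2; errs=$((errs + 1)); }
  case "$(perlvar lonSSOUserDomain "$@")" in
    ""|"<dom>") echo "lonSSOUserDomain missing or still the <dom> placeholder" >&2
                errs=$((errs + 1)) ;;
  esac
  grep -Eq '^[[:space:]]*LoadModule[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+\.so' "$@" \
    || { echo "no LoadModule line for the CAS shared object" >&2; errs=$((errs + 1)); }
  # Optional logout fragments are absolute paths; they must exist and be owned by www:www.
  for p in $(awk '$1 == "PerlSetVar" && $2 ~ /^lonSSOUserLogout(Head|Message)File/ { print $3 }' "$@"); do
    if [ ! -f "$p" ]; then echo "fragment $p does not exist" >&2; errs=$((errs + 1))
    elif [ "$(ls -ld "$p" | awk '{ print $3 ":" $4 }')" != "www:www" ]; then
      echo "warning: $p is not owned by www:www" >&2   # advisory only, not counted
    fi
  done
  # lonSSOUserUnknownRedirect is a URL path served from the document root.
  r=$(perlvar lonSSOUserUnknownRedirect "$@")
  if [ -n "$r" ] && [ ! -f "$docroot$r" ]; then
    echo "redirect target $docroot$r does not exist" >&2; errs=$((errs + 1))
  fi
  return $errs
}

# Constructed sample deployment in a temp dir (not real paths) so the check runs offline.
make_sample() {   # $1 = domain to write into the conf files
  d=$(mktemp -d); mkdir -p "$d/html/adm"
  printf 'PerlSetVar lonOtherAuthen yes\nPerlSetVar lonOtherAuthenType MyCAS\nPerlSetVar lonSSOUserDomain %s\n\nLoadModule mod_sentinel modules/mod_mycas.so\n' "$1" > "$d/mycas.conf"
  printf 'PerlSetVar lonSSOUserLogoutHeadFile_%s %s/html/adm/sso_logout_head_frag\nPerlSetVar lonSSOUserUnknownRedirect /adm/sso_failed_login.html\n' "$1" "$d" > "$d/local.conf"
  : > "$d/html/adm/sso_logout_head_frag"; : > "$d/html/adm/sso_failed_login.html"
  echo "$d"
}
```

Run it as `d=$(make_sample mydom) && check_cas_conf "$d/html" "$d/mycas.conf" "$d/local.conf"`; on a real server pass the document root and your actual conf files instead.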