Annotation of loncom/html/adm/help/tex/Institutional_Integration_CAS.tex, revision 1.2
1.1 raeburn 1: \label{Institutional_Integration_CAS}
2:
3: The procedure for enabling institutional Single Sign On (SSO) via a central authentication
4: service (CAS) that is not Shibboleth involves building or installing an Apache module provided
5: by you institution, and then modifying an Apache configuration file on your LON-CAPA server to
6: (a) load the module, and (b) configure LON-CAPA to use it, by default, when unauthenticated users
7: access /adm/roles.
8:
9: If your server will be part of the cluster of collaborating institutions, it is possible
10: that users from other LON-CAPA domains might visit your server to log-in to LON-CAPA.
11: To support that possibility, it is recommended that the CAS log-in page includes a link to point
12: back at /adm/login on your LON-CAPA server, and the link is identified as one to be followed by
13: users from other domains. See: https://loncapa.msu.edu/adm/roles for an example.
14:
15: In order for Apache to use your CAS system you need to set the PerlVar lonOtherAuthen to yes,
16: and provide the default domain for SSO users and the authentication type (i.e., the name of
17: your CAS).
18:
19: \begin{itemize}
20:
21: \item Add a custom Apache config file to include some required PerlVars and load the CAS shared object.
22:
23: \begin{verbatim}
24: PerlSetVar lonOtherAuthen yes
25: PerlSetVar lonOtherAuthenType MyCAS
26: PerlSetVar lonSSOUserDomain <dom>
27:
28: LoadModule mod_sentinel modules/mod_mycas.so
29: \end{verbatim}
30:
31: where $<$dom$>$ is your domain, and mod\_mycas.so is ths name of the CAS shared object.
32: You might put the config file (mycas.conf) in: /etc/httpd/conf.d/
33: (CentOS/Red Hat/Scientific Linux), or in /etc/apache2/conf.d/ (SuSE/SLES) or
34: /etc/apache2/conf-available (Ubuntu, and enabled with: sudo a2enconf).
35:
36: \item Add a custom Apache config file to include some optional PerlVars (for logout etc.)
37:
38: Add a file to your Apache conf directory named loncapa\_apache\_local$<$dom$>$.conf, where $<$dom$>$
39: is domain, to include items such as:
40:
41: \begin{verbatim}
1.2 ! raeburn 42: PerlSetVar lonSSOUserLogoutHeadFile_<dom> /home/httpd/html/adm/sso_logout_head
! 43: PerlSetVar lonSSOUserLogoutMessageFile_<dom> /home/httpd/html/adm/sso_logout_body
1.1 raeburn 44: PerlSetVar lonSSOUserUnknownRedirect /adm/sso_failed_login.html
45: PerlSetVar lonSSOReloginServer https://somehost.somewhere.edu
46: \end{verbatim}
47:
48: and add the corresponding files owned by www:www in /home/httpd/html/adm/
49:
50: \end{itemize}
51:
52: Notes:
53: \begin{enumerate}
54: \item
1.2 ! raeburn 55: All files will contain HTML mark-up, but the sso\_logout\_head item is a fragment
1.1 raeburn 56: inserted into the head block of the standard LON-CAPA logout page, and similarly,
1.2 ! raeburn 57: the sso\_logout\_body is a fragment inserted into the body of the page,
1.1 raeburn 58: whereas the sso\_failed\_login.html file should be a complete HTML document.
59:
60: If the name of the PerlVar ends \_$<$dom$>$ then the HTML fragment is only displayed
61: to SSO users from that particular domain. It is possible that a LON-CAPA user from another
62: domain might have used SSO authentication on a server in his/her home domain, and then switched
63: session to your server, (e.g., for co-author access to an Authoring Space in your domain).
64: In that particular case, if you wanted to display custom HTML, you should add a PerlVar with a
65: name ending in \_$<$otherdom$>$. If you include PerlVars for lonSSOUserLogoutHeadFile
66: and/or lonSSOUserLogoutMessageFile they will be included for SSO users who use the Logout link
67: on your LON-CAPA regardless of the user's domain.
68:
69: \item
70: If you enable self-creation of SSO-authenticated users, then the sso\_failed\_login.html
71: document need not be created.
72:
73: \item
74: If you would like the log-in again link on the logout page to point to a specific URL
75: just for SSO users, then you would set the PerlVar for lonSSOReloginServer. However, if
76: you would like the log-in link for all users from your domain (both SSO and non-SSO
77: authenticated) to point at a particular URL, then you would log-in to LON-CAPA, select
78: a Domain Coordinator role, and use Main Menu -$>$ Set domain configuration -$>$
79: Display (``Default authentication/language/timezone/portal/types'' checked) an set the URL
80: in ``Portal/Default URL''.
81:
82: \end{enumerate}
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>