Annotation of loncom/html/adm/help/tex/Institutional_Integration_CAS.tex, revision 1.4
1.1 raeburn 1: \label{Institutional_Integration_CAS}
2:
3: The procedure for enabling institutional Single Sign On (SSO) via a central authentication
1.3 raeburn 4: service (CAS) that is not Shibboleth involves building or installing a CAS Apache module.
5: That module might be a home-grown CAS-type module provided by your institution, or it might be
1.4 ! raeburn 6: the standard mod\_auth\_cas module, available from the Apereo CAS project (see:
1.3 raeburn 7: https://github.com/apereo/mod\_auth\_cas ). In addition, you will need to modify the Apache
8: configuration for your LON-CAPA server to (a) load the module, and (b) configure LON-CAPA
9: to use it, by default, when unauthenticated users access /adm/roles.
1.1 raeburn 10:
11: If your server will be part of the cluster of collaborating institutions, it is possible
12: that users from other LON-CAPA domains might visit your server to log-in to LON-CAPA.
13: To support that possibility, it is recommended that the CAS log-in page includes a link to point
14: back at /adm/login on your LON-CAPA server, and the link is identified as one to be followed by
1.3 raeburn 15: users from other domains. See: https://loncapa.msu.edu/adm/roles, for an example.
1.1 raeburn 16:
17: In order for Apache to use your CAS system you need to set the PerlVar lonOtherAuthen to yes,
18: and provide the default domain for SSO users and the authentication type (i.e., the name of
19: your CAS).
20:
21: \begin{itemize}
22:
23: \item Add a custom Apache config file to include some required PerlVars and load the CAS shared object.
24:
25: \begin{verbatim}
26: PerlSetVar lonOtherAuthen yes
1.3 raeburn 27: PerlSetVar lonOtherAuthenType CAS
1.1 raeburn 28: PerlSetVar lonSSOUserDomain <dom>
29:
1.3 raeburn 30: LoadModule auth_cas_module modules/mod_auth_cas.so
1.1 raeburn 31: \end{verbatim}
32:
1.3 raeburn 33: where $<$dom$>$ is your domain, and mod\_auth\_cas.so is the name of the CAS shared object.
34: You might put the config file (cas.conf) in: /etc/httpd/conf.d/
1.1 raeburn 35: (CentOS/Red Hat/Scientific Linux), or in /etc/apache2/conf.d/ (SuSE/SLES) or
1.3 raeburn 36: /etc/apache2/conf-available (Ubuntu, and enabled with: sudo a2enconf).
1.1 raeburn 37:
38: \item Add a custom Apache config file to include some optional PerlVars (for logout etc.)
39:
40: Add a file to your Apache conf directory named loncapa\_apache\_local$<$dom$>$.conf, where $<$dom$>$
41: is domain, to include items such as:
42:
43: \begin{verbatim}
1.2 raeburn 44: PerlSetVar lonSSOUserLogoutHeadFile_<dom> /home/httpd/html/adm/sso_logout_head
45: PerlSetVar lonSSOUserLogoutMessageFile_<dom> /home/httpd/html/adm/sso_logout_body
1.1 raeburn 46: PerlSetVar lonSSOUserUnknownRedirect /adm/sso_failed_login.html
47: PerlSetVar lonSSOReloginServer https://somehost.somewhere.edu
48: \end{verbatim}
49:
50: and add the corresponding files owned by www:www in /home/httpd/html/adm/
51:
52: \end{itemize}
53:
54: Notes:
55: \begin{enumerate}
56: \item
1.2 raeburn 57: All files will contain HTML mark-up, but the sso\_logout\_head item is a fragment
1.1 raeburn 58: inserted into the head block of the standard LON-CAPA logout page, and similarly,
1.2 raeburn 59: the sso\_logout\_body is a fragment inserted into the body of the page,
1.1 raeburn 60: whereas the sso\_failed\_login.html file should be a complete HTML document.
61:
62: If the name of the PerlVar ends \_$<$dom$>$ then the HTML fragment is only displayed
63: to SSO users from that particular domain. It is possible that a LON-CAPA user from another
64: domain might have used SSO authentication on a server in his/her home domain, and then switched
65: session to your server, (e.g., for co-author access to an Authoring Space in your domain).
66: In that particular case, if you wanted to display custom HTML, you should add a PerlVar with a
67: name ending in \_$<$otherdom$>$. If you include PerlVars for lonSSOUserLogoutHeadFile
68: and/or lonSSOUserLogoutMessageFile they will be included for SSO users who use the Logout link
69: on your LON-CAPA regardless of the user's domain.
70:
71: \item
72: If you enable self-creation of SSO-authenticated users, then the sso\_failed\_login.html
73: document need not be created.
74:
75: \item
76: If you would like the log-in again link on the logout page to point to a specific URL
77: just for SSO users, then you would set the PerlVar for lonSSOReloginServer. However, if
78: you would like the log-in link for all users from your domain (both SSO and non-SSO
79: authenticated) to point at a particular URL, then you would log-in to LON-CAPA, select
80: a Domain Coordinator role, and use Main Menu -$>$ Set domain configuration -$>$
81: Display (``Default authentication/language/timezone/portal/types'' checked) an set the URL
82: in ``Portal/Default URL''.
83:
84: \end{enumerate}
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>