[BACK]Return to Institutional_Integration_CAS.tex CVS log [TXT] [DIR] Up to [LON-CAPA] / loncom / html / adm / help / tex
File:  [LON-CAPA] / loncom / html / adm / help / tex / Institutional_Integration_CAS.tex
Revision 1.2: download - view: text, annotated - select for diffs
Thu Mar 26 22:15:20 2015 UTC (9 years, 4 months ago) by raeburn
Branches: MAIN
CVS tags: version_2_11_2_uiuc, version_2_11_2_msu, version_2_11_2_educog, version_2_11_2, version_2_11_1, HEAD
- Shorter names for example files containing custom markup for inclusion in
  logout page fit within the width of a page in the PDF manual.

    1: \label{Institutional_Integration_CAS}
    2: 
    3: The procedure for enabling institutional Single Sign On (SSO) via a central authentication 
    4: service (CAS) that is not Shibboleth involves building or installing an Apache module provided 
    5: by you institution, and then modifying an Apache configuration file on your LON-CAPA server to
    6: (a) load the module, and (b) configure LON-CAPA to use it, by default, when unauthenticated users 
    7: access /adm/roles.
    8: 
    9: If your server will be part of the cluster of collaborating institutions, it is possible
   10: that users from other LON-CAPA domains might visit your server to log-in to LON-CAPA.
   11: To support that possibility, it is recommended that the CAS log-in page includes a link to point 
   12: back at /adm/login on your LON-CAPA server, and the link is identified as one to be followed by 
   13: users from other domains.  See: https://loncapa.msu.edu/adm/roles for an example.
   14: 
   15: In order for Apache to use your CAS system you need to set the PerlVar lonOtherAuthen to yes,
   16: and provide the default domain for SSO users and the authentication type (i.e., the name of
   17: your CAS).
   18: 
   19: \begin{itemize}
   20: 
   21: \item Add a custom Apache config file to include some required PerlVars and load the CAS shared object.
   22: 
   23: \begin{verbatim}
   24: PerlSetVar lonOtherAuthen yes
   25: PerlSetVar lonOtherAuthenType MyCAS
   26: PerlSetVar lonSSOUserDomain <dom>
   27: 
   28: LoadModule mod_sentinel modules/mod_mycas.so
   29: \end{verbatim}
   30: 
   31: where $<$dom$>$ is your domain, and mod\_mycas.so is ths name of the CAS shared object. 
   32: You might put the config file (mycas.conf) in: /etc/httpd/conf.d/ 
   33: (CentOS/Red Hat/Scientific Linux), or in /etc/apache2/conf.d/ (SuSE/SLES) or 
   34: /etc/apache2/conf-available (Ubuntu, and enabled with: sudo a2enconf). 
   35: 
   36: \item Add a custom Apache config file to include some optional PerlVars (for logout etc.)
   37: 
   38: Add a file to your Apache conf directory named loncapa\_apache\_local$<$dom$>$.conf, where $<$dom$>$
   39: is domain, to include items such as:
   40: 
   41: \begin{verbatim}
   42: PerlSetVar lonSSOUserLogoutHeadFile_<dom> /home/httpd/html/adm/sso_logout_head
   43: PerlSetVar lonSSOUserLogoutMessageFile_<dom> /home/httpd/html/adm/sso_logout_body
   44: PerlSetVar lonSSOUserUnknownRedirect /adm/sso_failed_login.html
   45: PerlSetVar lonSSOReloginServer https://somehost.somewhere.edu
   46: \end{verbatim}
   47: 
   48: and add the corresponding files owned by www:www in /home/httpd/html/adm/
   49: 
   50: \end{itemize}
   51: 
   52: Notes:
   53: \begin{enumerate}
   54: \item
   55: All files will contain HTML mark-up, but the sso\_logout\_head item is a fragment
   56: inserted into the head block of the standard LON-CAPA logout page, and similarly,
   57: the sso\_logout\_body is a fragment inserted into the body of the page,
   58: whereas the sso\_failed\_login.html file should be a complete HTML document.
   59: 
   60: If the name of the PerlVar ends \_$<$dom$>$ then the HTML fragment is only displayed
   61: to SSO users from that particular domain.  It is possible that a LON-CAPA user from another 
   62: domain might have used SSO authentication on a server in his/her home domain, and then switched 
   63: session to your server, (e.g., for co-author access to an Authoring Space in your domain).
   64: In that particular case, if you wanted to display custom HTML, you should add a PerlVar with a 
   65: name ending in \_$<$otherdom$>$. If you include PerlVars for lonSSOUserLogoutHeadFile
   66: and/or lonSSOUserLogoutMessageFile they will be included for SSO users who use the Logout link
   67: on your LON-CAPA regardless of the user's domain.
   68: 
   69: \item
   70: If you enable self-creation of SSO-authenticated users, then the sso\_failed\_login.html
   71: document need not be created.
   72: 
   73: \item
   74: If you would like the log-in again link on the logout page to point to a specific URL 
   75: just for SSO users, then you would set the PerlVar for lonSSOReloginServer. However, if 
   76: you would like the log-in link for all users from your domain (both SSO and non-SSO 
   77: authenticated) to point at a particular URL, then you would log-in to LON-CAPA, select
   78: a Domain Coordinator role, and use Main Menu -$>$ Set domain configuration -$>$ 
   79: Display (``Default authentication/language/timezone/portal/types'' checked) an set the URL
   80: in ``Portal/Default URL''.
   81: 
   82: \end{enumerate}
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>