\end{verbatim}
and add the corresponding files, owned by www:www, in /home/httpd/html/adm/.
Notes:
\begin{enumerate}
\item
All files will contain HTML mark-up, but the sso\_logout\_head item is a fragment
inserted into the head block of the standard LON-CAPA logout page, and similarly,
the sso\_logout\_body is a fragment inserted into the body of the page,
whereas the sso\_failed\_login.html file should be a complete HTML document.
If the name of the PerlVar ends in \_$<$dom$>$ then the HTML fragment is only displayed
to SSO users from that particular domain. It is possible that a LON-CAPA user from another
domain might have used SSO authentication on a server in his/her home domain, and then switched
session to your server (e.g., for co-author access to an Authoring Space in your domain).
In that particular case, if you want to display custom HTML, you should add a PerlVar with a
name ending in \_$<$otherdom$>$. If you include PerlVars for lonSSOUserLogoutHeadFile
and/or lonSSOUserLogoutMessageFile without a domain suffix, they will be included for all SSO users who use the Logout link
on your LON-CAPA server, regardless of the user's domain.
\item
SAML 2 Single Logout (SLO) has limited support starting with IdPs running Shibboleth 2.4.
The $<$Logout$>$ element is used to enable and configure support for Logout protocols and behavior
within the SP, e.g.,
\begin{verbatim}
<Logout>SAML2 Local</Logout>
\end{verbatim}
to support both local logout, i.e., for the SP itself (Local), and, in a limited way, logout at the IdP (SAML2).
In pre-2.4 Shibboleth2, LogoutInitiators in /etc/shibboleth2.xml enable SP-initiated local logout,
e.g., https://yourserver/Shibboleth.sso/Logout.
Depending on the availability of SLO support from your institution's IdP you should craft an appropriate
message to include in sso\_logout\_body. If you include a link to the URL for a local logout,
you should indicate that access to other web applications using SSO may continue to be available, even
after logout from the specific SP. If no local logout is provided, then after logout from LON-CAPA,
the web browser must be quit to ensure that access to LON-CAPA requires re-authentication.
\item
If you enable self-creation of SSO-authenticated users, then the sso\_failed\_login.html
document need not be created.
Attributes provided to the SP by the IdP are available to LON-CAPA as Environment variables.
For Shibboleth SSO users, a mapping of Shibboleth environment variable names to user data fields
can be set so that the appropriate user information is available at account creation time. The
mapping of variable name to LON-CAPA data name is set by a domain coordinator using the
domain configuration screen for ``Users self-creating accounts''.
Note: user data for a new user need not come from Environment variables populated by Shibboleth;
instead it can come from a customized get\_userinfo() routine in /home/httpd/lib/perl/localenroll.pm
(see the Directory Information section, \ref{Institutional_Integration_Identity_Management}).
\end{enumerate}
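As an added illustration (not code shipped with LON-CAPA), the following Perl sketches what a customized get\_userinfo() in localenroll.pm could do when the user data is to come from the attributes that the Shibboleth SP exported into the environment. The argument list, the field names placed in the \$instusers hash (firstname, lastname, permanentemail, id) and the attribute-to-field mapping are assumptions for the example; the mapping would in practice be whatever the domain coordinator configured. Two defensive points are built in: the routine only trusts REMOTE\_USER, which is set by the SP and never by the client, and it normalizes attribute values before storing them.

```perl
#!/usr/bin/perl
# Hypothetical get_userinfo() for localenroll.pm (example only, not LON-CAPA's
# own code). It fills %$instusers for one username from Shibboleth attributes
# that mod_shib exported as environment variables.
use strict;
use warnings;

# Assumed mapping: Shibboleth attribute id (environment variable name) to the
# LON-CAPA user data field. A real deployment takes this from the domain
# configuration screen for "Users self-creating accounts".
my %attr_to_field = (
    givenName      => 'firstname',
    sn             => 'lastname',
    mail           => 'permanentemail',
    employeeNumber => 'id',
);

sub get_userinfo {
    my ($dom,$uname,$instusers,$instids,$types,$srchby,$srchtype,$srchterm) = @_;
    # Act only for the user the SP actually authenticated in this request.
    my $remote = $ENV{'REMOTE_USER'};
    return 'error' unless defined($remote) && $remote eq $uname;

    my %fields;
    while (my ($attr,$field) = each %attr_to_field) {
        my $val = $ENV{$attr};
        next unless defined($val) && length($val);
        ($val) = split(/;/, $val);      # multi-valued attributes are ';'-joined; keep the first
        $val =~ s/[\r\n]//g;            # no line breaks in stored user data
        $val =~ s/^\s+|\s+$//g;         # trim surrounding whitespace
        next unless length($val);
        $fields{$field} = $val;
    }
    # Minimal requirement assumed for this example: a last name must be present.
    return 'error' unless exists $fields{'lastname'};

    $instusers->{$uname} = \%fields;
    $instids->{$fields{'id'}} = $uname if exists $fields{'id'};
    return 'ok';
}

# Constructed sample environment, as mod_shib would export it for one user.
$ENV{'REMOTE_USER'} = 'jdoe';
$ENV{'givenName'}   = 'Jane';
$ENV{'sn'}          = 'Doe';
$ENV{'mail'}        = 'jdoe@example.edu;jane.doe@example.edu';
my (%instusers,%instids);
my $rc = get_userinfo('example','jdoe',\%instusers,\%instids);
print "$rc\n";
for my $k (sort keys %{ $instusers{'jdoe'} }) {
    print "  $k = $instusers{'jdoe'}{$k}\n";
}
```

Run stand-alone, the script prints ok followed by firstname, lastname and permanentemail (the first of the two mail values); if REMOTE\_USER were absent or named a different user, get\_userinfo() would return error and leave \%instusers empty.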
e.g., sso\_logout\_body
\begin{verbatim}
As your original log-in to LON-CAPA was authenticated by a central Shibboleth
Single Sign On service, your Shibboleth credentials are still valid.
Until you close your web browser, web applications which support Shibboleth
Single Sign-on (including LON-CAPA) will not require you to re-enter your
username and password.
To expire your active Shibboleth authentication token you must quit your web
browser.
\end{verbatim}
e.g., sso\_failed\_login.html
\begin{verbatim}
No LON-CAPA Account
Your authentication using the Shibboleth Single Sign On service was
successful.
However, you do not currently have a LON-CAPA account with the username
with which you authenticated.
Policies at your institution do not allow you to create a LON-CAPA account
yourself, after successful authentication.
Please contact the LON-CAPA Helpdesk for your
domain.
Your Shibboleth credentials are still valid.
Until you close your web browser, web applications which support Shibboleth
Single Sign-on will not require you to re-enter your username and password.
To expire your active Shibboleth authentication token you must quit your web
browser.
\end{verbatim}
\end{enumerate}