[LON-CAPA-admin] Single Sign-On?
Guy Albertelli II
guy at albertelli.com
Tue Nov 21 11:10:42 EST 2006
Hi Todd,
> Is there any information on what it takes to incorporate single sign-on
> into LON-CAPA from a campus portal for the 2.2.x versions?
Ayup.
We've had a couple of successes and I think worked through the possible
issues.
So here goes:
Single Sign On support is fully possible in a configurable way in
lon-capa 2.2.2
The requirement is that you'll need to have an Apache module (or
mod_perl handler) to be a last resort handler for the Authentication
phase. (And will put the lon-capa userid into the request 'user'
attribute)
Process to get things working:
- create and configure a server for lon-capa, but don't actually run
  the install.pl or UPDATE scripts.
  (it'll be easier to debug the next step if you wait on these for a bit)
- get the mod_<SSO> installed & working
- put all config vars that are needed to get it running into a
  loncapa_apache_SSO.conf in the /etc/httpd/conf dir
- do the rest of the installation (run install.pl and install 2.2.2)
- add to the loncapa_apache_SSO.conf:
    PerlSetVar lonOtherAuthen yes
    PerlSetVar lonOtherAuthenType <whatever AuthType your SSO wants>
- going to /adm/roles should trigger SSO
- going to /adm/login should trigger lon-capa style authentication
Other optional config vars
- lonSSOUserUnknownRedirect
  - if the user is authenticated by SSO, but lon-capa doesn't
    recognize the user id, they normally get shown the lon-capa login
    page, you can specify a different url to redirect them to (say
    for instance an html file you have created in /home/httpd/html/adm/)
    Example:
      PerlSetVar lonSSOUserUnknownRedirect /adm/unknown_sso_user.html
- lonSSOUserLogoutMessageFile
  - when logging out of lon-capa if they SSOed in, you may want to
    provide them with a link to logout of the SSO auth too, you can use
    this var to point at a html fragment in a file somewhere on the
    system
    Example:
      PerlSetVar lonSSOUserLogoutMessageFile /home/httpd/html/adm/sso_logout_fragment
--
guy at albertelli.com 0-7-1-6-27,137
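
Added example, not part of the original message or of LON-CAPA: a Python check for loncapa_apache_SSO.conf that parses the PerlSetVar lines named above and reports a missing or placeholder lonOtherAuthenType, a directive whose value was wrapped onto the next line, and a logout fragment path that does not exist. The function names, the sample text and the absolute-path requirement are assumptions made for this example.

```python
import os
import re
import shlex

def parse_perlsetvar(text):
    """Return ({name: value}, [problems]) for the PerlSetVar lines in text."""
    values, problems = {}, []
    # Apache joins a line ending in a backslash with the line after it.
    text = re.sub(r"\\\r?\n", " ", text)
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)
        except ValueError:
            problems.append(f"unbalanced quotes: {line}")
            continue
        if parts[0].lower() != "perlsetvar":
            continue  # the SSO module's own directives are not checked here
        if len(parts) != 3:
            problems.append(f"expected 'PerlSetVar name value': {line}")
            continue
        values[parts[1]] = parts[2]
    return values, problems

def check_sso_conf(text, file_exists=os.path.isfile):
    """List problems with the SSO variables named in the message."""
    values, problems = parse_perlsetvar(text)
    if values.get("lonOtherAuthen") != "yes":
        problems.append("lonOtherAuthen is not 'yes', the value the message gives")
    authtype = values.get("lonOtherAuthenType", "")
    if not authtype or authtype.startswith("<"):
        problems.append("lonOtherAuthenType is missing or still a placeholder")
    logout = values.get("lonSSOUserLogoutMessageFile")
    # Assumption: the fragment is given as an absolute path, as in the example.
    if logout is not None and not (logout.startswith("/") and file_exists(logout)):
        problems.append(f"lonSSOUserLogoutMessageFile is not an existing file: {logout}")
    return problems

# Constructed sample: placeholder AuthType left in, and a value wrapped onto
# its own line, as can happen when the directive is copied from an e-mail.
SAMPLE = """\
PerlSetVar lonOtherAuthen yes
PerlSetVar lonOtherAuthenType <AuthType>
PerlSetVar lonSSOUserUnknownRedirect /adm/unknown_sso_user.html
PerlSetVar lonSSOUserLogoutMessageFile
/home/httpd/html/adm/sso_logout_fragment
"""

if __name__ == "__main__":
    for problem in check_sso_conf(SAMPLE):
        print(problem)
```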