[LON-CAPA-admin] lonBalancer and SSO

Guy Albertelli II guy at albertelli.com
Tue Jul 31 21:12:20 EDT 2007


Hi Mark,

- if you want your students to be able to login through either
  explicit /adm/login or on machines not at ohiou, you will need to
  have a means for loncapa to authenticate the user; this would mean
  making localauth.pm work with Shibboleth, if that is possible.

- if you are using the lonBalancer mechanism, note that _only_ the
  balancer server needs to authenticate; after that they can be
  offloaded to any other machine in the network (through switch
  server) without having to re-authenticate.


> I'm trying to get my head wrapped around SSO (I'm working with shibboleth 
> here at Ohio University) and how this mucks with the flexibility of 
> LON-CAPA.
> 
> We are currently using kerberos 5 for our central authentication. This 
> will be removed in the future at some point.
> 
> I have Shibboleth set up and working on our development machine, but I'm 
> trying to sort out what this will look like in production.
> 
> Is there any documentation on lonbalancer around? Does this have to be a 
> separate machine or can it be one of the access servers?

if you set in say loncapa_apache_local.conf

PerlSetVar lonBalancer yes

Then that machine will authenticate but after that will switch server
the user to a machine in spare.tab (you can set up 2 classes of servers,
'primary' and 'default', where it will offload to primary servers until
they are all over 100% utilization and then it will start sending to
'default').



> I know that /adm/login will bring up the regular login and /adm/roles (or 
> also just the machine url) will bring up SSO. I'm presuming the best route 
> will be to point all activity to the balancing machine.

Yes, that is what we do here, and since the machine never hosts
sessions it will always be able to auth and then offload to whoever
isn't busy. (And since all it is doing is auth, it can be the oldest,
slowest machine you have.)

> How do I let LON-CAPA know students will be authenticated through 
> shibboleth?

http://mail.lon-capa.org/pipermail/lon-capa-admin/2006-November/001568.html

When you set 

PerlSetVar lonOtherAuthen yes
PerlSetVar lonOtherAuthenType <whatever AuthType your SSO wants>

What occurs is 

- lon-capa checks if the url they want is public (if so they get it)
- it then checks if they have a valid cookie (if so they go on)
- it then sets the AuthenType to what you specified and tells Apache it
  declines to authenticate the user (but doesn't 'fail' the access
  it); if you have installed your Apache Authentication module
  properly, Apache will then ask your module it wants to authenticate
  the access, eventually your module must
    - set the Apache request object's 'user' field to the username
    - and return an OK to Apache

- once the Authentication pass is successful, lonacc runs as the
  Authorization pass, and checks
    - for a valid cookie (if so then it does all of the internal
      lon-capa privilege checks)
    - if no cookie, it checks $r->user, and sees if the username in
      there is a valid lon-capa user for your domain; if it is, it logs the
      user in and sets up the cookie and then proceeds to do all of the
      lon-capa internal privilege checks
    - if $r->user is invalid (no lon-capa user by that name) you can
      configure what occurs then (this would be a user who is valid at
      the university but does not have a lon-capa account yet)

> Is there any way to shunt an attempted login from a student 
> who needs to use shibboleth to the proper place?


At MSU we force everyone to log in through the SSO authentication. And
the few users who need to know about /adm/login, we tell.

> Will students be able to log in elsewhere (MSU)? and work on materials? 
> I'm presuming not.

It depends on whether lond can be made to also authenticate against
Shibboleth.


> Any help visualizing what this will look like, with associated advantages 
> and disadvantages would be greatly appreciated.

So it appears to me that you will need to either

1 - make a localauth.pm that can authenticate a password/username against
    Shibboleth
      - Advantages -> nothing really changes from how it worked before
      - Disadvantages -> lon-capa is still handling passwords
                      -> users need to authenticate multiple times

2 - make an Apache Authentication module work that does Shibboleth SSO
      - Advantages -> lon-capa no longer handling passwords
                   -> users who have authenticated at some other
                      location at the university can one-click their way
                      into lon-capa
      - Disadvantages -> users will need to login through an ohiou
                         machine (but once in they can go anywhere in
                         the system either by being offloaded or by
                         switch servering)

3 - both 1 & 2 (this is what we do here at MSU)
      - Advantages -> best of both worlds (users if they have
                      bookmarks to machines or /adm/login won't get confused)
      - Disadvantages -> need to do both 1 & 2


Hopefully things are slightly more clear?

-- 
guy at albertelli.com   0-7-0-9-27,137
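As an added illustration of the "your module must set the request object's 'user' field and return OK" step described in the reply above (example code, not part of LON-CAPA or of the thread): a minimal mod_perl 2 PerlAuthenHandler that bridges the Shibboleth SP's exported principal to $r->user. It assumes lonOtherAuthenType is set to shibboleth, that the handler name LONCAPA::ShibAuthen is hypothetical, and that the SP module (mod_shib) exports the authenticated principal as REMOTE_USER in the subprocess environment.

```perl
package LONCAPA::ShibAuthen;   # hypothetical module name, not part of LON-CAPA
use strict;
use warnings;
use Apache2::RequestRec ();    # $r->auth_type, $r->user, $r->subprocess_env
use Apache2::Log ();           # $r->log_error
use APR::Table ();             # hash-style access to subprocess_env
use Apache2::Const -compile => qw(OK DECLINED HTTP_UNAUTHORIZED);

# Assumed wiring: PerlSetVar lonOtherAuthenType shibboleth, so lonacc sets
# the request's AuthType to 'shibboleth' and then declines, and this
# handler is registered as a PerlAuthenHandler after lonacc.
sub handler {
    my ($r) = @_;

    # Only act on requests lonacc handed off with our AuthType; anything
    # else is left to the next authentication module in the chain.
    my $type = $r->auth_type || '';
    return Apache2::Const::DECLINED unless lc($type) eq 'shibboleth';

    # Assumption: the SP module has already run and exported the principal
    # into the subprocess environment. Take the identity only from there,
    # never from a client-supplied request header: a browser can send any
    # header it likes, but it cannot write to subprocess_env.
    my $principal = $r->subprocess_env->{'REMOTE_USER'};

    unless (defined $principal && length $principal) {
        $r->log_error('shib-authen: no SP-exported principal on request');
        return Apache2::Const::HTTP_UNAUTHORIZED;
    }

    # Reduce 'user@example.edu' style principals to the local part and
    # accept only a conservative character set, so the value handed to the
    # authorization pass (and then looked up as a LON-CAPA username) is clean.
    my ($username) = $principal =~ /^([a-z0-9._-]{1,64})(?:\@[a-z0-9.-]+)?\z/i
        or do {
            $r->log_error("shib-authen: rejecting malformed principal '$principal'");
            return Apache2::Const::HTTP_UNAUTHORIZED;
        };

    # The two things the thread says the module must do: set the request
    # object's user field, and return OK. lonacc's authorization pass then
    # checks $r->user against the domain's LON-CAPA accounts (or applies
    # the configured behaviour for a principal with no LON-CAPA account).
    $r->user($username);
    return Apache2::Const::OK;
}

1;
```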
