[LON-CAPA-admin] SSO with Luminus?
glee at mines.edu
Wed May 2 11:29:39 EDT 2007
[I'm one of our Luminis portal admins and am working with Todd who is one of the
folks who takes care of LON-CAPA on our campus. I got your previous post from
Todd and thought I'd answer/ask some questions directly.]
> We've built it such that we expect the SSO system to act like a normal Apache
> authentication handler and thus supplant our login-screen for the SSO's login.
> It's not expecting the SSO to be using lon-capa's normal login screen in the
> process in any way.
> In some more detail the expected process is:
> - lon-capa gets a request for a url
> - it tries to find if there is an active session or if not, if the url is a
> public one
> - if neither of these are true then it attempts to hand the user request off
> to the SSO
> - the SSO is then expected to do whatever it wants to with the user,
> (eventually handing the user back with the Apache request 'user' field
> filled in)
> This is how Apache Authentication handlers work.
> Thus in the case of SSO we don't expect to ever have the username or
> password to hand off.
> If this isn't how Luminus is expecting to work I'd need to know more about
> it. (Is this actually Luminis? Are there some public docs I could look at?)
The Luminis portal is a SunGard Higher Ed product that is based on Campus
Pipeline and uPortal. [At this point, there aren't any comprehensive public
Luminis SSO or GCF (General Connector Framework) docs that I know of... Not sure
who actually developed GCF. W/in the Luminis world, folks talk about SSOs, GCF
and CPIP (Campus Pipeline Integration Protocol) and I don't have a clear idea of
the distinctions between them.]
One way SSOs are handled on Luminis is by trying to use the existing login
process with a held copy of the external system username/password and
take care of the authentication behind the scenes for the user ... that is, we
have stored login info for the user and submit the authentication request for
them and then pass back a valid URL/session/cookies to the client. [I believe
this is GCF stuff.] With this method we put a pickup.html file on the external
system to help us handle the cookies/session management, but the bulk of the SSO
setup is on the Luminis server rather than modifications on the external server.
The above process works pretty straightforwardly when the login form variable
names always stay the same... of course, this isn't the case with the LON-CAPA
login process where the password variable name changes every time you access the
login form. "GRAB"ing the changing variable names from the form is supposed to
be do-able, but I'm trying to figure out if the Apache module on the LON-CAPA
server might be an easier way to go...
A couple of questions about LON-CAPA and the Apache module:
- I'm assuming that the LON-CAPA system uses the Apache web server and the SSO
module is just an add-on... rather than LON-CAPA using something else for web
services and then Apache *and* the Apache module needing to be installed for the
SSO? Hmmm, reading your notes, I think it could be either way?
- With the Apache module method, you mention that passwords are not handed
off... so is this basically a *trust* setup between the LON-CAPA server and the
portal? That is, the SSO/LON-CAPA will trust the portal and hand off a user
session without any direct user authentication on LON-CAPA or between LON-CAPA
and the portal?
I saw some notes that you wrote in a previous post... how do we get the LON-CAPA
SSO Apache module and install info?
o..................Have you played today?..................o
Ginny Lee ... glee at mines.edu ... 303.384.2122
Colorado School of Mines . Academic Computing and Networking
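
The request flow quoted in the message above, modelled in Python as an added example; it is not LON-CAPA's or Luminis's code and not part of the original post. All names (`Request`, `SESSIONS`, `PUBLIC_PREFIXES`, `handle`) and sample values are hypothetical; the `user` attribute stands in for the Apache request 'user' field that the SSO handler is expected to fill in.

```python
from dataclasses import dataclass
from typing import Optional
import secrets

PUBLIC_PREFIXES = ("/public/",)   # constructed sample of "public" URLs
SESSIONS = {}                     # session id -> username (in-memory model)


@dataclass
class Request:
    url: str
    session_id: Optional[str] = None  # cookie presented by the browser
    user: Optional[str] = None        # set only by the server-side SSO handler


def handle(req):
    """Return (decision, username, session_id) following the quoted steps."""
    # Step 1: is there an active session for this request?
    name = SESSIONS.get(req.session_id) if req.session_id else None
    if name:
        return ("serve", name, req.session_id)
    # Step 2: no session, but the URL may be a public one.
    if req.url.startswith(PUBLIC_PREFIXES):
        return ("serve-public", None, None)
    # Step 3: neither holds, so the request is handed off to the SSO,
    # unless the SSO handler has already filled in the user field.
    if not req.user:
        return ("hand-off-to-sso", None, None)
    # Step 4: the SSO handed the user back. The application never sees a
    # username/password pair; it accepts the identity the handler asserts,
    # so in this model whatever can set `user` is fully trusted.
    sid = secrets.token_hex(16)
    SESSIONS[sid] = req.user
    return ("serve", req.user, sid)
```

In this model the only credential check happens inside the SSO handler, so the `user` field must come from that handler alone and never from anything the browser supplies.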