[LON-CAPA-admin] SSO with Luminus?

Ginny Lee glee at mines.edu
Wed May 2 11:29:39 EDT 2007


[I'm one of our Luminis portal admins and am working with Todd who is one of the 
folks who takes care of LON-CAPA on our campus.  I got your previous post from 
Todd and thought I'd answer/ask some questions directly.]

 > We've built it such that we expect the SSO system to act like a normal Apache
 > authentication handler and thus supplant our login-screen for the SSO's login
 > screen.
 > It's not expecting the SSO to be using lon-capa's normal login screen in the
 > process in any way.
 > In some more detail the expected process is:
 > - lon-capa gets a request for a url
 > - it tries to find if there is an active session or if not, if the url is a
 >   public one
 > - if neither of these are true then it attempts to hand the user request off
 >   to the SSO
 > - the SSO is then expected to do whatever it wants to with the user,
 >   (eventually handing the user back with the Apache request 'user' field
 >   filled in)
 > This is how Apache Authentication handlers work.
 > Thus in the case of SSO we don't expect to ever have the username or
 > password to hand off.
 > If this isn't how Luminus is expecting to work I'd need to know more about
 > it.
 > (Is this actually Luminis? Are there some public docs I could look at?)

The Luminis portal is a SunGard Higher Ed product that is based on Campus 
Pipeline and uPortal.  [At this point, there aren't any comprehensive public 
Luminis SSO or GCF (General Connector Framework) docs that I know of... Not sure 
who actually developed GCF.  W/in the Luminis world, folks talk about SSOs, GCF 
and CPIP (Campus Pipeline Integration Protocol) and I don't have a clear idea of 
the distinctions between them.]

One way SSOs are handled on Luminis is by trying to use the existing login 
process with a held copy of the external system username/password and
take care of the authentication behind the scenes for the user ... that is, we 
have stored login info for the user and submit the authentication request for 
them and then pass back a valid URL/session/cookies to the client. [I believe 
this is GCF stuff.]  With this method we put a pickup.html file on the external 
system to help us handle the cookies/session management, but the bulk of the SSO 
setup is on the Luminis server rather than modifications on the external server.

The above process works pretty straightforward when the login form variable 
names always stay the same... of course, this isn't the case with the LON-CAPA 
login process where the password variable name changes every time you access the 
login form.  "GRAB"ing the changing variable names from the form is supposed to 
be do-able, but I'm trying to figure out if the Apache module on the LON-CAPA 
server might be an easier way to go...

A couple of questions about LON-CAPA and the Apache module:
- I'm assuming that the LON-CAPA system uses the Apache web server and the SSO 
module is just an add-on... rather than LON-CAPA using something else for web 
services and then Apache *and* the Apache module needing to be installed for the 
SSO?  Hmmm, reading your notes, I think it could be either way?

- With the Apache module method, you mention that passwords are not handed 
off... so is this basically a *trust* setup between the LON-CAPA server and the 
portal?  That is, the SSO/LON-CAPA will trust the portal and hand off a user 
session without any direct user authentication on LON-CAPA or between LON-CAPA 
and the portal?

I saw some notes that you wrote in a previous post... how do we get the LON-CAPA 
SSO Apache module and install info?

Thanks... Ginny

o..................Have you played today?..................o
Ginny Lee   ...   glee at mines.edu   ...   303.384.2122
Colorado School of Mines . Academic Computing and Networking
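
Added example, not part of the original message and not LON-CAPA code: a simplified Python model of the request flow listed in the quoted reply above, showing that the application takes identity only from the `user` field set by the server's authentication handler and never handles a password. The URLs, session store and the `X-Remote-User` header are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PUBLIC_PREFIXES = ("/public/",)       # assumption: which URLs count as public
SESSIONS = {"cookie-abc": "jdoe"}     # constructed session store: cookie -> user


@dataclass
class Request:
    url: str
    session_cookie: Optional[str] = None
    # Filled in only by the web server's authentication handler (the SSO),
    # never copied from anything the client sends.
    user: Optional[str] = None
    headers: Dict[str, str] = field(default_factory=dict)


def handle(req: Request) -> Tuple[str, Optional[str]]:
    """Return (decision, username) following the flow in the quoted reply."""
    # 1. An active session is honoured first.
    if req.session_cookie in SESSIONS:
        return "serve", SESSIONS[req.session_cookie]
    # 2. Public URLs need no identity at all.
    if req.url.startswith(PUBLIC_PREFIXES):
        return "serve-public", None
    # 3. The SSO handler has already run and filled in the user field.
    #    No password reaches this code; the application trusts the handler.
    if req.user:
        SESSIONS["sso-" + req.user] = req.user   # start a session
        return "serve", req.user
    # 4. Neither session nor public URL: hand the request off to the SSO.
    #    Client-supplied headers are deliberately not consulted here.
    return "handoff-to-sso", None


if __name__ == "__main__":
    samples = [
        Request("/course/hw1", session_cookie="cookie-abc"),
        Request("/public/syllabus.html"),
        Request("/course/hw1"),
        Request("/course/hw1", headers={"X-Remote-User": "admin"}),
        Request("/course/hw1", user="glee"),
    ]
    for r in samples:
        print(r.url, r.user, r.headers, "->", handle(r))
```

Because step 3 is the only place identity enters, the security of the whole arrangement rests on who is able to set that field.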
