[LON-CAPA-admin] JA-SIG/Yale CAS with LON-CAPA

Stuart Raeburn raeburn at msu.edu
Thu Apr 2 11:23:18 EDT 2009


Mike,

At MSU, Single Sign On (SSO) for LON-CAPA has been implemented using  
an Apache module (mod_sentinel) to communicate with a locally built  
CAS system. Under the current implementation, page requests for  
msu.loncapa.org from browsers without a valid LON-CAPA session cookie  
are redirected by mod_sentinel to the centrally maintained CAS log-in  
page (customizable for the application needing SSO auth).

From the LON-CAPA side of things the following perl variables need to  
be set in an Apache configuration file:

PerlSetVar lonOtherAuthen yes
PerlSetVar lonOtherAuthenType Sentinel
PerlSetVar lonSSOUserUnknownRedirect /adm/sso_failed_login
PerlSetVar lonSSOUserLogoutMessageFile /home/httpd/html/adm/sso_logout_link_html_frag

PerlSetVar lonSSOReloginServer http://msu.loncapa.org

(in this example Sentinel is the CAS system in use).

Successful authentication by Sentinel makes the username of the  
authenticated user available to LON-CAPA's Authz handler via $r->user,  
when SSO authentication has been used.

Although the CAS (Sentinel) Apache module/configuration could have  
been deployed on all MSU LON-CAPA servers, at MSU this is only run on  
one server (which is aliased as msu.loncapa.org).  That particular  
server only handles authentication and initiation of the user's  
LON-CAPA session.  Once those are complete, the user's session is  
switched using LON-CAPA's inbuilt load balancing to the least loaded  
of the MSU access servers.

This requires the following in the Apache configuration file:

PerlSetVar lonBalancer yes

This should be omitted if the server is to host LON-CAPA sessions in  
the normal way.  Equally, a LON-CAPA server can be used as a load  
balancing server without CAS authentication, if this single line is  
included in a config file.

One motivation for restricting SSO to the single load balancer server,  
is that LON-CAPA users from another domain may find their way directly  
to one of the MSU access servers.  In that case the user needs the  
standard LON-CAPA log-in page (which includes a form entry field for  
the user's domain).  A further motivation is the issue of  
accommodating LON-CAPA users from the msu domain who do not have  
institutional log-in IDs, i.e., those who use LON-CAPA internal  
authentication.  This has been variously addressed with a link shown  
on the CAS login page:

"Log-in here if the username you use in LON-CAPA is not a NetID"
where "here" is a link to /adm/login

and also with a "Log-in help" link which points to:  
http://loncapa.msu.edu/login_info

One further consideration is what to do about users who successfully  
authenticate using CAS, but who do not have LON-CAPA accounts (the  
"lonSSOUserUnknownRedirect" condition).  Under this condition, the  
page defined for this PerlVar in the Apache config will be displayed,  
or (if the domain has been configured to permit self-creation of  
accounts - added in LON-CAPA 2.7), a page generated by  
/adm/createaccount will be displayed to allow the user to confirm that  
he/she wishes to create a LON-CAPA account using his/her CAS username.

Stuart Raeburn
MSU LON-CAPA group


Quoting Mike Stanger <mstanger at sfu.ca>:

> We're considering integrating JA-SIG CAS (Central Authentication
> System) with LON-CAPA.  I'm wondering what other schools' experience
> has been with using CAS in LON-CAPA? Is there a 'right way' to go
> about it?  My initial thought on how to put it in place is to protect
> the entire space with mod_cas and grab the authenticated users from
> apache's REMOTE-USER env var, completely overriding the initial login
> page, which seems a bit kludgy.
>
> Any comments from those have experimented with, or are currently
> running LON-CAPA with CAS would be greatly appreciated.
>
> Cheers,
> Mike
>
> +------------------------
> |Mike Stanger
> |Systems Consultant, ICAT
> |SH1023 Simon Fraser University
> |Burnaby, BC Canada V5A 1S6
> |Phone: (778) 782-3361
> |FAX: (778) 782-4242
> |email: mstanger at sfu.ca
> |http://www.sfu.ca/~mstanger

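As an added illustration (this is not LON-CAPA's own Authz handler, nor MSU's mod_sentinel code), the following mod_perl 2 handler sketches the decision tree the message above describes: a request carrying a valid LON-CAPA session cookie is handled normally; otherwise $r->user is trusted only when lonOtherAuthen/lonOtherAuthenType are set; a CAS-authenticated user without a LON-CAPA account is sent to /adm/createaccount when the domain permits self-creation and to lonSSOUserUnknownRedirect when it does not. The package name, the cookie name lonID, the lonDefDomain variable, the account lookup and the self-creation check are all assumptions made for the example.

```perl
# Example only: a mod_perl 2 access handler mirroring the SSO flow described
# in the message. Package and helper names, the 'lonID' cookie name, the
# 'lonDefDomain' variable and the lookup tables are assumptions.
package Example::SSOAuthz;
use strict;
use warnings;
use Apache2::RequestRec  ();   # $r->user, $r->headers_in
use Apache2::RequestUtil ();   # $r->dir_config
use APR::Table           ();   # ->get / ->set on header tables
use Apache2::Const -compile => qw(OK DECLINED REDIRECT);

# Hypothetical stand-ins for the domain's account lookup and for the
# LON-CAPA 2.7 "self-creation of accounts" domain setting.
my %known_users = ( jdoe => 1 );
sub lookup_account          { my ($uname, $udom) = @_; return $known_users{$uname} ? 1 : 0; }
sub domain_allows_selfcreate { my ($udom) = @_;          return 0; }

sub handler {
    my $r = shift;

    # 1. A request that already carries a LON-CAPA session cookie is handled
    #    by the normal session machinery; SSO is not consulted at all.
    my $cookie_hdr = $r->headers_in->get('Cookie') || '';
    my %cookies = map { split /=/, $_, 2 } grep { /=/ } split /;\s*/, $cookie_hdr;
    return Apache2::Const::DECLINED if defined $cookies{lonID};

    # 2. Only honour $r->user when the config explicitly enables the other
    #    authentication type; on an ordinary access server (no mod_sentinel,
    #    no lonOtherAuthen) the user must see the standard /adm/login page.
    my $other = $r->dir_config('lonOtherAuthen')     || '';
    my $type  = $r->dir_config('lonOtherAuthenType') || '';
    return Apache2::Const::DECLINED unless $other eq 'yes' && $type eq 'Sentinel';

    # $r->user is populated by the SSO Apache module after a successful CAS
    # log-in; an empty value means the module let the request through unauthenticated.
    my $ssouser = $r->user;
    return Apache2::Const::DECLINED unless defined $ssouser && length $ssouser;

    # CAS identities are mapped into the institutional domain only (assumed var).
    my $udom = $r->dir_config('lonDefDomain') || 'msu';

    # 3. CAS succeeded but there is no LON-CAPA account for that username
    #    (the "lonSSOUserUnknownRedirect" condition).
    unless (lookup_account($ssouser, $udom)) {
        my $target = domain_allows_selfcreate($udom)
            ? '/adm/createaccount'
            : ($r->dir_config('lonSSOUserUnknownRedirect') || '/adm/sso_failed_login');
        $r->headers_out->set(Location => $target);
        return Apache2::Const::REDIRECT;
    }

    # 4. Known user: LON-CAPA would now initiate the session here. With
    #    'PerlSetVar lonBalancer yes' the session is then switched to the
    #    least-loaded access server instead of being hosted on this machine.
    $r->notes->set(sso_user => $ssouser);   # hand the identity to the next phase
    return Apache2::Const::OK;
}

1;
```

The point to take from step 2 is that the SSO identity is only consulted when the configuration says so; a host that is not running the CAS module must not treat any user value as authenticated, which is why a plain access server that a user from another domain reaches directly falls through to the ordinary log-in page with its domain field.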