[LON-CAPA-admin] JA-SIG/Yale CAS with LON-CAPA

Mike Stanger mstanger at sfu.ca
Fri Apr 3 13:11:42 EDT 2009


Thanks Stuart, HK and Stefan for your replies.  Sounds like there is a  
solid history of using CAS so I'll take these steps and try it out in  
the next couple of days.

I appreciate the feedback :-)

Cheers,
Mike

On Apr 2, 2009, at 8:23 AM, Stuart Raeburn wrote:

> Mike,
>
> At MSU, Single Sign On (SSO) for LON-CAPA has been implemented using  
> an Apache module (mod_sentinel) to communicate with a locally built  
> CAS system. Under the current implementation, page requests for  
> msu.loncapa.org from browsers without a valid LON-CAPA session  
> cookie are redirected by mod_sentinel to the centrally maintained  
> CAS log-in page (customizable for the application needing SSO auth).
>
> From the LON-CAPA side of things the following perl variables need  
> to be set in an Apache configuration file:
>
> PerlSetVar lonOtherAuthen yes
> PerlSetVar lonOtherAuthenType Sentinel
> PerlSetVar lonSSOUserUnknownRedirect /adm/sso_failed_login
> PerlSetVar lonSSOUserLogoutMessageFile /home/httpd/html/adm/sso_logout_link_html_frag
>
> PerlSetVar lonSSOReloginServer http://msu.loncapa.org
>
> (in this example Sentinel is the CAS system in use).
>
> Successful authentication by Sentinel makes the username of the  
> authenticated user available to LON-CAPA's Authz handler via  
> $r->user, when SSO authentication has been used.
>
> Although the CAS (Sentinel) Apache module/configuration could have  
> been deployed on all MSU LON-CAPA servers, at MSU this is only run  
> on one server (which is aliased as msu.loncapa.org).  That  
> particular server only handles authentication and initiation of the  
> user's LON-CAPA session.  Once those are complete, the user's  
> session is switched using LON-CAPA's inbuilt load balancing to the  
> least loaded of the MSU access servers.
>
> This requires the following in the Apache configuration file:
>
> PerlSetVar lonBalancer yes
>
> This should be omitted if the server is to host LON-CAPA sessions in  
> the normal way.  Equally, a LON-CAPA server can be used as a load  
> balancing server without CAS authentication, if this single line is  
> included in a config file.
>
> One motivation for restricting SSO to the single load balancer  
> server is that LON-CAPA users from another domain may find their  
> way directly to one of the MSU access servers.  In that case the  
> user needs the standard LON-CAPA log-in page (which includes a form  
> entry field for the user's domain).  A further motivation is the  
> issue of accommodating LON-CAPA users from the msu domain who do not  
> have institutional log-in IDs, i.e., those who use LON-CAPA internal  
> authentication.  This has been variously addressed with a link shown  
> on the CAS login page:
>
> "Log-in here username you use in LON-CAPA is not a NetID"
> where "here" is a link to /adm/login
>
> and also with a "Log-in help" link which points to: http://loncapa.msu.edu/login_info
>
> One further consideration is what to do about users who successfully  
> authenticate using CAS, but who do not have LON-CAPA accounts (the  
> "lonSSOUserUnknownRedirect" condition).  Under this condition, the  
> page defined for this PerlVar in the Apache config will be  
> displayed, or (if the domain has been configured to permit  
> self-creation of accounts - added in LON-CAPA 2.7), a page generated  
> by /adm/createaccount will be displayed to allow the user to confirm  
> that he/she wishes to create a LON-CAPA account using his/her CAS  
> username.
>
> Stuart Raeburn
> MSU LON-CAPA group
>
>
> Quoting Mike Stanger <mstanger at sfu.ca>:
>
>> We're considering integrating JA-SIG CAS (Central Authentication
>> System) with LON-CAPA.  I'm wondering what other schools' experience
>> has been with using CAS in LON-CAPA? Is there a 'right way' to go
>> about it?  My initial thought on how to put it in place is to protect
>> the entire space with mod_cas and grab the authenticated users from
>> apache's REMOTE_USER env var, completely overriding the initial login
>> page, which seems a bit kludgy.
>>
>> Any comments from those who have experimented with, or are currently
>> running LON-CAPA with CAS would be greatly appreciated.
>>
>> Cheers,
>> Mike
>>
>>
>>
>>
>> +------------------------
>> |Mike Stanger
>> |Systems Consultant, ICAT
>> |SH1023 Simon Fraser University
>> |Burnaby, BC Canada V5A 1S6
>> |Phone: (778) 782-3361
>> |FAX: (778) 782-4242
>> |email: mstanger at sfu.ca
>> |http://www.sfu.ca/~mstanger
>
>
>
>
> _______________________________________________
> LON-CAPA-admin mailing list
> LON-CAPA-admin at mail.lon-capa.org
> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin
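The two halves of the set-up discussed in this thread, as an added Python example that is not part of the thread and is not LON-CAPA, mod_cas or mod_sentinel code: first, the CAS 2.0 /serviceValidate exchange that a CAS Apache module must complete before it may expose a username via REMOTE_USER or $r->user (the ticket is only ever trusted after the server-side validation call, and only the username inside cas:authenticationSuccess is used); second, the LON-CAPA-side dispatch Stuart describes for the SSO username (known user gets a session, unknown user goes to /adm/createaccount when the domain permits self-creation, otherwise to the lonSSOUserUnknownRedirect page) and the balancer hand-off to the least loaded access server. The function names, the cas.example.edu URL, the XML responses, the user set and the load figures are all constructed assumptions.

```python
"""CAS 2.0 ticket validation plus the LON-CAPA SSO dispatch from the thread.
Illustrative code only; all names, URLs and sample data are assumptions."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace used by CAS 2.0 responses

# Constructed sample responses: what the CAS server returns to /serviceValidate.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
# A failure response that also carries a stray cas:user element outside the
# success block; a parser that grabs the first cas:user anywhere would be fooled.
TRICKY_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:user>attacker</cas:user>
  <cas:authenticationFailure code='INVALID_SERVICE'>Bad service</cas:authenticationFailure>
</cas:serviceResponse>"""


def validate_url(cas_base, service, ticket):
    """Build the back-channel /serviceValidate request. `service` must be the
    exact URL that was sent to /login; CAS rejects a ticket presented for any
    other service, which is what stops a ticket issued to one site being
    replayed at another."""
    return cas_base.rstrip("/") + "/serviceValidate?" + urlencode(
        {"service": service, "ticket": ticket})


def parse_validate_response(xml_text):
    """Return the authenticated username, or None on any kind of failure.
    Only <cas:user> nested inside <cas:authenticationSuccess> is trusted."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return None
    user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
    return user or None


def sso_dispatch(username, known_users, self_creation_allowed,
                 unknown_redirect="/adm/sso_failed_login"):
    """What the SSO server does with the username handed over by the CAS
    module (the $r->user value in the thread). Returns (action, target)."""
    if username is None:
        # No validated SSO identity: fall back to the standard LON-CAPA login
        # page, which carries the domain field (assumed behaviour).
        return ("redirect", "/adm/login")
    if username in known_users:
        return ("session", username)
    if self_creation_allowed:
        return ("redirect", "/adm/createaccount")
    return ("redirect", unknown_redirect)


def pick_access_server(loads):
    """Stand-in for the lonBalancer switch: the fresh session is moved to the
    access server with the lowest reported load (figures are constructed)."""
    return min(loads, key=loads.get)


if __name__ == "__main__":
    print(validate_url("https://cas.example.edu/cas",
                       "https://msu.loncapa.org/adm/login", "ST-1"))
    users = {"jdoe"}
    for xml in (SUCCESS_XML, FAILURE_XML, TRICKY_XML):
        name = parse_validate_response(xml)
        print(name, sso_dispatch(name, users, self_creation_allowed=False))
    print(pick_access_server({"access1": 30, "access2": 10, "access3": 20}))
```

The point of TRICKY_XML is that the username must be read from inside the success element, never from the first cas:user found anywhere in the document; the same discipline applies to trusting REMOTE_USER only when it was set by the validating module on the single SSO-facing server, as in the MSU layout above.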