[LON-CAPA-admin] Shibboleth

Stuart Raeburn raeburn at msu.edu
Tue Jan 21 16:05:33 EST 2014


Christian,

> I'm trying to run LON-CAPA (v2.11 CVS-HEAD) authentication against a
> Shibboleth-service. The authentication just works fine.

It's good to learn that you have LON-CAPA Shibboleth authentication  
working, which is a new feature I implemented for the forthcoming 2.11  
LON-CAPA release.

mod_shib will set $r->user to the username following successful  
Shibboleth authentication.  Additionally, LON-CAPA's lonshibacc.pm  
module will remove all but the username, if $r->user was set to an  
institutional e-mail, e.g., sparty at msu.edu

At present, retrieval of user information for a new user via the  
Shibboleth-specific mechanism of reading data passed to the Shibboleth  
SP in environment variables is not supported in LON-CAPA.

> Now, how is it implemented in LON-CAPA to get this information. Is
> there a LDAP service needed for searching those attributes or can I
> somehow read those environment variables and use their content for the
> account creation process?

Currently, the procedure for LON-CAPA account creation for a new user  
who has successfully authenticated via some institutional log-in  
(Kerberos, LDAP, CAS-SSO, or Shibboleth SSO), but lacks a LON-CAPA  
user account, is the same regardless of the authentication method used.

User information (e.g., first name, last name etc.) is retrieved from
a call to the &get_userinfo() subroutine in the customized version of
/home/httpd/lib/perl/localenroll.pm on the primary library server in
your domain.

Please refer to the documentation in  
/home/httpd/lib/perl/localenroll-std.pm on your development machine:

su www
perldoc /home/httpd/lib/perl/localenroll-std.pm

Incoming data: four required arguments, and additional optional arguments.
Your particular use case is the first mode of use for &get_userinfo()
described in the perldoc, i.e.,

Retrieve institutional data for a single user by username when $uname  
is included as the second argument.

Arguments are:

(a) $dom - domain
(b) $uname - username of user
(c) $id - student/faculty ID of user
(d) $instusers - reference to hash which will contain info for user
                  as key = value; keys will be one or all of:
                  lastname,firstname,middlename,generation,id,inststatus -
                  institutional status (e.g., faculty,staff,student)
                  Values are all scalars except inststatus, which is an array.

Your customization of localenroll::get_userinfo() needs to populate
the instusers hash ref, and you might also populate the optional hash
ref $instids (reference to hash which will contain ID numbers; keys
will be unique IDs (student or faculty/staff ID), values will be
either a scalar (username) or an array if a single ID matches multiple
usernames).

You might use a request to your institution's LDAP service for the  
user information for username: $uname.

Note: the web-based LON-CAPA Domain Configuration menu, available to  
Domain Coordinators:

Main Menu -> Set domain configuration -> Display (User modification check).

includes the item: "Information settable when self-creating account  
(if directory data blank)".

This allows you to set which types of user information (if any) you  
will allow a user creating his/her own LON-CAPA account to enter in  
the web form displayed following institutional authentication --  
should &get_userinfo() not be configured.

Let me know if you have any questions.


Stuart Raeburn
LON-CAPA Academic Consortium


Quoting Christian Knieling <knieling at kit.edu>:

> Greetings everyone,
>
> I'm trying to run LON-CAPA (v2.11 CVS-HEAD) authentication against a
> Shibboleth-service. The authentication just works fine. I have trouble
> getting the appropriate user details for the account creation process.
>
> As far as I know the Shibboleth identity provider can dictate what
> information of the user details will be revealed to the service provider
> (here my LON-CAPA standalone machine).
>
> I've got told that my machine will get (besides some other information)
> those three attributes: sn, givenName, mail
>
> From some other experience with Shibboleth and PHP I know that that
> information should be accessible as environment variables of the web
> session.
>
> Now, how is it implemented in LON-CAPA to get this information. Is
> there a LDAP service needed for searching those attributes or can I
> somehow read those environment variables and use their content for the
> account creation process?
>
> Some pointers into the right direction would be great.
>
> Thanks,
> Christian
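The customization Stuart describes, a localenroll::get_userinfo() that
fills $instusers (and optionally $instids) for a single user looked up
by username, as an added example that is not LON-CAPA code and not
part of the original thread. It follows the argument order from the
perldoc quoted above (domain, username, id, instusers, instids). Several
things are assumptions that should be checked against perldoc
localenroll-std.pm on your own server before reuse: the record is
stored under $instusers->{$uname} (hash of hashes), the routine returns
the string 'ok' on success, and the directory exposes the attributes
uid, sn, givenName, employeeNumber and eduPersonAffiliation. The host
name, base DN and the in-memory sample directory are constructed values;
with $LDAP_HOST empty the script runs offline against that sample.

```perl
#!/usr/bin/perl
# Added example (not LON-CAPA code): localenroll::get_userinfo() for the
# "lookup by username" mode, populating $instusers / $instids from LDAP.
# Assumptions: record keyed by username, 'ok' returned on success, and
# the attribute names below; confirm all three against localenroll-std.pm.
use strict;
use warnings;

# Hypothetical directory location. Leave $LDAP_HOST empty to run against
# the constructed in-memory directory below (no network needed).
my $LDAP_HOST = $ENV{LDAP_HOST} || '';
my $LDAP_BASE = 'ou=people,dc=example,dc=edu';

# Constructed sample directory standing in for LDAP when $LDAP_HOST is empty.
my %FAKE_DIRECTORY = (
    sparty   => { sn => 'Spartan',  givenName => 'Sparty',
                  employeeNumber => 'A12345678',
                  eduPersonAffiliation => ['student'] },
    knieling => { sn => 'Knieling', givenName => 'Christian',
                  employeeNumber => 'K00000001',
                  eduPersonAffiliation => ['staff', 'faculty'] },
);

# Map directory attributes onto the keys the perldoc lists for $instusers.
sub record_from_attrs {
    my ($attrs) = @_;
    return {
        lastname   => $attrs->{sn},
        firstname  => $attrs->{givenName},
        middlename => '',
        generation => '',
        id         => $attrs->{employeeNumber},
        inststatus => [ @{ $attrs->{eduPersonAffiliation} || [] } ],
    };
}

# Fetch raw attributes for one uid, from LDAP or the sample directory.
sub fetch_attrs {
    my ($uname) = @_;
    return $FAKE_DIRECTORY{$uname} unless $LDAP_HOST;

    require Net::LDAP;
    require Net::LDAP::Util;
    my $ldap = Net::LDAP->new($LDAP_HOST) or die "LDAP connect failed: $@";
    my $mesg = $ldap->bind;    # anonymous bind; supply credentials if required
    die 'LDAP bind failed: ' . $mesg->error if $mesg->code;

    # $uname comes from $r->user, which mod_shib set from IdP data, but a raw
    # value inside a filter is still an LDAP filter-injection vector: escape it.
    my $safe = Net::LDAP::Util::escape_filter_value($uname);
    $mesg = $ldap->search(
        base   => $LDAP_BASE,
        scope  => 'sub',
        filter => "(uid=$safe)",
        attrs  => [qw(sn givenName employeeNumber eduPersonAffiliation)],
    );
    die 'LDAP search failed: ' . $mesg->error if $mesg->code;
    $ldap->unbind;

    # Exactly one entry must match: zero is an unknown user, more is ambiguous.
    my @entries = $mesg->entries;
    return undef unless @entries == 1;
    my $e = $entries[0];
    return {
        sn                   => scalar $e->get_value('sn'),
        givenName            => scalar $e->get_value('givenName'),
        employeeNumber       => scalar $e->get_value('employeeNumber'),
        eduPersonAffiliation => [ $e->get_value('eduPersonAffiliation') ],
    };
}

# Same argument order as the perldoc; only the $uname mode is implemented.
sub get_userinfo {
    my ($dom, $uname, $id, $instusers, $instids) = @_;
    return 'error: no username supplied' unless defined $uname && $uname ne '';
    return 'error: instusers must be a hash ref' unless ref($instusers) eq 'HASH';

    # lonshibacc.pm already trims an e-mail-shaped $r->user to its local part;
    # repeat it here so a stray '@' never reaches the directory filter.
    $uname =~ s/\@.*$//;

    my $attrs = fetch_attrs($uname);
    return 'ok' unless $attrs;    # unknown to the directory: leave hashes blank

    my $rec = record_from_attrs($attrs);
    $instusers->{$uname} = $rec;
    if (ref($instids) eq 'HASH' && defined $rec->{id} && $rec->{id} ne '') {
        $instids->{ $rec->{id} } = $uname;
    }
    return 'ok';
}

# Stand-alone run against the constructed directory.
unless (caller) {
    my (%instusers, %instids);
    my $rc = get_userinfo('msu', 'sparty@msu.edu', '', \%instusers, \%instids);
    printf "%s: %s %s, id %s, status %s\n", $rc,
        $instusers{sparty}{firstname}, $instusers{sparty}{lastname},
        $instusers{sparty}{id}, join(',', @{ $instusers{sparty}{inststatus} });
    printf "instids: %s\n", join(' ', map { "$_=>$instids{$_}" } sort keys %instids);
}
```

Two points worth keeping in mind when adapting this. Returning 'ok'
with the hash left empty for a user the directory does not know is
deliberate: it lets the "Information settable when self-creating
account (if directory data blank)" setting Stuart mentions take over
and present the web form. And if you later decide to read sn, givenName
and mail straight from the attributes the SP exposes, prefer the
environment variables mod_shib sets over HTTP headers: headers can be
supplied by the client unless the SP is configured to strip them, while
the environment is populated only by mod_shib itself.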




