[LON-CAPA-admin] Shibboleth

Christian Knieling knieling at kit.edu
Thu Jan 23 08:11:24 EST 2014


Hi Stuart,

I'm grateful for this elaboration.

Probably I'll take a look into capturing that information presented in
the environment.

Before my query I tried it, but those environment variables weren't
available "at runtime on the createaccount.pm page". So I'll need to
save them elsewhere before, I guess.

If you have a hint for that, it is welcome. ;)

So far thanks for your answer
Christian


> Christian,
> 
>> I'm trying to run LON-CAPA (v2.11 CVS-HEAD) authentication against a
>> Shibboleth-service. The authentication just works fine.
> 
> It's good to learn that you have LON-CAPA Shibboleth authentication
> working, which is a new feature I implemented for the forthcoming 2.11
> LON-CAPA release.
> 
> mod_shib will set $r->user to the username following successful
> Shibboleth authentication.  Additionally, LON-CAPA's lonshibacc.pm
> module will remove all but the username, if $r->user was set to an
> institutional e-mail, e.g., sparty at msu.edu
> 
> At present, retrieval of user information for a new user via the
> Shibboleth-specific mechanism of reading data passed to the Shibboleth
> SP in environment variables is not supported in LON-CAPA.
> 
>> Now, how is it implemented in LON-CAPA to get this information. Is
>> there a LDAP service needed for searching those attributes or can I
>> somehow read those environment variables and use their content for the
>> account creation process?
> 
> Currently, the procedure for LON-CAPA account creation for a new user
> who has successfully authenticated via some institutional log-in
> (Kerberos, LDAP, CAS-SSO, or Shibboleth SSO), but lacks a LON-CAPA user
> account, is the same regardless of the authentication method used.
> 
> User information (e.g., first name, last name etc.) is retrieved from a
> call to the &get_userinfo() subroutine in the customized version of
> /home/httpd/lib/perl/localenroll.pm on the primary library server in
> your domain.
> 
> Please refer to the documentation in
> /home/httpd/lib/perl/localenroll-std.pm on your development machine:
> 
> su www
> perldoc /home/httpd/lib/perl/localenroll-std.pm
> 
> Incoming data: four required arguments, and additional optional arguments.
> Your particular use case is the first mode of use for &get_userinfo()
> described in the perldoc, i.e.,
> 
> Retrieve institutional data for a single user by username when $uname is
> included as the second argument.
> 
> Arguments are:
> 
> (a) $dom - domain
> (b) $uname - username of user
> (c) $id - student/faculty ID of user
> (d) $instusers - reference to hash which will contain info for user
>                  as key = value; keys will be one or all of:
>                  lastname,firstname,middlename,generation,id,inststatus -
>                  institutional status (e.g., faculty,staff,student)
>                  Values are all scalars except inststatus, which is an
>                  array.
> 
> Your customization of localenroll::get_userinfo() needs to populate the
> instusers hash ref, and you might also populate the optional hash ref:
> $instids
> (reference to hash which will contain ID numbers - keys will be unique
> IDs (student or faculty/staff ID) values will be either: scalar
> (username) or an array if a single ID matches multiple usernames.).
> 
> You might use a request to your institution's LDAP service for the user
> information for username: $uname.
> 
> Note: the web-based LON-CAPA Domain Configuration menu, available to
> Domain Coordinators:
> 
> Main Menu -> Set domain configuration -> Display (User modification check).
> 
> includes the item: "Information settable when self-creating account (if
> directory data blank)".
> 
> This allows you to set which types of user information (if any) you will
> allow a user creating his/her own LON-CAPA account to enter in the web
> form displayed following institutional authentication -- should
> &get_userinfo() not be configured.
> 
> Let me know if you have any questions.
> 
> 
> Stuart Raeburn
> LON-CAPA Academic Consortium
> 
> 
> Quoting Christian Knieling <knieling at kit.edu>:
> 
>> Greetings everyone,
>>
>> I'm trying to run LON-CAPA (v2.11 CVS-HEAD) authentication against a
>> Shibboleth-service. The authentication just works fine. I've trouble
>> getting the appropriate user details for the account creation process.
>>
>> As far as I know the Shibboleth identity provider can dictate what
>> information of the user details will be revealed to the service provider
>> (here my LON-CAPA standalone machine).
>>
>> I've been told that my machine will get (besides some other information)
>> those three attributes: sn, givenName, mail
>>
>> From some other experience with Shibboleth and PHP I know that this
>> information should be accessible as environment variables of the web
>> session.
>>
>> Now, how is it implemented in LON-CAPA to get this information. Is
>> there a LDAP service needed for searching those attributes or can I
>> somehow read those environment variables and use their content for the
>> account creation process?
>>
>> Some pointers into the right direction would be great.
>>
>> Thanks,
>> Christian
> 
> 


-- 
Karlsruher Institut für Technologie (KIT)
Institut für Angewandte und Numerische Mathematik 1

Christian Knieling
IT-Administration

Kaiserstraße 89-93
Building 05.20, Room 3B-05-1
76133 Karlsruhe

Phone:   +49 721 608-45810
Fax:     +49 721 608-43767
E-Mail:  Christian.Knieling at kit.edu
Web:     http://na.math.kit.edu/

KIT – University of the State of Baden-Württemberg and
National Research Center of the Helmholtz Association
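
The customization of localenroll::get_userinfo() described in the quoted reply, as an added example that is not part of the original messages and is not LON-CAPA's own code: it looks up $uname in LDAP with an escaped search filter and fills $instusers and $instids. The LDAP URI, base DN, CA file, the uid/employeeNumber/eduPersonAffiliation attributes, the 'ok'/'error' return values and the $instusers->{$uname}{key} layout are assumptions; check them against the perldoc for localenroll-std.pm.

```perl
# Added example, not LON-CAPA code. LDAP settings, attribute names, return
# values and the $instusers->{$uname}{key} layout are assumptions.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Entry;
use Net::LDAP::Util qw(escape_filter_value);

my %LDAP = (uri => 'ldaps://ldap.example.edu', base => 'ou=people,dc=example,dc=edu',
            cafile => '/etc/ssl/certs/ca-certificates.crt');    # placeholders
my %MAP = (sn => 'lastname', givenName => 'firstname', employeeNumber => 'id');

# Copy one directory entry into the hashes get_userinfo() has to fill.
sub fill_userinfo {
    my ($uname, $entry, $instusers, $instids) = @_;
    for my $attr (keys %MAP) {
        my $val = $entry->get_value($attr);    # scalar context: first value
        $instusers->{$uname}{$MAP{$attr}} = $val if defined($val) && $val ne '';
    }
    $instusers->{$uname}{inststatus} = [ $entry->get_value('eduPersonAffiliation') ];  # array
    my $id = $instusers->{$uname}{id};
    $instids->{$id} = $uname if ref($instids) eq 'HASH' && defined $id;
    return 'ok';
}

sub get_userinfo {
    my ($dom, $uname, $id, $instusers, $instids) = @_;
    # $uname comes from the SSO layer; accept only a plain username.
    return 'error' unless defined($uname) && $uname =~ /\A[A-Za-z0-9._-]{1,64}\z/;
    my $ldap = Net::LDAP->new($LDAP{uri}, verify => 'require',
                              cafile => $LDAP{cafile}, timeout => 10) or return 'error';
    return 'error' if $ldap->bind->code;       # anonymous bind
    my $mesg = $ldap->search(base => $LDAP{base}, scope => 'sub', sizelimit => 2,
        filter => '(uid=' . escape_filter_value($uname) . ')',
        attrs  => [ keys(%MAP), 'eduPersonAffiliation' ]);
    my @entries = $mesg->entries;
    $ldap->unbind;
    return 'error' unless @entries == 1;       # none, or ambiguous match
    return fill_userinfo($uname, $entries[0], $instusers, $instids);
}

# Offline check with a constructed entry (no directory is contacted).
my $e = Net::LDAP::Entry->new;
$e->dn('uid=sparty,ou=people,dc=example,dc=edu');
$e->add(sn => 'Spartan', givenName => 'Sparty', employeeNumber => 'A00000001',
        eduPersonAffiliation => [ 'student', 'member' ]);
my (%users, %ids);
fill_userinfo('sparty', $e, \%users, \%ids);
print "$_=$users{sparty}{$_}\n" for qw(firstname lastname id);
print "inststatus=@{ $users{sparty}{inststatus} }\n";
```

The username pattern and `escape_filter_value()` keep a value supplied by the authentication layer from altering the search filter, and requiring exactly one entry avoids creating an account from an ambiguous directory match.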



