[LON-CAPA-admin] Shibboleth
Christian Knieling
knieling at kit.edu
Thu Jan 23 08:11:24 EST 2014
Hi Stuart,
I'm grateful for this elaboration.
Probably I'll take a look into capturing that information presented in
the environment.
Before my query I tried it, but those environment variables weren't
available "at runtime on the createaccount.pm page". So I'll need to
save them elsewhere beforehand, I guess.
If you have a hint for that, it is welcome. ;)
Thanks for your answer so far.
Christian
> Christian,
>
>> I'm trying to run LON-CAPA (v2.11 CVS-HEAD) authentication against a
>> Shibboleth-service. The authentication just works fine.
>
> It's good to learn that you have LON-CAPA Shibboleth authentication
> working, which is a new feature I implemented for the forthcoming 2.11
> LON-CAPA release.
>
> mod_shib will set $r->user to the username following successful
> Shibboleth authentication. Additionally, LON-CAPA's lonshibacc.pm
> module will remove all but the username, if $r->user was set to an
> institutional e-mail, e.g., sparty at msu.edu
>
> At present, retrieval of user information for a new user via the
> Shibboleth-specific mechanism of reading data passed to the Shibboleth
> SP in environment variables is not supported in LON-CAPA.
>
>> Now, how is it implemented in LON-CAPA to get this information? Is
>> there a LDAP service needed for searching those attributes or can I
>> somehow read those environment variables and use their content for the
>> account creation process?
>
> Currently, the procedure for LON-CAPA account creation for a new user
> who has successfully authenticated via some institutional log-in
> (Kerberos, LDAP, CAS-SSO, or Shibboleth SSO), but lacks a LON-CAPA user
> account, is the same regardless of the authentication method used.
>
> User information (e.g., first name, last name etc.) is retrieved from a
> call to the &get_userinfo() subroutine in the customized version of
> /home/httpd/lib/perl/localenroll.pm on the primary library server in
> your domain.
>
> Please refer to the documentation in
> /home/httpd/lib/perl/localenroll-std.pm on your development machine:
>
> su www
> perldoc /home/httpd/lib/perl/localenroll-std.pm
>
> Incoming data: four required arguments, and additional optional arguments.
> Your particular use case is the first mode of use for &get_userinfo()
> described in the perldoc, i.e.,
>
> Retrieve institutional data for a single user by username when $uname is
> included as the second argument.
>
> Arguments are:
>
> (a) $dom - domain
> (b) $uname - username of user
> (c) $id - student/faculty ID of user
> (d) $instusers - reference to hash which will contain info for user
>     as key = value; keys will be one or all of:
>     lastname, firstname, middlename, generation, id, inststatus -
>     institutional status (e.g., faculty, staff, student).
>     Values are all scalars except inststatus, which is an
>     array.
>
> Your customization of localenroll::get_userinfo() needs to populate the
> instusers hash ref, and you might also populate the optional hash ref:
> $instids
> (reference to hash which will contain ID numbers - keys will be unique
> IDs (student or faculty/staff ID) values will be either: scalar
> (username) or an array if a single ID matches multiple usernames.).
>
> You might use a request to your institution's LDAP service for the user
> information for username: $uname.
>
> Note: the web-based LON-CAPA Domain Configuration menu, available to
> Domain Coordinators:
>
> Main Menu -> Set domain configuration -> Display (User modification check).
>
> includes the item: "Information settable when self-creating account (if
> directory data blank)".
>
> This allows you to set which types of user information (if any) you will
> allow a user creating his/her own LON-CAPA account to enter in the web
> form displayed following institutional authentication -- should
> &get_userinfo() not be configured.
>
> Let me know if you have any questions.
>
>
> Stuart Raeburn
> LON-CAPA Academic Consortium
>
>
> Quoting Christian Knieling <knieling at kit.edu>:
>
>> Greetings everyone,
>>
>> I'm trying to run LON-CAPA (v2.11 CVS-HEAD) authentication against a
>> Shibboleth-service. The authentication just works fine. I've trouble
>> getting the appropriate user details for the account creation process.
>>
>> As far as I know the Shibboleth identity provider can dictate what
>> information of the user details will be revealed to the service provider
>> (here my LON-CAPA standalone machine).
>>
>> I've been told that my machine will get (besides some other information)
>> those three attributes: sn, givenName, mail
>>
>> From some other experience with Shibboleth and PHP I know that this
>> information should be accessible as environment variables of the web
>> session.
>>
>> Now, how is it implemented in LON-CAPA to get this information? Is
>> there a LDAP service needed for searching those attributes or can I
>> somehow read those environment variables and use their content for the
>> account creation process?
>>
>> Some pointers into the right direction would be great.
>>
>> Thanks,
>> Christian
--
Karlsruher Institut für Technologie (KIT)
Institut für Angewandte und Numerische Mathematik 1
Christian Knieling
IT-Administration
Kaiserstraße 89-93
Gebäude 05.20, Raum 3B-05-1
76133 Karlsruhe
Phone: +49 721 608-45810
Fax: +49 721 608-43767
E-Mail: Christian.Knieling at kit.edu
Web: http://na.math.kit.edu/
KIT – University of the State of Baden-Württemberg and
National Research Center of the Helmholtz Association
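
An added sketch of the get_userinfo() customization described in the quoted reply (example code, not LON-CAPA's own): it validates $uname, escapes it for an LDAP filter, and fails closed unless exactly one directory entry matches. The in-memory directory, the directory_search helper, the directory attribute names, the 'ok'/'unavailable' return strings and the nesting of fields under the username are assumptions of this example; check them against the perldoc for localenroll-std.pm.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the institutional directory. A real customization
# would run an LDAP search here; the entry and its values are made up.
my @DIRECTORY = (
    { uid => 'sparty', sn => 'Spartan', givenName => 'Sparty',
      employeeNumber => 'A12345678', eduPersonAffiliation => ['student'] },
);

# RFC 4515 escaping, so a username can never change the filter's structure.
sub escape_filter_value {
    my ($value) = @_;
    $value =~ s/([\\*()\0])/sprintf('\\%02x', ord($1))/ge;
    return $value;
}

# Hypothetical helper: accepts only the exact filter "(uid=<value>)".
sub directory_search {
    my ($filter) = @_;
    my ($want) = $filter =~ /\A\(uid=([^()]*)\)\z/ or return ();
    return grep { escape_filter_value($_->{uid}) eq $want } @DIRECTORY;
}

# Argument order follows the list quoted above; the return strings and the
# nesting of the fields under $uname are assumptions of this example.
sub get_userinfo {
    my ($dom, $uname, $id, $instusers, $instids) = @_;
    return 'unavailable'
        unless defined($uname) && $uname =~ /\A[A-Za-z0-9._-]{1,64}\z/;
    my @hits = directory_search('(uid=' . escape_filter_value($uname) . ')');
    return 'unavailable' unless @hits == 1;    # fail closed on 0 or >1 matches
    my $e = $hits[0];
    $instusers->{$uname} = {
        lastname   => $e->{sn},
        firstname  => $e->{givenName},
        id         => $e->{employeeNumber},
        inststatus => [ @{ $e->{eduPersonAffiliation} || [] } ],  # an array
    };
    $instids->{ $e->{employeeNumber} } = $uname
        if $instids && defined $e->{employeeNumber};
    return 'ok';
}

my (%users, %ids);
print get_userinfo('msu', 'sparty', undef, \%users, \%ids), "\n";
print "$users{sparty}{firstname} $users{sparty}{lastname}\n";
print get_userinfo('msu', 'sparty)(uid=*', undef, \%users, \%ids), "\n";
```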