[LON-CAPA-admin] Shib logout problem when redirected

Stuart Raeburn raeburn at msu.edu
Thu Jan 8 20:30:25 EST 2015


> I am not sure if this is the right place where the redirect is   
> happening, but was wondering if there is any way to fix this problem.

Yes, that's where it's happening.
You could address this in one of the following ways:

(a) Include rewrites from http to https on your LON-CAPA library server.
LON-CAPA provides an Apache configuration file for that.  On your  
particular distro you would need to do:

sudo cp /etc/apache2/rewrites/loncapa_rewrite_on.conf  

You would also need to do:

sudo a2enmod rewrite

The include for the LON-CAPA rewrite:

Include conf/loncapa_rewrite.conf

is present in /etc/apache2/loncapa_apache.conf

However, with Ubuntu 14 the include line needs to be in the <VirtualHost *:80>
</VirtualHost> block (the default /etc/apache2/sites-available/loncapa
installed by the install.pl script does that for Ubuntu 14).

If rewrites are not working with your distro/version after using  
"a2enmod rewrite" and restarting Apache you may need to add:

Include conf/loncapa_rewrite.conf

to: /etc/apache2/sites-available/loncapa
before the closing </VirtualHost>

If you do enable rewrites from http to https using the LON-CAPA Apache  
config file I would also recommend modification of the Apache config  
file containing information for your virtual host for port 443 to  

  <IfModule mod_rewrite.c>
      RewriteEngine on
      RewriteCond %{HTTPS} =on
      RewriteRule ^/adm/wrapper/ext/(?!https:\/\/)
      RewriteRule ^/public/.*/syllabus$

Typically, on your distro this will be: in the <VirtualHost  
_default_:443> </VirtualHost> block in  

-- or --

(b) Change the link you have defined in the content of your custom  
file pointed to by $r->dir_config('lonSSOUserLogoutMessageFile') for  
/Shibboleth.sso/Logout from a relative link to an absolute link, i.e.,  
point it at: https://library1.lon-capa.uiuc.edu/Shibboleth.sso/Logout
on the library server.

The message being integrated into /adm/logout from  
$r->dir_config('lonSSOUserLogoutMessageFile') on your library server  
is currently:

> As your original log-in to LON-CAPA was authenticated by Illinois's  
> central Shibboleth log-in service, your Shibboleth credentials are  
> still valid.
> Until you close your web browser, Illinois web applications which  
> support Shibboleth Single Sign-on (including LON-CAPA) will not  
> require you to re-enter your Illinois ID/password.
> To expire your active Shibboleth authentication token log-out of  
> your Shibboleth session.

(where log-out points at /Shibboleth.sso/Logout).

There also appears to be a meta-redirect included in the HTML fragment
somehow (but with a timeout set to 0, so the page reloads before I can
view the HTML source).  If that also includes /Shibboleth.sso/Logout
then you could make that an appropriate absolute link on each server
to https://<hostname>/Shibboleth.sso/Logout

-- or --

(c) Do:

sudo wget -O /home/httpd/lib/perl/Apache/switchserver.pm  

sudo service apache2 reload

to replace the version of switchserver.pm shipped with LON-CAPA 2.11.0  
(1.32) with rev. 1.33 which replaces the hard-coded http items on  
lines 101 and 196 (originally implemented in LON-CAPA rev. 2.6.0) with  
dynamically set protocols (either http or https) based on what is  
defined in /home/httpd/lonTabs/hosts.tab for the lonHostID of the  
server which is hosting the user session.

Stuart Raeburn
LON-CAPA Academic Consortium

> Hi All,
> I came across a problem when I log in to one of my access nodes,   
> then go to my authoring space on the library server, it seems that   
> the switch server function sends me to:
> http://library1.lon-capa.uiuc.edu/....
> rather than:
> https://library1.lon-capa.uiuc.edu/...
> When I click logout from there, I end up with a non-existing page   
> http://library1.lon-capa.uiuc.edu/Shibboleth.sso/Logout
> Rather than the working page,   
> https://library1.lon-capa.uiuc.edu/Shibboleth.sso/Logout
> I looked at the code in: /home/httpd/lib/perl/Apache/switchserver.pm
> And noticed two places (line 101 and 196) where it specifies the url  
>  to start with http rather than https
> I am not sure if this is the right place where the redirect is   
> happening, but was wondering if there is any way to fix this problem.
> Thanks,
> Maged

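Added example (not part of the original message and not LON-CAPA code): a check for option (b) that scans the HTML fragment in the file named by lonSSOUserLogoutMessageFile for links or meta-refresh targets to /Shibboleth.sso/Logout that are relative or not https. The names audit and LogoutLinkAudit and the sample fragment are constructed for illustration.

```python
# Added example, not LON-CAPA code: audit a logout message fragment for
# Shibboleth logout references that are relative or not https.
from html.parser import HTMLParser
from urllib.parse import urlsplit

LOGOUT_PATH = "/Shibboleth.sso/Logout"  # handler path quoted in the message


class LogoutLinkAudit(HTMLParser):
    """Collect (tag, url, problem) for each reference to the logout handler."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._check(tag, a["href"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0; url=/Shibboleth.sso/Logout"
            _, _, target = (a.get("content") or "").partition(";")
            key, _, url = target.strip().partition("=")
            if key.strip().lower() == "url":
                self._check(tag, url.strip().strip("'\""))

    def _check(self, tag, url):
        parts = urlsplit(url)
        if not parts.path.endswith(LOGOUT_PATH):
            return
        if not parts.netloc:
            # Relative link: inherits the scheme of the page it is served on
            self.findings.append((tag, url, "relative"))
        elif parts.scheme.lower() != "https":
            self.findings.append((tag, url, "not https"))


def audit(fragment):
    parser = LogoutLinkAudit()
    parser.feed(fragment)
    parser.close()
    return parser.findings


# Constructed sample fragment (the real file's content is site-specific).
SAMPLE = """<p>To expire your token
<a href="/Shibboleth.sso/Logout">log-out</a> or
<a href="https://library1.lon-capa.uiuc.edu/Shibboleth.sso/Logout">here</a>.</p>
<meta http-equiv="refresh" content="0; URL=http://library1.lon-capa.uiuc.edu/Shibboleth.sso/Logout">"""
```

An empty list from audit() means every reference to the logout handler in the fragment is already an absolute https link.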