[LON-CAPA-admin] Shib logout problem when redirected
Stuart Raeburn
raeburn at msu.edu
Thu Jan 8 20:30:25 EST 2015
Maged,
> I am not sure if this is the right place where the redirect is
> happening, but was wondering if there is any way to fix this problem.
Yes, that's where it's happening.
You could address this in one of the following ways:
(a) Include rewrites from http to https on your LON-CAPA library server.
LON-CAPA provides an Apache configuration file for that. On your
particular distro you would need to do:
sudo cp /etc/apache2/rewrites/loncapa_rewrite_on.conf /etc/apache2/loncapa_rewrite.conf
You would also need to do:
sudo a2enmod rewrite
The include for the LON-CAPA rewrite:
Include conf/loncapa_rewrite.conf
is present in /etc/apache2/loncapa_apache.conf
However, with Ubuntu 14 the include line needs to be in the <VirtualHost *:80>
</VirtualHost> block (the default /etc/apache2/sites-available/loncapa
installed by the install.pl script does that for Ubuntu 14).
If rewrites are not working with your distro/version after using
"a2enmod rewrite" and restarting Apache you may need to add:
Include conf/loncapa_rewrite.conf
to: /etc/apache2/sites-available/loncapa
before the closing </VirtualHost>
If you do enable rewrites from http to https using the LON-CAPA Apache
config file I would also recommend modification of the Apache config
file containing information for your virtual host for port 443 to
include:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} =on
RewriteRule ^/adm/wrapper/ext/(?!https:\/\/) http://%{HTTP_HOST}%{REQUEST_URI} [R,L,NE]
RewriteRule ^/public/.*/syllabus$ http://%{HTTP_HOST}%{REQUEST_URI} [R,L,NE]
</IfModule>
Typically, on your distro this will be: in the <VirtualHost
_default_:443> </VirtualHost> block in
/etc/apache2/sites-available/default-ssl.conf
-- or --
(b) Change the link you have defined in the content of your custom
file pointed to by $r->dir_config('lonSSOUserLogoutMessageFile') for
/Shibboleth.sso/Logout from a relative link to an absolute link, i.e.,
point it at: https://library1.lon-capa.uiuc.edu/Shibboleth.sso/Logout
on the library server.
The message being integrated into /adm/logout from
$r->dir_config('lonSSOUserLogoutMessageFile') on your library server
is currently:
> As your original log-in to LON-CAPA was authenticated by Illinois's
> central Shibboleth log-in service, your Shibboleth credentials are
> still valid.
> Until you close your web browser, Illinois web applications which
> support Shibboleth Single Sign-on (including LON-CAPA) will not
> require you to re-enter your Illinois ID/password.
>
> To expire your active Shibboleth authentication token log-out of
> your Shibboleth session.
>
(where log-out points at /Shibboleth.sso/Logout).
There also appears to be a meta-redirect included in the HTML fragment
somehow (but with a timeout set to 0, so the page reloads before I can
view the HTML source). If that also includes /Shibboleth.sso/Logout
then you could make that an appropriate absolute link on each server
to https://<hostname>/Shibboleth.sso/Logout
-- or --
(c) Do:
sudo wget -O /home/httpd/lib/perl/Apache/switchserver.pm 'http://source.loncapa.org/cgi-bin/cvsweb.cgi/~checkout~/loncom/auth/switchserver.pm?rev=1.33;content-type=text/plain'
sudo service apache2 reload
to replace the version of switchserver.pm shipped with LON-CAPA 2.11.0
(1.32) with rev. 1.33 which replaces the hard-coded http items on
lines 101 and 196 (originally implemented in LON-CAPA rev. 2.6.0) with
dynamically set protocols (either http or https) based on what is
defined in /home/httpd/lonTabs/hosts.tab for the lonHostID of the
server which is hosting the user session.
Stuart Raeburn
LON-CAPA Academic Consortium
> Hi All,
>
> I came across a problem when I log in to one of my access nodes,
> then go to my authoring space on the library server, it seems that
> the switch server function sends me to:
>
> http://library1.lon-capa.uiuc.edu/....
>
> rather than:
>
> https://library1.lon-capa.uiuc.edu/...
>
> When I click logout from there, I end up with a non-existing page
> http://library1.lon-capa.uiuc.edu/Shibboleth.sso/Logout
> Rather than the working page,
> https://library1.lon-capa.uiuc.edu/Shibboleth.sso/Logout
>
> I looked at the code in: /home/httpd/lib/perl/Apache/switchserver.pm
>
> And noticed two places (line 101 and 196) where it specifies the url
> to start with http rather than https
>
> I am not sure if this is the right place where the redirect is
> happening, but was wondering if there is any way to fix this problem.
>
> Thanks,
>
> Maged
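Added example, not part of the original message or of LON-CAPA's own code: a sketch of option (b) that finds relative /Shibboleth.sso/Logout references in a logout-message HTML fragment (both the anchor and a meta refresh) and pins them to https on a given host. The function names and the sample fragment are constructed for illustration; only the logout path and hostname come from the message.

```python
import re

# Relative logout URL inside href="..." (an absolute link never starts with "/Shib...").
_HREF = re.compile(
    r'''(href\s*=\s*)(["'])(/Shibboleth\.sso/Logout[^"']*)\2''', re.I)
# Relative logout URL inside <meta ... content="N; url=...">.
_META = re.compile(
    r'''(<meta\b[^>]*\bcontent\s*=\s*)(["'])(\s*\d+\s*;\s*url\s*=\s*)'''
    r'''(/Shibboleth\.sso/Logout[^"']*)\2''', re.I)
# Hostname check so nothing but a bare host is spliced into the markup.
_HOST = re.compile(r'[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?')


def find_relative_logout_links(fragment):
    """Return relative logout URLs that would inherit the page's scheme (http or https)."""
    return ([m.group(3) for m in _HREF.finditer(fragment)] +
            [m.group(4) for m in _META.finditer(fragment)])


def absolutize_logout_links(fragment, hostname):
    """Rewrite relative logout URLs to https://<hostname>/Shibboleth.sso/Logout."""
    if not _HOST.fullmatch(hostname):
        raise ValueError("not a bare hostname: %r" % hostname)
    base = "https://" + hostname
    fragment = _HREF.sub(
        lambda m: m.group(1) + m.group(2) + base + m.group(3) + m.group(2),
        fragment)
    return _META.sub(
        lambda m: m.group(1) + m.group(2) + m.group(3) + base + m.group(4) + m.group(2),
        fragment)


# Constructed sample fragment (not the real file from the library server).
SAMPLE = '''<meta http-equiv="refresh" content="0; url=/Shibboleth.sso/Logout" />
<p>To expire your active Shibboleth authentication token
<a href="/Shibboleth.sso/Logout">log-out</a> of your Shibboleth session.</p>
<p><a href="https://library1.lon-capa.uiuc.edu/Shibboleth.sso/Logout">absolute</a></p>'''

if __name__ == "__main__":
    print("relative before:", find_relative_logout_links(SAMPLE))
    fixed = absolutize_logout_links(SAMPLE, "library1.lon-capa.uiuc.edu")
    print("relative after: ", find_relative_logout_links(fixed))
    print(fixed)
```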