[LON-CAPA-admin] External Links to Courses

Stuart Raeburn raeburn at msu.edu
Fri Dec 16 11:08:52 EST 2016


Lee,

>>
>> I tend to be sent to the non-sso login page when it fails, even if I am
>> already logged in.
>>

After some more investigation, I am able to reproduce this behavior on  
a load balancer using SSO, in the case where the target role included  
in the query string is not assigned to the user. A 403 response was  
being returned in this case, for which the custom error document is  
/adm/login.

Other failure modes (e.g., wrong password etc.) do not result in that  
behavior, but instead allow the user to re-enter the correct  
credentials, before transferring the user's session to the  
session-hosting server, and initializing the requested role (if  
legitimate).

Anyway, I have made a change to switchserver.pm to change the behavior  
in the case of an invalid target role, so that the user session will  
now be transferred to the server hosting the session, and the roles  
page is displayed.

If you want to modify a LON-CAPA server running 2.11.1 you can do so
with the following command, all on one line:

wget -O /home/httpd/lib/perl/Apache/switchserver.pm 'http://source.loncapa.org/cgi-bin/cvsweb.cgi/~checkout~/loncom/auth/switchserver.pm?rev=1.35;content-type=text/plain'

followed by reloading Apache.

The need to use a URL such as:
https://hostname/adm/roles?role=cc./domain/course_identifier

is not ideal, in any case, if you want to simply link to a course from  
outside LON-CAPA, because what you'd prefer to do is provide just the  
course, e.g., domain/course_identifier, and then have LON-CAPA assign  
the role (i.e., cc, st etc. as appropriate).  Better yet would be the  
possibility of using a tiny URL, instead of the cumbersome domain and  
course identifier.

There is an existing enhancement request for that, see:
http://bugs.loncapa.org/show_bug.cgi?id=6400#c3


Stuart Raeburn
LON-CAPA Academic Consortium


Quoting Stuart Raeburn <raeburn at msu.edu>:

> Hello Lee,
>
> If a query string specifying the target role is appended to a request
> for the URL: /adm/roles then, as long as the user actually has been
> assigned the specified role (and it has neither an expired nor future
> role), then that role will be initialized after login (and after
> session transfer to the session-hosting server -- if load balanced) in
> all of the following cases:
>
> (a) User logs in using Single Sign On (SSO) via a load balancer server
> (b) User logs in using the regular (non-SSO) LON-CAPA log-in via a load
> balancer
> (c) User logs in using SSO to a server which also hosts the user session.
> (d) User logs in using the regular (non-SSO) LON-CAPA log-in to a
> server which also hosts the user session.
>
> Cases (a) and (c) work in the msu domain for MSU's CAS-type SSO
> (Sentinel). I have also had success in the msu domain for case (c) with
> Shibboleth within a test environment.  I expect Shibboleth would also
> work with case (a) but I don't currently have a test environment at MSU
> configured for a Shibboleth-enabled load balancer.
>
> If the user is already logged in to a LON-CAPA server "hostname", then
> the roles screen will be displayed for a URL of
> https://hostname/adm/roles?role=cc./domain/course_identifier, and the
> role will not be automatically changed/initialized.
>
>>
>> I tend to be sent to the non-sso login page when it fails, even if I am
>> already logged in.
>>
>
> I have not seen that behavior in the cases I've tested in the msu
> domain in either production, or in the testdrive cluster.
>
> It would be straightforward to change the behavior of /adm/roles for
> logged-in users from displaying the standard LON-CAPA roles screen to
> initializing the role when passed a query string containing
> role=cc./domain/course_identifier.
>
> Currently to force role initialization for a logged-in user you would
> use a URL with a different query string, i.e.,
>
> /adm/roles?selectrole=1&cc.%2fdomain%2fcourse_identifier=1
>
> Note: if you include symb=unique_resource_identifier as an additional
> item in the query string, you can jump directly to a specific item in a
> course.
>
>
> Stuart Raeburn
> LON-CAPA Academic Consortium
>
>
> Quoting "Bynum, Lee Hamilton" <leebynum at illinois.edu>:
>
>> Hello Everyone,
>>
>> I am working on building links to our courses from the outside. I've
>> been having some success with links of the following format:
>>
>> https://server/adm/roles?role=cc./domain/course_identifier
>>
>> Unfortunately, this doesn't seem to work once I am logged into the
>> server. It also fails if I attempt to use the st role. I suspect that
>> something is getting mixed up or lost in either the balancer or the sso
>> interaction. I tend to be sent to the non-sso login page when it fails,
>> even if I am already logged in.
>>
>> Has anyone had any success in similar things?
>>
>> Thanks,
>>
>> Lee
>> _______________________________________________
>> LON-CAPA-admin mailing list
>> LON-CAPA-admin at mail.lon-capa.org
>> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin
>
> _______________________________________________
> LON-CAPA-admin mailing list
> LON-CAPA-admin at mail.lon-capa.org
> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin
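
The two link forms described in this thread, built with validated and percent-encoded components. This is an added example, not part of the original messages or of LON-CAPA's code. The host name, the sample identifiers and the validation patterns are assumptions chosen for illustration.

```python
import re
from urllib.parse import quote

# Assumed patterns (not taken from LON-CAPA): conservative allow-lists so a
# component cannot smuggle '/', '&', '=' or '?' into the generated link.
_HOST = re.compile(r"^[A-Za-z0-9.-]+$")
_ROLE = re.compile(r"^[a-z]{2}$")            # e.g. cc, st as used in the thread
_NAME = re.compile(r"^[A-Za-z0-9_-]+$")      # domain and course identifier


def role_string(role, domain, course):
    """Return 'role./domain/course_identifier' after validating each part."""
    if not _ROLE.match(role):
        raise ValueError("unexpected role code: %r" % role)
    for part in (domain, course):
        if not _NAME.match(part):
            raise ValueError("unexpected character in %r" % part)
    return "%s./%s/%s" % (role, domain, course)


def _base(host):
    if not _HOST.match(host):
        raise ValueError("unexpected host name: %r" % host)
    return "https://%s/adm/roles" % host


def login_link(host, role, domain, course):
    """Form used before login: /adm/roles?role=cc./domain/course_identifier"""
    return "%s?role=%s" % (_base(host), role_string(role, domain, course))


def switch_link(host, role, domain, course, symb=None):
    """Form that forces role initialization for a logged-in user:
    /adm/roles?selectrole=1&cc.%2fdomain%2fcourse_identifier=1
    The role string is the parameter *name*, so its slashes are encoded.
    quote() emits upper-case hex (%2F); hex case is not significant."""
    key = quote(role_string(role, domain, course), safe="")
    query = "selectrole=1&%s=1" % key
    if symb is not None:
        # symb is passed through as an opaque value, fully percent-encoded.
        query += "&symb=" + quote(symb, safe="")
    return "%s?%s" % (_base(host), query)


if __name__ == "__main__":
    # Constructed sample values.
    print(login_link("lc.example.edu", "cc", "msu", "course_identifier"))
    print(switch_link("lc.example.edu", "st", "msu", "course_identifier"))
```
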


