[LON-CAPA-cvs] cvs: loncom / lontrans.pm /auth lonshibacc.pm lonshibauth.pm /interface domainprefs.pm /lonnet/perl lonnet.pm

raeburn raeburn at source.lon-capa.org
Sun Dec 5 22:31:55 EST 2021


raeburn		Mon Dec  6 03:31:55 2021 EDT

  Modified files:              
    /loncom/auth	lonshibauth.pm lonshibacc.pm 
    /loncom	lontrans.pm 
    /loncom/interface	domainprefs.pm 
    /loncom/lonnet/perl	lonnet.pm 
  Log:
  - Dual SSO and non-SSO login from /adm/login for use with additional SSO
    mechanisms besides Shibboleth.
    - Default is to use /adm/sso for "authentication" URL.
    - Different authentication URL can be set with lonOtherAuthenUrl perlvar.
    - Update documentation for lonshibauth.pm and lonshibacc.pm
    - Wording change for WAF/Proxy domain configuration 
    - If Apache config contains lonSSOEmailOK set to 1, default removal
      of @ "internet domain" from username for SSO authenticated users in
      lonshibacc.pm is skipped.
    - &alias_shibboleth() routine in lonnet.pm renamed alias_sso().
  
  
Index: loncom/auth/lonshibauth.pm
diff -u loncom/auth/lonshibauth.pm:1.12 loncom/auth/lonshibauth.pm:1.13
--- loncom/auth/lonshibauth.pm:1.12	Wed Nov  3 01:04:02 2021
+++ loncom/auth/lonshibauth.pm	Mon Dec  6 03:31:54 2021
@@ -1,7 +1,8 @@
 # The LearningOnline Network
-# Redirect Shibboleth authentication to designated URL (/adm/sso).
+# Redirect Single Sign On authentication to designated URL: 
+# /adm/sso, by default.
 #
-# $Id: lonshibauth.pm,v 1.12 2021/11/03 01:04:02 raeburn Exp $
+# $Id: lonshibauth.pm,v 1.13 2021/12/06 03:31:54 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -28,14 +29,15 @@
 
 =head1 NAME
 
-Apache::lonshibauth - Redirect Shibboleth authentication
+Apache::lonshibauth - Redirect Single Sign On authentication
 
 =head1 SYNOPSIS
 
-Invoked when lonOtherAuthen is set to yes, and type is Shibboleth 
+Invoked when an Apache config file includes:
+PerlAuthenHandler Apache::lonshibauth
 
 If server is configured as a Shibboleth SP, the main Apache 
-configuration file, e.g.,  /etc/httpd/conf/httpd.conf
+configuration file, e.g., /etc/httpd/conf/httpd.conf
 (for RHEL/CentOS/Scentific Linux/Fedora) should contain:
 
 LoadModule mod_shib /usr/lib/shibboleth/mod_shib_22.so
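Review bot: "Scentific Linux" in the unchanged context line is a typo for "Scientific Linux" and is worth fixing while this SYNOPSIS paragraph is being rewritten. The added `PerlAuthenHandler Apache::lonshibauth` line follows a colon inside a flowed POD paragraph, so pod2text/pod2html will join it onto the preceding sentence; put a blank line before it (or indent it to make it verbatim) so the directive stands on its own line, as the `LoadModule` example below it does.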
@@ -43,10 +45,99 @@
 or equivalent (depending on Apache version) 
 before the line to include conf/loncapa_apache.conf
 
+If some other Apache module is in use for Single Sign On
+authentication e.g., mod_auth_cas or mod_sentinel,
+then a separate config file should be created which
+includes settings for the authentication module.
+ 
 =head1 INTRODUCTION
 
-Redirects a user requiring Single Sign On via Shibboleth to a  
-URL -- /adm/sso -- on the server which is configured to use that service.
+Redirects a user requiring Single Sign On to a URL on the server  
+which is configured to use that service. The default URL is:
+/adm/sso. 
+
+If this is to be used with a Single Sign On service other Shibboleth
+then an Apache config file needs to be loaded which: 
+
+(a) loads the corresponding Apache module, and 
+(b) sets appropriate values for perl vars in 
+an <IfModule mod_***></IfModule> block, and
+(c) sets an appropriate value for AuthType in a
+<Location /adm/sso><IfModule mod_***>
+</IfModule></Location> block, which also contains
+
+require valid-user
+
+PerlAuthzHandler       Apache::lonshibacc
+
+PerlAuthzHandler       Apache::lonacc 
+
+In the case of Shibboleth no additional file is needed
+because loncapa_apache.conf already contains:
+
+<IfModule mod_shib>
+    PerlAuthenHandler Apache::lonshibauth
+    PerlSetVar lonOtherAuthen yes
+    PerlSetVar lonOtherAuthenType Shibboleth
+
+</IfModule>
+
+and
+
+<Location /adm/sso>
+  Header set Cache-Control "private,no-store,no-cache,max-age=0"
+  <IfModule mod_shib>
+    AuthType shibboleth
+    ShibUseEnvironment On
+    ShibRequestSetting requireSession 1
+    ShibRequestSetting redirectToSSL 443
+    require valid-user
+    PerlAuthzHandler       Apache::lonshibacc
+    PerlAuthzHandler       Apache::lonacc
+    ErrorDocument     403 /adm/login
+    ErrorDocument     500 /adm/errorhandler
+  </IfModule>
+  <IfModule !mod_shib>
+    PerlTypeHandler        Apache::lonnoshib
+  </IfModule>
+
+</Location>
+
+If the service is not Shibboleth, then (optionally) a URL that is 
+not /adm/sso can be used as the URL for the service, e.g., /adm/cas
+or /adm/sentinel, by setting a lonOtherAuthenUrl perl var
+in an Apache config file containing (for example):
+
+PerlSetVar lonOtherAuthenUrl /adm/sentinel
+
+<IfModule mod_sentinel>
+    PerlAuthenHandler Apache::lonshibauth
+    PerlSetVar lonOtherAuthen yes
+    PerlSetVar lonOtherAuthenType Sentinel
+
+</IfModule>
+
+<Location /adm/sentinel>
+  Header set Cache-Control "private,no-store,no-cache,max-age=0"
+  <IfModule mod_sentinel>
+    AuthType Sentinel
+    require valid-user
+    PerlAuthzHandler  Apache::lonshibacc
+    PerlAuthzHandler  Apache::lonacc
+    ErrorDocument     403 /adm/login
+    ErrorDocument     500 /adm/errorhandler
+  </IfModule>
+  <IfModule !mod_sentinel>
+    PerlTypeHandler        Apache::lonnoshib
+  </IfModule>
+
+</Location>
+
+In the example above for Sentinel SSO, it would also be possible to 
+use /adm/sso instead of /adm/sentinel, in which case (i) there would be 
+no need to define lonOtherAuthenUrl, (ii) there would be <Location /adm/sso> 
+and (iii) the <IfModule !></IfModule> block would not be needed as 
+it is already present in /etc/httpd/conf/loncapa_apache.conf.
 
 =head1 HANDLER SUBROUTINE
 
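Review bot: "a Single Sign On service other Shibboleth" at the start of the INTRODUCTION additions is missing "than". The `<IfModule>` and `<Location>` configuration examples are written flush-left, so POD treats each as an ordinary paragraph and reflows the directives when rendered; indenting them by one space makes them verbatim blocks and preserves the layout. There is also a whitespace-only added line after the mod_auth_cas/mod_sentinel paragraph, and several added lines carry trailing spaces.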
@@ -54,10 +145,62 @@
 
 =over 4
 
-If $r->user defined and requested uri not /adm/sso
-redirect to /adm/sso
+If $r->user is defined and requested URL is not /adm/sso or
+other specific URL as set by a lonOtherAuthenUrl perlvar,
+then redirect to /adm/sso (or to the specific URL).
+
+Otherwise return DECLINED.
+
+In the case of redirection a query string is appended,
+which will contain either (a) the originally requested URL,
+if not /adm/sso (or lonOtherAuthenUrl URL), and 
+any existing query string in the original request, or
+(b) if original request was for /tiny/domain/uniqueID,
+or if redirect is to /adm/login to support dual SSO and
+non-SSO, a query string which contains sso=tokenID, where the
+token contains information for deep-linking to course/resource. 
+
+Support is included for use of LON-CAPA's standard log-in
+page -- /adm/login -- to support dual SSO and non-SSO 
+authentication from that "landing" page.
+
+To enable dual SSO and non-SSO access from /adm/login
+a Domain Coordinator will use the web GUI:
+Main Menu > Set domain configuration > Display
+("Log-in page options" checked) 
+and for any of the LON-CAPA domain's servers which
+will offer dual login will check "Yes" and then set:
+(a) SSO Text, Image, Alt Text, URL, Tool Tip
+(b) non-SSO: Text
+
+The value in the URL field should be /adm/sso,
+or the same URL as set for the lonOtherAuthenUrl
+perl var, e.g., /adm/sentinel.
 
-Otherwise return DECLINED
+=back
+
+=head1 NOTABLE SUBROUTINES
+
+=over 4
+
+=item set_token()
+
+Inputs: 2
+$r - request object
+$lonhost - hostID of current server
+
+Output: 1
+$querystring - query string to append to URL
+when redirecting.
+
+If any of the following items are present in the original query string:
+role, symb, and linkkey, then they will be stored in the token file
+on the server, for access later to support deep-linking.  If the ltoken
+item is available, from successful launch from an LTI Consumer where
+LON-CAPA is the LTI Provider, but not configured to accept user 
+information, and the destination is a deep-link URL /tiny/domain/uniqueiD,
+then the LTI number, type (c or d), and tiny URL will be saved as the
+linkprot item in a token file.
 
 =back
 
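Review bot: "uniqueiD" in the set_token() description should be "uniqueID" to match `/tiny/domain/uniqueID` used earlier in the same section. The first `=over 4` ... `=back` block under HANDLER SUBROUTINE contains no `=item`, which podchecker flags; adding `=item handler()` would mirror the `=item set_token()` block that follows.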
@@ -75,11 +218,15 @@
 
 sub handler {
     my $r = shift;
-    my $target = '/adm/sso';
+    my $ssourl = '/adm/sso';
+    if ($r->dir_config('lonOtherAuthenUrl') ne '') {
+        $ssourl = $r->dir_config('lonOtherAuthenUrl');
+    }
+    my $target = $ssourl;
     if (&Apache::lonnet::get_saml_landing()) {
         $target = '/adm/login';
     }
-    if (($r->user eq '') && ($r->uri ne $target) && ($r->uri ne '/adm/sso')) {
+    if (($r->user eq '') && ($r->uri ne $target) && ($r->uri ne $ssourl)) {
         my $lonhost = $Apache::lonnet::perlvar{'lonHostID'};
         my $hostname = &Apache::lonnet::hostname($lonhost);
         if (!$hostname) { $hostname = $r->hostname(); }
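Review bot: `$r->dir_config('lonOtherAuthenUrl') ne ''` compares an undefined value whenever the perlvar is not set, which emits an "Use of uninitialized value" warning on every request under `use warnings`; test with `defined` or `($r->dir_config('lonOtherAuthenUrl') // '') ne ''`. Since `$ssourl` becomes `$target`, the redirect destination, it is also worth accepting only values that begin with `/` (e.g. `if ($ssourl =~ m{^/})`) so a mistyped perlvar cannot turn the handler into a redirect off the server.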
Index: loncom/auth/lonshibacc.pm
diff -u loncom/auth/lonshibacc.pm:1.2 loncom/auth/lonshibacc.pm:1.3
--- loncom/auth/lonshibacc.pm:1.2	Fri Jan 23 15:57:27 2015
+++ loncom/auth/lonshibacc.pm	Mon Dec  6 03:31:54 2021
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Authorization handler for Shibboleth authenticated users
 #
-# $Id: lonshibacc.pm,v 1.2 2015/01/23 15:57:27 raeburn Exp $
+# $Id: lonshibacc.pm,v 1.3 2021/12/06 03:31:54 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -28,7 +28,8 @@
 
 =head1 NAME
 
-Apache::lonshibacc - Authorization handler if Shibboleth-authenticated
+Apache::lonshibacc - Initial Authorization handler for
+SSO-authenticated users.
 
 =head1 SYNOPSIS
 
@@ -42,8 +43,18 @@
 Authorization handler used to remove trailing @internet dom
 from Shibboleth authenticated username (e.g., @mit.edu).
 
-After making change to $r->user, will return DECLINE so
-lonacc.pm can be invoked as the next authorization handler.
+Authorization handler used to:
+
+(a) remove trailing @internet dom from Shibboleth 
+authenticated username (e.g., @mit.edu),
+unless lonSSOEmailOK perl var is set to 1, and/or
+
+(b) set URI for authenticated user to /adm/sso, if
+lonOtherAuthenUrl is set.
+
+After making changes to $r->user and/or $r->uri, DECLINED is
+returned so lonacc.pm can be invoked as the next authorization
+handler via:
 
 PerlAuthzHandler       Apache::lonacc
 
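Review bot: the unchanged paragraph "Authorization handler used to remove trailing @internet dom from Shibboleth authenticated username (e.g., @mit.edu)." now sits directly above the new "Authorization handler used to:" list, which restates it as item (a); drop the old paragraph so the DESCRIPTION does not say the same thing twice.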
@@ -74,9 +85,15 @@
             my $uint_dom = &Apache::lonnet::internet_dom($uprimary_id);
             if ($user =~ /^(\w[a-zA-Z0-9_\-.]+)\@\Q$uint_dom\E$/i) {
                 my $username = $1;
-                $user = $r->user($username);
+                unless ($r->dir_config('lonSSOEmailOK') == 1) {
+                    $user = $r->user($username);
+                }
             }
         }
+        if (($r->dir_config('lonOtherAuthenUrl') ne '') &&
+            ($r->uri eq $r->dir_config('lonOtherAuthenUrl'))) {
+            $r->uri('/adm/sso');
+        }
     }
     return DECLINED;
 }
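Review bot: `$r->dir_config('lonSSOEmailOK') == 1` applies numeric comparison to a config value that is undefined when unset (uninitialized warning on every SSO request) and that an administrator may plausibly set to `yes` or `true` (non-numeric warning, silently treated as 0). A string test such as `unless (($r->dir_config('lonSSOEmailOK') // '') eq '1')` matches the documented "set to 1" semantics without warnings. When lonSSOEmailOK is honoured, `$r->user` keeps the `@internet dom` suffix, so lonacc.pm as the next PerlAuthzHandler must accept usernames containing `@`; a sentence saying so in the POD above would help whoever enables this.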
Index: loncom/lontrans.pm
diff -u loncom/lontrans.pm:1.37 loncom/lontrans.pm:1.38
--- loncom/lontrans.pm:1.37	Wed Nov  3 01:04:03 2021
+++ loncom/lontrans.pm	Mon Dec  6 03:31:54 2021
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # URL translation for User Files
 #
-# $Id: lontrans.pm,v 1.37 2021/11/03 01:04:03 raeburn Exp $
+# $Id: lontrans.pm,v 1.38 2021/12/06 03:31:54 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -57,6 +57,10 @@
     if ($alias) {
         my $lonhost = $r->dir_config('lonHostID');
         my $hostname = &Apache::lonnet::hostname($lonhost);
+        my $ssourl = '/adm/sso';
+        if ($r->dir_config('lonOtherAuthenUrl') ne '') {
+            $ssourl = $r->dir_config('lonOtherAuthenUrl');
+        }
         if (($hdrhost eq $alias) || ($hdrhost eq $hostname)) {
             my $proxyinfo = &Apache::lonnet::get_proxy_settings($r->dir_config('lonDefDomain'));
             my ($vpnint,$vpnext);
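Review bot: the three-line lookup of lonOtherAuthenUrl with the `/adm/sso` fallback is now duplicated verbatim in lonshibauth.pm's handler; a small accessor taking `$r` (placed in lonnet.pm next to alias_sso(), say) would keep the two in sync if the default or the perlvar name ever changes. The same `ne ''` on a possibly undefined value applies here as in lonshibauth.pm.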
@@ -71,8 +75,8 @@
                     ($r->uri !~ m{^/adm/(lti|launch)/})) {
                     $redirect = $hostname;
                 }
-                if ($r->uri eq '/adm/sso') {
-                    if (&Apache::lonnet::alias_shibboleth($lonhost)) {
+                if ($r->uri eq $ssourl) {
+                    if (&Apache::lonnet::alias_sso($lonhost)) {
                         undef($redirect);
                     } else {
                         $redirect = $hostname;
@@ -93,8 +97,8 @@
                         if (exists($iphost{$remote_ip})) {
                             undef($redirect);
                         }
-                    } elsif ($r->uri eq '/adm/sso') {
-                        unless (&Apache::lonnet::alias_shibboleth($lonhost)) {
+                    } elsif ($r->uri eq $ssourl) {
+                        unless (&Apache::lonnet::alias_sso($lonhost)) {
                             undef($redirect);
                         }
                     }
@@ -105,7 +109,7 @@
                 if (($uri eq '/adm/switchserver') || ($uri =~ m{^/Shibboleth.sso/})) {
                     return DECLINED;
                 }
-                unless (($uri eq '/adm/migrateuser') || ($uri eq '/adm/sso')) {
+                unless (($uri eq '/adm/migrateuser') || ($uri eq $ssourl)) {
                     my %user;
                     my $handle = &Apache::lonnet::check_for_valid_session($r,undef,\%user);
                     if (($handle) && ($user{'name'} ne '') && ($user{'domain'} ne '')) {
Index: loncom/interface/domainprefs.pm
diff -u loncom/interface/domainprefs.pm:1.395 loncom/interface/domainprefs.pm:1.396
--- loncom/interface/domainprefs.pm:1.395	Tue Nov 30 14:12:02 2021
+++ loncom/interface/domainprefs.pm	Mon Dec  6 03:31:54 2021
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Handler to set domain-wide configuration settings
 #
-# $Id: domainprefs.pm,v 1.395 2021/11/30 14:12:02 raeburn Exp $
+# $Id: domainprefs.pm,v 1.396 2021/12/06 03:31:54 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -7934,7 +7934,7 @@
                 if ($current) {
                     $aliasrows .= $current;
                     if ($forsaml) {
-                         $aliasrows .= ' ('.&mt('also for Shibboleth').')';
+                         $aliasrows .= ' ('.&mt('also for SSO Auth').')';
                     }
                 } else {
                     $aliasrows .= &mt('None');
@@ -7962,7 +7962,7 @@
                               '<input type="text" name="wafproxy_alias_'.$server.'" '.
                               'value="'.$current.'" size="30" />'.
                               (' 'x2).'<span class="LC_nobreak">'.
-                              &mt('Alias used for Shibboleth').': <label>'.
+                              &mt('Alias used for SSO Auth').': <label>'.
                               '<input type="radio" value="0"'.$samloff.' name="wafproxy_alias_saml_'.$server.'" />'.
                               &mt('No').'</label> <label>'. 
                               '<input type="radio" value="1"'.$samlon.' name="wafproxy_alias_saml_'.$server.'" />'.
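Review bot: the visible label is changed to "Alias used for SSO Auth" but the form field `wafproxy_alias_saml_` and the `$samloff`/`$samlon`/`$forsaml` variables keep the SAML-specific naming; that is acceptable as an internal name, but a comment noting that "saml" here now means any SSO mechanism would save the next reader a grep.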
@@ -21186,10 +21186,10 @@
                             }
                         }
                         if ($shown) {
-                            $output .= '<li>'.&mt('Alias used by Shibboleth for: [_1]',
+                            $output .= '<li>'.&mt('Alias used by SSO Auth for: [_1]',
                                                   $shown).'</li>';
                         } else {
-                            $output .= '<li>'.&mt('No alias used for Shibboleth').'</li>';
+                            $output .= '<li>'.&mt('No alias used for SSO Auth').'</li>';
                         }
                     } else {
                         if ($item eq 'remoteip') {
Index: loncom/lonnet/perl/lonnet.pm
diff -u loncom/lonnet/perl/lonnet.pm:1.1473 loncom/lonnet/perl/lonnet.pm:1.1474
--- loncom/lonnet/perl/lonnet.pm:1.1473	Tue Nov 30 15:55:40 2021
+++ loncom/lonnet/perl/lonnet.pm	Mon Dec  6 03:31:55 2021
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # TCP networking package
 #
-# $Id: lonnet.pm,v 1.1473 2021/11/30 15:55:40 raeburn Exp $
+# $Id: lonnet.pm,v 1.1474 2021/12/06 03:31:55 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -14656,7 +14656,7 @@
     return;
 }
 
-sub alias_shibboleth {
+sub alias_sso {
     my ($lonid) = @_;
     if ($lonid eq '') {
         $lonid = $perlvar{'lonHostID'};
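Review bot: alias_shibboleth() is renamed with no compatibility wrapper, and this commit updates only the two callers in lontrans.pm; any other module still calling `&Apache::lonnet::alias_shibboleth` will fail at runtime rather than at compile time, so either confirm with a tree-wide grep that no callers remain or keep `sub alias_shibboleth { return &alias_sso(@_); }` for one release.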

