[LON-CAPA-cvs] cvs: loncom / lontrans.pm /auth lonshibacc.pm lonshibauth.pm /interface domainprefs.pm /lonnet/perl lonnet.pm
raeburn
raeburn at source.lon-capa.org
Sun Dec 5 22:31:55 EST 2021
raeburn Mon Dec 6 03:31:55 2021 EDT
Modified files:
/loncom/auth lonshibauth.pm lonshibacc.pm
/loncom lontrans.pm
/loncom/interface domainprefs.pm
/loncom/lonnet/perl lonnet.pm
Log:
- Dual SSO and non-SSO login from /adm/login for use with additional SSO
mechanisms besides Shibboleth.
- Default is to use /adm/sso for "authentication" URL.
- Different authentication URL can be set with lonOtherAuthenUrl perlvar.
- Update documentation for lonshibauth.pm and lonshibacc.pm
- Wording change for WAF/Proxy domain configuration
- If the Apache config sets lonSSOEmailOK to 1, the default removal in
lonshibacc.pm of the @ "internet domain" suffix from the username of
SSO-authenticated users is skipped.
- &alias_shibboleth() routine in lonnet.pm renamed alias_sso().
-------------- next part --------------
Index: loncom/auth/lonshibauth.pm
diff -u loncom/auth/lonshibauth.pm:1.12 loncom/auth/lonshibauth.pm:1.13
--- loncom/auth/lonshibauth.pm:1.12 Wed Nov 3 01:04:02 2021
+++ loncom/auth/lonshibauth.pm Mon Dec 6 03:31:54 2021
@@ -1,7 +1,8 @@
# The LearningOnline Network
-# Redirect Shibboleth authentication to designated URL (/adm/sso).
+# Redirect Single Sign On authentication to designated URL:
+# /adm/sso, by default.
#
-# $Id: lonshibauth.pm,v 1.12 2021/11/03 01:04:02 raeburn Exp $
+# $Id: lonshibauth.pm,v 1.13 2021/12/06 03:31:54 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -28,14 +29,15 @@
=head1 NAME
-Apache::lonshibauth - Redirect Shibboleth authentication
+Apache::lonshibauth - Redirect Single Sign On authentication
=head1 SYNOPSIS
-Invoked when lonOtherAuthen is set to yes, and type is Shibboleth
+Invoked when an Apache config file includes:
+PerlAuthenHandler Apache::lonshibauth
If server is configured as a Shibboleth SP, the main Apache
-configuration file, e.g., /etc/httpd/conf/httpd.conf
+configuration file, e.g., /etc/httpd/conf/httpd.conf
(for RHEL/CentOS/Scentific Linux/Fedora) should contain:
LoadModule mod_shib /usr/lib/shibboleth/mod_shib_22.so
@@ -43,10 +45,99 @@
or equivalent (depending on Apache version)
before the line to include conf/loncapa_apache.conf
+If some other Apache module is in use for Single Sign On
+authentication e.g., mod_auth_cas or mod_sentinel,
+then a separate config file should be created which
+includes settings for the authentication module.
+
=head1 INTRODUCTION
-Redirects a user requiring Single Sign On via Shibboleth to a
-URL -- /adm/sso -- on the server which is configured to use that service.
+Redirects a user requiring Single Sign On to a URL on the server
+which is configured to use that service. The default URL is:
+/adm/sso.
+
+If this is to be used with a Single Sign On service other Shibboleth
+then an Apache config file needs to be loaded which:
+
+(a) loads the corresponding Apache module, and
+(b) sets appropriate values for perl vars in
+an <IfModule mod_***></IfModule> block, and
+(c) sets an appropriate value for AuthType in a
+<Location /adm/sso><IfModule mod_***>
+</IfModule></Location> block, which also contains
+
+require valid-user
+
+PerlAuthzHandler Apache::lonshibacc
+
+PerlAuthzHandler Apache::lonacc
+
+In the case of Shibboleth no additional file is needed
+because loncapa_apache.conf already contains:
+
+<IfModule mod_shib>
+ PerlAuthenHandler Apache::lonshibauth
+ PerlSetVar lonOtherAuthen yes
+ PerlSetVar lonOtherAuthenType Shibboleth
+
+</IfModule>
+
+and
+
+<Location /adm/sso>
+ Header set Cache-Control "private,no-store,no-cache,max-age=0"
+ <IfModule mod_shib>
+ AuthType shibboleth
+ ShibUseEnvironment On
+ ShibRequestSetting requireSession 1
+ ShibRequestSetting redirectToSSL 443
+ require valid-user
+ PerlAuthzHandler Apache::lonshibacc
+ PerlAuthzHandler Apache::lonacc
+ ErrorDocument 403 /adm/login
+ ErrorDocument 500 /adm/errorhandler
+ </IfModule>
+ <IfModule !mod_shib>
+ PerlTypeHandler Apache::lonnoshib
+ </IfModule>
+
+</Location>
+
+If the service is not Shibboleth, then (optionally) a URL that is
+not /adm/sso can be used as the URL for the service, e.g., /adm/cas
+or /adm/sentinel, by setting a lonOtherAuthenUrl perl var
+in an Apache config file containing (for example):
+
+PerlSetVar lonOtherAuthenUrl /adm/sentinel
+
+<IfModule mod_sentinel>
+ PerlAuthenHandler Apache::lonshibauth
+ PerlSetVar lonOtherAuthen yes
+ PerlSetVar lonOtherAuthenType Sentinel
+
+</IfModule>
+
+<Location /adm/sentinel>
+ Header set Cache-Control "private,no-store,no-cache,max-age=0"
+ <IfModule mod_sentinel>
+ AuthType Sentinel
+ require valid-user
+ PerlAuthzHandler Apache::lonshibacc
+ PerlAuthzHandler Apache::lonacc
+ ErrorDocument 403 /adm/login
+ ErrorDocument 500 /adm/errorhandler
+ </IfModule>
+ <IfModule !mod_sentinel>
+ PerlTypeHandler Apache::lonnoshib
+ </IfModule>
+
+</Location>
+
+In the example above for Sentinel SSO, it would also be possible to
+use /adm/sso instead of /adm/sentinel, in which case (i) there would be
+no need to define lonOtherAuthenUrl, (ii) there would be <Location /adm/sso>
+and (iii) the <IfModule !></IfModule> block would not be needed as
+it is already present in /etc/httpd/conf/loncapa_apache.conf.
=head1 HANDLER SUBROUTINE
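Review bot: The new INTRODUCTION sentence `If this is to be used with a Single Sign On service other Shibboleth` is missing a word and should read `... service other than Shibboleth`. In the closing paragraph, `the <IfModule !></IfModule> block` is a placeholder that readers may take literally; naming it as in the example, e.g. `the <IfModule !mod_sentinel> block`, would make it unambiguous. Both are wording changes only; nothing in this hunk is executable.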
@@ -54,10 +145,62 @@
=over 4
-If $r->user defined and requested uri not /adm/sso
-redirect to /adm/sso
+If $r->user is defined and requested URL is not /adm/sso or
+other specific URL as set by a lonOtherAuthenUrl perlvar,
+then redirect to /adm/sso (or to the specific URL).
+
+Otherwise return DECLINED.
+
+In the case of redirection a query string is appended,
+which will contain either (a) the originally requested URL,
+if not /adm/sso (or lonOtherAuthenUrl URL), and
+any existing query string in the original request, or
+(b) if original request was for /tiny/domain/uniqueID,
+or if redirect is to /adm/login to support dual SSO and
+non-SSO, a query string which contains sso=tokenID, where the
+token contains information for deep-linking to course/resource.
+
+Support is included for use of LON-CAPA's standard log-in
+page -- /adm/login -- to support dual SSO and non-SSO
+authentication from that "landing" page.
+
+To enable dual SSO and non-SSO access from /adm/login
+a Domain Coordinator will use the web GUI:
+Main Menu > Set domain configuration > Display
+("Log-in page options" checked)
+and for any of the LON-CAPA domain's servers which
+will offer dual login will check "Yes" and then set:
+(a) SSO Text, Image, Alt Text, URL, Tool Tip
+(b) non-SSO: Text
+
+The value in the URL field should be /adm/sso,
+or the same URL as set for the lonOtherAuthenUrl
+perl var, e.g., /adm/sentinel.
-Otherwise return DECLINED
+=back
+
+=head1 NOTABLE SUBROUTINES
+
+=over 4
+
+=item set_token()
+
+Inputs: 2
+$r - request object
+$lonhost - hostID of current server
+
+Output: 1
+$querystring - query string to append to URL
+when redirecting.
+
+If any of the following items are present in the original query string:
+role, symb, and linkkey, then they will be stored in the token file
+on the server, for access later to support deep-linking. If the ltoken
+item is available, from successful launch from an LTI Consumer where
+LON-CAPA is the LTI Provider, but not configured to accept user
+information, and the destination is a deep-link URL /tiny/domain/uniqueiD,
+then the LTI number, type (c or d), and tiny URL will be saved as the
+linkprot item in a token file.
=back
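Review bot: The rewritten HANDLER SUBROUTINE text says `If $r->user is defined and requested URL is not /adm/sso ... then redirect`, but the condition in the handler hunk below is `($r->user eq '')`, so the redirect happens when no user is set and DECLINED is returned once one is. The description inverts the behaviour; suggest `If $r->user is empty (no user authenticated yet) and the requested URL is neither /adm/sso nor the URL set by the lonOtherAuthenUrl perlvar, then redirect to /adm/sso (or to that URL); otherwise return DECLINED.` The set_token() entry describes what is stored in the token file, but set_token() itself is outside this hunk, so that description cannot be checked here.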
@@ -75,11 +218,15 @@
sub handler {
my $r = shift;
- my $target = '/adm/sso';
+ my $ssourl = '/adm/sso';
+ if ($r->dir_config('lonOtherAuthenUrl') ne '') {
+ $ssourl = $r->dir_config('lonOtherAuthenUrl');
+ }
+ my $target = $ssourl;
if (&Apache::lonnet::get_saml_landing()) {
$target = '/adm/login';
}
- if (($r->user eq '') && ($r->uri ne $target) && ($r->uri ne '/adm/sso')) {
+ if (($r->user eq '') && ($r->uri ne $target) && ($r->uri ne $ssourl)) {
my $lonhost = $Apache::lonnet::perlvar{'lonHostID'};
my $hostname = &Apache::lonnet::hostname($lonhost);
if (!$hostname) { $hostname = $r->hostname(); }
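Review bot: `$r->dir_config('lonOtherAuthenUrl') ne ''` compares undef with the empty string whenever the perlvar is not set, which is the usual Shibboleth case, so under `use warnings` it emits an uninitialized-value warning on every request; the value is also read twice. Read it once and test definedness: `my $otherurl = $r->dir_config('lonOtherAuthenUrl');` followed by `my $ssourl = (defined($otherurl) && $otherurl ne '') ? $otherurl : '/adm/sso';`. The same pattern recurs in lonshibacc.pm (the check before `$r->uri('/adm/sso')`) and lontrans.pm (the `$ssourl` assignment). Since `$ssourl` becomes a redirect target later in handler, it may be worth accepting only a server-relative path beginning with `/`, so a mistyped perlvar cannot turn into an off-site redirect; handler's body continues past this hunk, so where the redirect is built cannot be seen here.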
Index: loncom/auth/lonshibacc.pm
diff -u loncom/auth/lonshibacc.pm:1.2 loncom/auth/lonshibacc.pm:1.3
--- loncom/auth/lonshibacc.pm:1.2 Fri Jan 23 15:57:27 2015
+++ loncom/auth/lonshibacc.pm Mon Dec 6 03:31:54 2021
@@ -1,7 +1,7 @@
# The LearningOnline Network
# Authorization handler for Shibboleth authenticated users
#
-# $Id: lonshibacc.pm,v 1.2 2015/01/23 15:57:27 raeburn Exp $
+# $Id: lonshibacc.pm,v 1.3 2021/12/06 03:31:54 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -28,7 +28,8 @@
=head1 NAME
-Apache::lonshibacc - Authorization handler if Shibboleth-authenticated
+Apache::lonshibacc - Initial Authorization handler for
+SSO-authenticated users.
=head1 SYNOPSIS
@@ -42,8 +43,18 @@
Authorization handler used to remove trailing @internet dom
from Shibboleth authenticated username (e.g., @mit.edu).
-After making change to $r->user, will return DECLINE so
-lonacc.pm can be invoked as the next authorization handler.
+Authorization handler used to:
+
+(a) remove trailing @internet dom from Shibboleth
+authenticated username (e.g., @mit.edu),
+unless lonSSOEmailOK perl var is set to 1, and/or
+
+(b) set URI for authenticated user to /adm/sso, if
+lonOtherAuthenUrl is set.
+
+After making changes to $r->user and/or $r->uri, DECLINED is
+returned so lonacc.pm can be invoked as the next authorization
+handler via:
PerlAuthzHandler Apache::lonacc
@@ -74,9 +85,15 @@
my $uint_dom = &Apache::lonnet::internet_dom($uprimary_id);
if ($user =~ /^(\w[a-zA-Z0-9_\-.]+)\@\Q$uint_dom\E$/i) {
my $username = $1;
- $user = $r->user($username);
+ unless ($r->dir_config('lonSSOEmailOK') == 1) {
+ $user = $r->user($username);
+ }
}
}
+ if (($r->dir_config('lonOtherAuthenUrl') ne '') &&
+ ($r->uri eq $r->dir_config('lonOtherAuthenUrl'))) {
+ $r->uri('/adm/sso');
+ }
}
return DECLINED;
}
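Review bot: `$r->dir_config('lonSSOEmailOK') == 1` is a numeric comparison on a perlvar that is absent on most servers; undef, or a non-numeric value such as `yes`, produces a warning per request and `yes` silently counts as "not set". Since the documentation says "set to 1", compare as a string after a definedness check: `my $emailok = $r->dir_config('lonSSOEmailOK');` and `unless (defined($emailok) && $emailok eq '1') { $user = $r->user($username); }`. A short comment would also help here, e.g. `# lonSSOEmailOK=1: keep the @internet-dom suffix; $r->user is then the full address`, because whether downstream code accepts such a username cannot be verified from this hunk. The enclosing subroutine starts outside the hunk.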
Index: loncom/lontrans.pm
diff -u loncom/lontrans.pm:1.37 loncom/lontrans.pm:1.38
--- loncom/lontrans.pm:1.37 Wed Nov 3 01:04:03 2021
+++ loncom/lontrans.pm Mon Dec 6 03:31:54 2021
@@ -1,7 +1,7 @@
# The LearningOnline Network
# URL translation for User Files
#
-# $Id: lontrans.pm,v 1.37 2021/11/03 01:04:03 raeburn Exp $
+# $Id: lontrans.pm,v 1.38 2021/12/06 03:31:54 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -57,6 +57,10 @@
if ($alias) {
my $lonhost = $r->dir_config('lonHostID');
my $hostname = &Apache::lonnet::hostname($lonhost);
+ my $ssourl = '/adm/sso';
+ if ($r->dir_config('lonOtherAuthenUrl') ne '') {
+ $ssourl = $r->dir_config('lonOtherAuthenUrl');
+ }
if (($hdrhost eq $alias) || ($hdrhost eq $hostname)) {
my $proxyinfo = &Apache::lonnet::get_proxy_settings($r->dir_config('lonDefDomain'));
my ($vpnint,$vpnext);
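Review bot: `my $ssourl` is declared inside the `if ($alias) {` block opened on this hunk's first context line, yet the later hunk `unless (($uri eq '/adm/migrateuser') || ($uri eq $ssourl))` appears to sit outside that block, after the alias/proxy logic and using `$uri` rather than `$r->uri`. If the block does close before that point, `$ssourl` is out of lexical scope there: under `use strict` the module fails to compile, and without it the comparison is silently against an empty string. The indentation is lost in this mail so the block boundary cannot be confirmed; declaring `$ssourl` once at the top of handler, before `if ($alias)`, removes the question and avoids re-reading the perlvar. handler begins outside this hunk.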
@@ -71,8 +75,8 @@
($r->uri !~ m{^/adm/(lti|launch)/})) {
$redirect = $hostname;
}
- if ($r->uri eq '/adm/sso') {
- if (&Apache::lonnet::alias_shibboleth($lonhost)) {
+ if ($r->uri eq $ssourl) {
+ if (&Apache::lonnet::alias_sso($lonhost)) {
undef($redirect);
} else {
$redirect = $hostname;
@@ -93,8 +97,8 @@
if (exists($iphost{$remote_ip})) {
undef($redirect);
}
- } elsif ($r->uri eq '/adm/sso') {
- unless (&Apache::lonnet::alias_shibboleth($lonhost)) {
+ } elsif ($r->uri eq $ssourl) {
+ unless (&Apache::lonnet::alias_sso($lonhost)) {
undef($redirect);
}
}
@@ -105,7 +109,7 @@
if (($uri eq '/adm/switchserver') || ($uri =~ m{^/Shibboleth.sso/})) {
return DECLINED;
}
- unless (($uri eq '/adm/migrateuser') || ($uri eq '/adm/sso')) {
+ unless (($uri eq '/adm/migrateuser') || ($uri eq $ssourl)) {
my %user;
my $handle = &Apache::lonnet::check_for_valid_session($r,undef,\%user);
if (($handle) && ($user{'name'} ne '') && ($user{'domain'} ne '')) {
Index: loncom/interface/domainprefs.pm
diff -u loncom/interface/domainprefs.pm:1.395 loncom/interface/domainprefs.pm:1.396
--- loncom/interface/domainprefs.pm:1.395 Tue Nov 30 14:12:02 2021
+++ loncom/interface/domainprefs.pm Mon Dec 6 03:31:54 2021
@@ -1,7 +1,7 @@
# The LearningOnline Network with CAPA
# Handler to set domain-wide configuration settings
#
-# $Id: domainprefs.pm,v 1.395 2021/11/30 14:12:02 raeburn Exp $
+# $Id: domainprefs.pm,v 1.396 2021/12/06 03:31:54 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -7934,7 +7934,7 @@
if ($current) {
$aliasrows .= $current;
if ($forsaml) {
- $aliasrows .= ' ('.&mt('also for Shibboleth').')';
+ $aliasrows .= ' ('.&mt('also for SSO Auth').')';
}
} else {
$aliasrows .= &mt('None');
@@ -7962,7 +7962,7 @@
'<input type="text" name="wafproxy_alias_'.$server.'" '.
'value="'.$current.'" size="30" />'.
(' 'x2).'<span class="LC_nobreak">'.
- &mt('Alias used for Shibboleth').': <label>'.
+ &mt('Alias used for SSO Auth').': <label>'.
'<input type="radio" value="0"'.$samloff.' name="wafproxy_alias_saml_'.$server.'" />'.
&mt('No').'</label> <label>'.
'<input type="radio" value="1"'.$samlon.' name="wafproxy_alias_saml_'.$server.'" />'.
@@ -21186,10 +21186,10 @@
}
}
if ($shown) {
- $output .= '<li>'.&mt('Alias used by Shibboleth for: [_1]',
+ $output .= '<li>'.&mt('Alias used by SSO Auth for: [_1]',
$shown).'</li>';
} else {
- $output .= '<li>'.&mt('No alias used for Shibboleth').'</li>';
+ $output .= '<li>'.&mt('No alias used for SSO Auth').'</li>';
}
} else {
if ($item eq 'remoteip') {
Index: loncom/lonnet/perl/lonnet.pm
diff -u loncom/lonnet/perl/lonnet.pm:1.1473 loncom/lonnet/perl/lonnet.pm:1.1474
--- loncom/lonnet/perl/lonnet.pm:1.1473 Tue Nov 30 15:55:40 2021
+++ loncom/lonnet/perl/lonnet.pm Mon Dec 6 03:31:55 2021
@@ -1,7 +1,7 @@
# The LearningOnline Network
# TCP networking package
#
-# $Id: lonnet.pm,v 1.1473 2021/11/30 15:55:40 raeburn Exp $
+# $Id: lonnet.pm,v 1.1474 2021/12/06 03:31:55 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -14656,7 +14656,7 @@
return;
}
-sub alias_shibboleth {
+sub alias_sso {
my ($lonid) = @_;
if ($lonid eq '') {
$lonid = $perlvar{'lonHostID'};