[LON-CAPA-cvs] cvs: loncom /html/adm/help/tex Institutional_Integration_Shibboleth.tex

raeburn raeburn at source.lon-capa.org
Mon Dec 6 16:12:06 EST 2021

raeburn		Mon Dec  6 21:12:06 2021 EDT

  Modified files:              
    /loncom/html/adm/help/tex	Institutional_Integration_Shibboleth.tex 
  - Update documentation for use of a LON-CAPA node as a Shibboleth SP.
Index: loncom/html/adm/help/tex/Institutional_Integration_Shibboleth.tex
diff -u loncom/html/adm/help/tex/Institutional_Integration_Shibboleth.tex:1.4 loncom/html/adm/help/tex/Institutional_Integration_Shibboleth.tex:1.5
--- loncom/html/adm/help/tex/Institutional_Integration_Shibboleth.tex:1.4	Thu Mar 26 22:15:20 2015
+++ loncom/html/adm/help/tex/Institutional_Integration_Shibboleth.tex	Mon Dec  6 21:12:06 2021
@@ -16,11 +16,9 @@
 Although Shibboleth can be built on any 32 or 64 bit Linux distro on which LON-CAPA is supported,
-official packages are available from http://shibboleth.net for: Red Hat/CentOS 5, 6 and 7,
-SLES 10 and 11, and openSuSE 12.1, 12.2, and 12.3.
-In addition, http://www.switch.ch provides a repository from which shibboleth packages
-may be obtained for Ubuntu 12.04 LTS and 14.04 LTS.
+official packages are available via http://shibboleth.net for: Red Hat/CentOS 5, 6, 7, and 8,
+and SLES 11, and 12. For SLES 12 and 15 shibboleth is available from suse.com, and for Ubuntu, 
+Shibboleth packages are available from standard repos for Ubuntu 14.04, 16.04, 18.04 and 20.04.
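Review bot: The added sentence lists SLES 12 under both sources ("and SLES 11, and 12" for shibboleth.net, then "For SLES 12 and 15 shibboleth is available from suse.com"), so a reader cannot tell which repository to use on SLES 12. The SLES 12 SP5 example later in this patch uses SUSEConnect, so if that is the intended route, drop 12 from the shibboleth.net list. The link is also written as http://shibboleth.net while the key URL added further down uses https://shibboleth.net; use https here as well, since this is where readers are sent to obtain packages. Minor: "Ubuntu" is named twice in the last sentence and "shibboleth" is capitalized inconsistently.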
@@ -29,38 +27,33 @@
-Shibboleth repos for RPM-based Linux distros can be found at:
+For Red Hat/CentOS the text to include in a shibboleth.repo file to be placed in
+/etc/yum.repos.d can be generated at:
-Red Hat/CentOS -- add shibboleth.repo to /etc/yum.repos.d
-e.g., CentOS 5
+e.g., CentOS 6
-name=Shibboleth (CentOS_5)
+name=Shibboleth (CentOS_CentOS-6)
+        https://shibboleth.net/downloads/service-provider/RPMS/cantor.repomd.xml.key
-e.g., CentOS 6
+e.g., CentOS 7
-name=Shibboleth (CentOS_6)
+name=Shibboleth (CentOS_7)
+        https://shibboleth.net/downloads/service-provider/RPMS/cantor.repomd.xml.key
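Review bot: The repository names in the two examples follow different patterns, "Shibboleth (CentOS_CentOS-6)" and "Shibboleth (CentOS_7)". If both are copied verbatim from the generator's output, say so in the text; otherwise make them consistent. The added key URL is an indented line that is only valid as a continuation of the entry above it, so check that the rendered help preserves the leading whitespace and that the surrounding text tells the reader to keep both key entries. The introduction now mentions CentOS 5 through 8, but the examples stop at CentOS 7.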
@@ -69,7 +62,7 @@
 yum install shibboleth
 e.g. SLES 11 SP3:
@@ -80,26 +73,23 @@
 zypper install shibboleth
-e.g. SuSE 12.3
+e.g. SLES 12 SP5
-zypper addrepo http://download.opensuse.org/repositories/security:shibboleth/
-zypper refresh
-zypper install shibboleth
+SUSEConnect -p SLES/12.5/x86_64 -r <registration-code>
+zypper install shibboleth-sp-2.5.5-6.6.1
-e.g., Ubuntu 12.04LTS
+e.g., SLES 15 SP4
+SUSEConnect -p sle-module-server-applications/15.4/x86_64
+zypper install shibboleth-sp-3.1.0-3.3.1
-See: https://www.switch.ch/aai/docs/shibboleth/SWITCH/2.5/sp/deployment/?os=ubuntu
+e.g., Ubuntu 20.04LTS
-sudo apt-get install curl
-sudo curl -k -O http://pkg.switch.ch/switchaai/SWITCHaai-swdistrib.asc
-sudo apt-key add SWITCHaai-swdistrib.asc
-echo 'deb http://pkg.switch.ch/switchaai/ubuntu precise main' | 
-sudo tee /etc/apt/sources.list.d/SWITCHaai-swdistrib.list $>$ /dev/null
-sudo apt-get update
-sudo apt-get install shibboleth
+sudo apt install --install-recommends shibboleth
 The following directories will have now been created:
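Review bot: The two added zypper lines pin exact builds ("shibboleth-sp-2.5.5-6.6.1" and "shibboleth-sp-3.1.0-3.3.1"), which will go stale and steer readers toward a build that may no longer be the current patched one. Either install by package name without the version-release suffix or state that the versions shown are examples from the time of writing. Separately, "-r <registration-code>" uses bare angle brackets, while the removed tee line wrote the greater-than sign as $>$, which suggests these commands are not in a verbatim environment; if so, the brackets need the same math-mode treatment or the placeholder will render incorrectly.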
@@ -247,7 +237,26 @@
 If the attribute used for REMOTE\_USER is in the form: username at somewhere.edu, and somewhere.edu is
 the ``internet domain'' (i.e., the last item in the colon separated list of entries for your server
 in /home/httpd/lonTabs/hosts.tab), then LON-CAPA will automatically remove the @somewhere.edu, such
-that \$r-$>$user will be just username.
+that \$r-$>$user will be just username, unless the value of the PerlVar lonSSOEmailOK is 1. 
+By default, with mod_shib installed and configured, and shibd running, then entries in LON-CAPA's
+Apache config file: loncapa_apache.conf will result in display of an authentication 
+prompt when a user without a current LON-CAPA session accesses /adm/roles.  If it is preferred
+to display /adm/login configured to offer dual SSO log-in (Shibboleth), and non-SSO login
+(LON-CAPA), set this using the Domain Configuration available to a Domain Coordinator via the web GUI:
+Main Menu $>$ Set domain configuration $>$ Display ("Log-in page options" checked).
+For any of the LON-CAPA domain's servers which will offer dual login check "Yes" and then set:
+\item SSO: Text, Image, Alt Text, URL, Tool Tip
+\item non-SSO: Text
+The value in the URL field should be /adm/sso, and the image will be for a button to be clicked
+to load /adm/sso to prompt for Shibboleth authentication. The alt and title attributes for the
+button can also be set. Above the button there will be the text: "Log-in type: " followed by
+the text entered in the SSO configuration for ``Text''. Below that will be a ``Change'' link
+used to toggle between SSO and non-SSO log-in panels. 
 \item Add a custom Apache config file to include some PerlVars (for logout etc.)
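Review bot: The added lines contain unescaped underscores in "mod_shib" and "loncapa_apache.conf", whereas the context line just above escapes the same character as "REMOTE\_USER"; outside verbatim this will fail the LaTeX build, so write mod\_shib and loncapa\_apache.conf. The new "lonSSOEmailOK is 1" clause changes what ends up in \$r-$>$user (the @somewhere.edu part is kept), but the text does not say where that PerlVar is set or when an administrator would want it; one sentence on that would help, since it affects how SSO identities map to LON-CAPA usernames. Minor: the straight quotes around "Yes", "Log-in page options" and "Log-in type: " should use the ``...'' form used for ``Text'' and ``Change'', and the two added \item lines need an enclosing list environment if one is not already open at that point.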

