[LON-CAPA-cvs] cvs: loncom /html/adm/help/tex Domain_Configuration_Login_Page.tex

raeburn raeburn at source.lon-capa.org
Wed Dec 8 09:45:01 EST 2021 

raeburn		Wed Dec  8 14:45:01 2021 EDT

  Modified files:              
    /loncom/html/adm/help/tex	Domain_Configuration_Login_Page.tex 
  Log:
  - Update log-in page documentation, e.g., dual login (SSO + non-SSO options)
  
  
Index: loncom/html/adm/help/tex/Domain_Configuration_Login_Page.tex
diff -u loncom/html/adm/help/tex/Domain_Configuration_Login_Page.tex:1.9 loncom/html/adm/help/tex/Domain_Configuration_Login_Page.tex:1.10
--- loncom/html/adm/help/tex/Domain_Configuration_Login_Page.tex:1.9	Thu Mar 30 02:09:17 2017
+++ loncom/html/adm/help/tex/Domain_Configuration_Login_Page.tex	Wed Dec  8 14:45:01 2021
@@ -1,4 +1,7 @@
 \label{Domain_Configuration_Login_Page}
+
+\textbf{Log-in Service}
+
 If your domain has more than one server you have the option to configure whether 
 any of the servers will redirect to another server whenever the log-in page is requested.  This can be useful if you maintain a portal or ``Load Balancer'' server which 
 forms your institution's gateway to LON-CAPA. You can specify the path to which 
@@ -6,6 +9,10 @@
 IP addresses should be exempt from the redirection.  The exemption is useful 
 if you run a monitoring script which tests log-in, course display, and logout periodically for each of your LON-CAPA servers.
 
+\hfill{}
+
+\textbf{Log-in Page Items}
+
 If your domain only has one LON-CAPA server, or you have multiple servers and will 
 display their log-in pages, their appearance can be customized as follows:
 
@@ -17,8 +24,6 @@
 Logos displayed in the login page configuration table are scaled down
 from the full size used in the login-page itself. 
 
-
-
 \hfill{}
 
 \noindent The following elements are configurable: 
@@ -57,6 +62,8 @@
 
 \hfill{}
 
+\textbf{Log-in Help}
+
 Where the ``Contact Helpdesk'' web form is in use it can be configured to include a CAPTCHA
 mechanism to discourage robotic form completion.  There are two types of CAPTCHA to choose
 from -- the ``original'' CAPTCHA which uses a self-contained perl module included with the
@@ -69,10 +76,65 @@
 
 \hfill{}
 
+\textbf{Custom HTML in document head}
+
 The head portion of the log-in page may contain custom mark up (e.g., a script block containing
 javascript for page analytics) in a file which will be uploaded and published public.
 Different custom markup may be uploaded for each server in a domain, and a comma separated list
 of IP addresses may be specified for which the custom markup will not not be included in the page, 
 when the request for the log-in page originates from one of those addresses. A use case for the
 exempt IP addresses is where robotic requests for the log-in page and made from a monitoring
-machine, used to detect when a LON-CAPA server is not working correctly. 
+machine, used to detect when a LON-CAPA server is not working correctly.
+
+\hfill{}
+
+\textbf{Dual login: SSO and non-SSO}
+
+For a LON-CAPA node configured to support Single Sign On (SSO), e.g., by operating as a Shibboleth SP,
+entries in Apache config files (loncapa_apache.conf, if Shibboleth) will cause display of an SSO login page
+when a user without a current LON-CAPA session accesses /adm/roles.  If, instead, it is preferred
+to display /adm/login configured to offer dual SSO log-in (e.g., Shibboleth), and non-SSO login
+(i.e., LON-CAPA), that can be set using the ``Dual login: SSO and non-SSO options'' section.
+
+Check the ``Yes'' radio button for each of the domain's servers which will offer dual login check "Yes" and then set:  
+
+\begin{itemize}
+\item SSO: Text, Image, Alt Text, URL, Tool Tip
+\item non-SSO: Text
+\end{itemize}
+
+The value in the URL field will be /adm/sso for Shibboleth, and the image will be for a button to be clicked
+to load /adm/sso to prompt for SSO login. The alt and title attributes for the button can also be set.
+
+With this in effect the LON-CAPA login page /adm/login will display the following:
+
+\begin{itemize}
+\item Log-in type:
+Immediately followed by the text for either SSO, or non-SSO login, as entered in the ``Dual login: SSO and non-SSO options'' 
+textboxes for SSO and non-SSO.
+
+\item Change?
+A link below the ``Login type:'' line which can be used to toggle between the SSO and non-SSO logins
+
+\item Button (SSO) or Log-in box (non-SSO)
+
+\begin{itemize}
+
+\item SSO - an image (i.e., clickable button) which as uploaded in the SSO option item, with alt text, and a tool tip
+shown when hovering over the button.
+
+\item Non-SSO - standard LON-CAPA login box for username, password, domain and "Log In" button.
+
+\end{itemize}
+
+\end{itemize}
+
+If the SSO service is something other than Shibboleth (e.g., CAS or Sentinel) and the PerlVar lonOtherAuthenUrl has
+been set to a preferred URL (e.g., /adm/sentinel), then the URL item in the SSO entry in the dual login options
+should be set to that preferred URL also.
+
+Note: if the original page request by an unauthenticated user included a query string with any of the following items:
+role, symb, and linkkey, then they will be stored in a token file on the server, for access later to support deep-linking. 
+Similarly, if the query string contained an ltoken item from successful launch from an LTI Consumer, where LON-CAPA is the LTI Provider,
+and for that Consumer LON-CAPA is not configured to accept user information, and the destination is a deep-link URL:
+/tiny/domain/uniqueID, then the LTI number, type (c or d), and tiny URL will be saved as the linkprot item in a token file.

More information about the LON-CAPA-cvs mailing list