[LON-CAPA-admin] SSO with Luminus?

Guy Albertelli II guy at albertelli.com
Wed May 2 15:11:23 EDT 2007


Hi Ginny,

>  > We've built it such that we expect the SSO system to act like a
>  > normal Apache authentication handler and thus supplant our
>  > login-screen for the SSO's login screen.
>  >
>  > It's not expecting the SSO to be using lon-capa's normal login
>  > screen in the process in any way.
>  >
>  > In some more detail the expected process is:
>  >
>  > - lon-capa gets a request for a url
>  > - it tries to find if there is an active session or if not, if
>  > the url is a public one
>  > - if neither of these are true then it attempts to hand the user
>  > request off to the SSO
>  > - the SSO is then expected to do whatever it wants to with the
>  > user, eventually handing the user back with the Apache request
>  > 'user' field filled in
>  >
>  > This is how Apache Authentication handlers work.
>  >
>  > Thus in the case of SSO we don't expect to ever have the username or
>  > password to hand off.
>  >
>  > If this isn't how Luminus is expecting to work I'd need to know
>  > more about it.  (Is this actually Luminis? Is there some public
>  > docs I could look at?)

>  The Luminis portal is a SunGard Higher Ed product that is based on
> Campus Pipeline and Uportal.  [At this point, there aren't any
> comprehensive public Luminis SSO or GCF (General Connector
> Framework) docs that I know of... Not sure who actually developed
> GCF.  W/in the Luminis world, folks talk about SSOs, GCF and CPIP
> (Campus Pipeline Integration Protocol) and I don't have a clear idea
> of the distinctions between them.]
> 
> One way SSOs are handled on Luminis is by trying to use the existing
> login process with a held copy of the external system
> username/password and take care of the authentication behind the
> scenes for the user ... that is, we have stored login info for the
> user and submit the authentication request for them and then pass
> back a valid URL/session/cookies to the client. [I believe this is
> GCF stuff.]  With this method we put a pickup.html file on the
> external system to help us handle the cookies/session management,
> but the bulk of the SSO setup is on the Luminis server rather than
> modifications on the external server.


Hrrm, I'd really prefer not modifying the lon-capa login process but
rather hand off the login process completely to Luminis then. 

This way we aren't passing passwords around various webpages.

> The above process works pretty straightforward when the login form
> variable names always stay the same... of course, this isn't the
> case with the LON-CAPA login process where the password variable
> name changes every time you access the login form.  "GRAB"ing the
> changing variable names from the form is supposed to be do-able, but
> I'm trying to figure out if the Apache module on the LON-CAPA server
> might be an easier way to go...

The SSO support in lon-capa expects an Apache Authentication module to
take care of the authentication.

It wants its module to take care of the initial full username/password
authentication and any existing SSO session authentication.


We expect the SSO Apache Authentication module to work like every other
Apache Authentication module.


> A couple of questions about LON-CAPA and the Apache module:
> - I'm assuming that the LON-CAPA system use the Apache web server
> and the SSO module is just an add-on... rather than LON-CAPA using
> something else for web services and then Apache *and* the Apache
> module needing to be installed for the SSO?  Hmmm, reading your
> notes, I think it could be either way?

The SSO mode is an add-on; if you don't enable the SSO support in
lon-capa, it will just do its normal authentication. If however you
set in the apache config 'PerlSetVar lonOtherAuthen yes' then
lon-capa's internal Authentication handler, if it can't find a valid
lon-capa session, will make use of Apache's internal Authentication
Module cascade and cascade to whatever authentication handler you have
installed. (In this case it would be the SSO one you have installed.)


>  - With the Apache module method, you mention that passwords are not
> handed off... so is this basically a *trust* setup between the
> LON-CAPA server and the portal?  That is, the SSO/LON-CAPA will
> trust the portal and hand off a user session without any direct user
> authentication on LON-CAPA or between LON-CAPA and the portal?

Correct.

LON-CAPA trusts that if the Apache child's internal request->user
field has been set that the value in request->user has been
authenticated and should have a lon-capa session immediately started.


> I saw some notes that you wrote in a previous post

I assume you mean 
http://mail.lon-capa.org/pipermail/lon-capa-admin/2006-November/001568.html

>... how do we get the LON-CAPA 
> SSO Apache module and install info?

There isn't a LON-CAPA SSO module, you or your SSO solution must
provide an Apache Authentication Module.

This is because LON-CAPA has no idea how your SSO works, only your SSO
knows how it works. Apache's Authentication Phase provides an easy to
use interface to insert your SSO solution into the normal
Apache Authentication flow.

All configuration options that lon-capa provides (what to do if the
user auths with SSO but lon-capa doesn't know who the user is, what to
do if the user logged in using SSO and is logging out, etc.) are explained in
the above message.

If Luminis doesn't provide an apache authentication module already,
building one shouldn't be that hard.  Let me know if you'd like any
assistance with this.

-- 
guy at albertelli.com   0-7-0-9-27,137
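
An added example, not part of the original message and not LON-CAPA or Luminis code: a sketch of the kind of Apache authentication module the message says the site must supply, written for mod_perl 2. The package name, the `example_sso` cookie, the `ExampleSSOKey` setting and the `user|expiry|hmac` ticket format are all assumptions made for illustration; only `PerlSetVar lonOtherAuthen yes` and the request `user` field come from the message.

```perl
package Example::SSOAuthen;      # hypothetical module name
use strict;
use warnings;
use Apache2::RequestRec  ();     # $r->user, $r->headers_in
use Apache2::RequestUtil ();     # $r->dir_config
use APR::Table           ();
use Apache2::Const -compile => qw(OK HTTP_UNAUTHORIZED);
use Digest::SHA qw(hmac_sha256_hex);

# Constant-time comparison so the MAC check does not leak how many
# leading characters of a forged value were correct.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Ticket format constructed for this example: user|expiry_epoch|hex_hmac
# Returns the username only if the MAC verifies and the ticket is unexpired.
sub verify_ticket {
    my ($ticket, $key, $now) = @_;
    my ($user, $expiry, $mac) =
        $ticket =~ /\A([A-Za-z0-9_.-]{1,64})\|(\d{1,12})\|([0-9a-f]{64})\z/
        or return;
    return unless ct_eq($mac, hmac_sha256_hex("$user|$expiry", $key));
    return unless $expiry > $now;
    return $user;
}

# Authen-phase handler (installed with mod_perl's PerlAuthenHandler).
# With 'PerlSetVar lonOtherAuthen yes', LON-CAPA cascades to a handler
# like this one when it finds no valid LON-CAPA session.
sub handler {
    my $r       = shift;
    my $key     = $r->dir_config('ExampleSSOKey');      # hypothetical PerlSetVar
    my $cookies = $r->headers_in->get('Cookie') || '';
    my ($ticket) = $cookies =~ /(?:^|;\s*)example_sso=([^;]+)/;
    my $user = (defined $key && defined $ticket)
             ? verify_ticket($ticket, $key, time) : undef;
    # A real SSO module would typically send the browser to the portal here.
    return Apache2::Const::HTTP_UNAUTHORIZED unless defined $user;
    $r->user($user);   # LON-CAPA starts a session for whatever name is set here
    return Apache2::Const::OK;
}
1;
```

Because LON-CAPA treats a populated request `user` field as already authenticated, the handler sets it only after the ticket has passed both the MAC and the expiry check, and never from a value the client can supply unsigned.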


