[LON-CAPA-admin] External Links to Courses

Bynum, Lee Hamilton leebynum at illinois.edu
Fri Dec 16 12:56:12 EST 2016 

Thank you Stuart,

It looks like I was generating that behavior the same way by trying to use the st role in a course where I am cc.

Lee
________________________________________
From: lon-capa-admin-bounces at mail.lon-capa.org [lon-capa-admin-bounces at mail.lon-capa.org] on behalf of Stuart Raeburn [raeburn at msu.edu]
Sent: Friday, December 16, 2016 10:08 AM
To: lon-capa-admin at mail.lon-capa.org
Subject: Re: [LON-CAPA-admin] External Links to Courses

Lee,

>>
>> I tend to be sent to the non-sso login page  when it fails, even if
>>  I am already logged in.
>>

After some more investigation, I am able to reproduce this behavior on
a load balancer using SSO, in the case where the target role included
in the query string is not assigned to the user. A 403 response was
being returned in this case, for which the custom error document is
/adm/login.

Other failure modes (e.g., wrong password etc.) do not result in that
behavior, but instead allow the user to re-enter the correct
credentials, before transferring the user's session to the
session-hosting server, and initializing the requested role (if
legitimate).

Anyway, I have made a change to switchserver.pm to change the behavior
in the case of an invalid target role, so that the user session will
now be transferred to the server hosting the session, and the roles
page is displayed.

If you want to modify a LON-CAPA server running 2.11.1 you can do so
as follows with following command all on one line:

wget -O /home/httpd/lib/perl/Apache/switchserver
'http://source.loncapa.org/cgi-bin/cvsweb.cgi/~checkout~/loncom/auth/switchserver.pm?rev=1.35;content-type=text/plain'

followed by reloading Apache.

The need to use a URL such as:
https://hostname/adm/roles?role=cc./domain/course_identifier

is not ideal, in any case, if you want to simply link to a course from
outside LON-CAPA, because what you'd prefer to do is provide just the
course, e.g., domain/course_identifier, and then have LON-CAPA assign
the role (i.e., cc, st etc. as appropriate).  Better yet would be the
possibility of using a tiny URL, instead of the cumbersome domain and
course identifier.

There is an existing enhancement request for that, see:
http://bugs.loncapa.org/show_bug.cgi?id=6400#c3


Stuart Raeburn
LON-CAPA Academic Consortium


Quoting Stuart Raeburn <raeburn at msu.edu>:

> Hello Lee,
>
> If a query string specifying the target role is appended to a request
> for the URL: /adm/roles then, as long as the user actually has been
> assigned the specified role (and it has neither an expired nor future
> role), then that role will be initialized after login (and after
> session transfer to the session-hosting server -- if load balanced) in
> all of the following cases:
>
> (a) User logs-in using Single Sign On (SSO) via a load balancer server
> (b) User logs-in using the regular (non-SSO) LON-CAPA log-in via a load
> balancer
> (c) User logs-in using SSO to a server which also hosts the user session.
> (d) User logs-in using the regular (non-SSO) LON-CAPA log-in to a
> server which also hosts the user session.
>
> Cases (a) and (c) work in the msu domain for MSU's CAS-type SSO
> (Sentinel). I have also had success in the msu domain for case (c) with
> Shibboleth within a test environment.  I expect Shibboleth would also
> work with case (a) but I don't currently have a test environment at MSU
> configured for a Shibboleth-enabled load balancer.
>
> If the user is already logged-in to a LON-CAPA server "hostname", then
> the roles screen will be displayed for a URL of
> https://hostname/adm/roles?role=cc./domain/course_identifier, and the
> role will not be automatically changed/initialized.
>
>>
>> I tend to be sent to the non-sso login page  when it fails, even if
>>  I am already logged in.
>>
>
> I have not seen that behavior in the cases I've tested in the msu
> domain in either production, or in the testdrive cluster.
>
> It would be straightforward to change the behavior of /adm/roles for
> logged-in users from displaying the standard LON-CAPA roles screen to
> initializing the role when passed a query string containing
> role==cc./domain/course_identifier.
>
> Currently to force role initialization for a logged-in user you would
> use a URL with a different query string, i.e.,
>
> /adm/roles?selectrole=1&cc.%2fdomain%2fcourse_identifier=1
>
> Note: if you include symb=unique_resource_identifier as an additional
> item in the query string, you can jump directly to a specific item in a
> course.
>
>
> Stuart Raeburn
> LON-CAPA Academic Consortium
>
>
> Quoting "Bynum, Lee Hamilton" <leebynum at illinois.edu>:
>
>> Hello Everyone,
>>
>> I am working on building links to our courses from the outside.
>> I've been having some success with links of the following format:
>>
>> https://server/adm/roles?role=cc./domain/course_identifier
>>
>> Unfortunately, this doesn't seem to work once I am logged into the
>>  server.  It also fails if I attempt to use the st role.  I suspect
>>   that something is getting mixed up or lost in either the balancer
>>  or  the sso interaction.  I tend to be sent to the non-sso login
>> page  when it fails, even if I am already logged in.
>>
>> Has anyone had any success in similar things?
>>
>> Thanks,
>>
>> Lee
>> _______________________________________________
>> LON-CAPA-admin mailing list
>> LON-CAPA-admin at mail.lon-capa.org
>> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin
>
> _______________________________________________
> LON-CAPA-admin mailing list
> LON-CAPA-admin at mail.lon-capa.org
> http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin

_______________________________________________
LON-CAPA-admin mailing list
LON-CAPA-admin at mail.lon-capa.org
http://mail.lon-capa.org/mailman/listinfo/lon-capa-admin

More information about the LON-CAPA-admin mailing list