--- loncom/auth/lonshibacc.pm 2015/01/23 15:57:27 1.2
+++ loncom/auth/lonshibacc.pm 2021/12/06 03:31:54 1.3
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Authorization handler for Shibboleth authenticated users
 #
-# $Id: lonshibacc.pm,v 1.2 2015/01/23 15:57:27 raeburn Exp $
+# $Id: lonshibacc.pm,v 1.3 2021/12/06 03:31:54 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -28,7 +28,8 @@
 =head1 NAME
-Apache::lonshibacc - Authorization handler if Shibboleth-authenticated
+Apache::lonshibacc - Initial Authorization handler for
+SSO-authenticated users.
 =head1 SYNOPSIS
@@ -42,8 +43,18 @@ PerlAuthzHandler Apache::lonshibac
 Authorization handler used to remove trailing @internet dom from Shibboleth authenticated username (e.g., @mit.edu).
-After making change to $r->user, will return DECLINE so
-lonacc.pm can be invoked as the next authorization handler.
+Authorization handler used to:
+
+(a) remove trailing @internet dom from Shibboleth
+authenticated username (e.g., @mit.edu),
+unless lonSSOEmailOK perl var is set to 1, and/or
+
+(b) set URI for authenticated user to /adm/sso, if
+lonOtherAuthenUrl is set.
+
+After making changes to $r->user and/or $r->uri, DECLINED is
+returned so lonacc.pm can be invoked as the next authorization
+handler via:
 PerlAuthzHandler Apache::lonacc
@@ -74,9 +85,15 @@ sub handler {
 my $uint_dom = &Apache::lonnet::internet_dom($uprimary_id);
 if ($user =~ /^(\w[a-zA-Z0-9_\-.]+)\@\Q$uint_dom\E$/i) {
 my $username = $1;
- $user = $r->user($username);
+ unless ($r->dir_config('lonSSOEmailOK') == 1) {
+ $user = $r->user($username);
+ }
 }
 }
+ if (($r->dir_config('lonOtherAuthenUrl') ne '') &&
+ ($r->uri eq $r->dir_config('lonOtherAuthenUrl'))) {
+ $r->uri('/adm/sso');
+ }
 }
 return DECLINED;
 }
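Review bot: In the last hunk (`@@ -74,9 +85,15 @@`), the new `unless ($r->dir_config('lonSSOEmailOK') == 1)` compares a PerlSetVar value numerically, so an unset variable is compared as undef and a value such as `yes` counts as 0. Both cases fall through to stripping the domain, which is the safe default, but the unset case raises an "uninitialized value" warning if warnings are enabled for this file (not visible here). A string test states the contract exactly: `unless (($r->dir_config('lonSSOEmailOK') || '') eq '1') {`. Because this flag decides whether `user@domain` or the bare username is passed to lonacc.pm as the authenticated identity, a comment at the check such as `# keep the full user@domain only when lonSSOEmailOK is explicitly 1` would help the next reader. The `/adm/sso` rewrite below it matches `$r->uri` by exact string equality, so a lonOtherAuthenUrl configured with a trailing slash or different case would silently not match; the handler body and the outer block enclosing both changes begin outside the hunk.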