loncom/auth/lonshibauth.pm - diff

Return to lonshibauth.pm CVS log

Up to [LON-CAPA] / loncom / auth

Diff for /loncom/auth/lonshibauth.pm between versions 1.12 and 1.14

-version 1.12, 2021/11/03 01:04:02
+version 1.14, 2021/12/12 20:49:26
  Line 1
  # The LearningOnline Network
- # Redirect Shibboleth authentication to designated URL (/adm/sso).
+ # Redirect Single Sign On authentication to designated URL:
+ # /adm/sso, by default.
  #
  # $Id$
  #
- Line 28
+ Line 29
  =head1 NAME
- Apache::lonshibauth - Redirect Shibboleth authentication
+ Apache::lonshibauth - Redirect Single Sign On authentication
  =head1 SYNOPSIS
- Invoked when lonOtherAuthen is set to yes, and type is Shibboleth
+ Invoked when an Apache config file includes:
+ PerlAuthenHandler Apache::lonshibauth
  If server is configured as a Shibboleth SP, the main Apache
- configuration file, e.g.,  /etc/httpd/conf/httpd.conf
+ configuration file, e.g., /etc/httpd/conf/httpd.conf
  (for RHEL/CentOS/Scentific Linux/Fedora) should contain:
  LoadModule mod_shib /usr/lib/shibboleth/mod_shib_22.so
- Line 43  LoadModule mod_shib /usr/lib/shibboleth/
+ Line 45  LoadModule mod_shib /usr/lib/shibboleth/
  or equivalent (depending on Apache version)
  before the line to include conf/loncapa_apache.conf
+ If some other Apache module is in use for Single Sign On
+ authentication e.g., mod_auth_cas or mod_sentinel,
+ then a separate config file should be created which
+ includes settings for the authentication module.
  =head1 INTRODUCTION
- Redirects a user requiring Single Sign On via Shibboleth to a
+ Redirects a user requiring Single Sign On to a URL on the server
- URL -- /adm/sso -- on the server which is configured to use that service.
+ which is configured to use that service. The default URL is:
+ /adm/sso.
+ If this is to be used with a Single Sign On service other Shibboleth
+ then an Apache config file needs to be loaded which:
+ (a) loads the corresponding Apache module, and
+ (b) sets appropriate values for perl vars in
+ an <IfModule mod_***></IfModule> block, and
+ (c) sets an appropriate value for AuthType in a
+ <Location /adm/sso><IfModule mod_***>
+ </IfModule></Location> block, which also contains
+ require valid-user
+ PerlAuthzHandler       Apache::lonshibacc
+ PerlAuthzHandler       Apache::lonacc
+ In the case of Shibboleth no additional file is needed
+ because loncapa_apache.conf already contains:
+ <IfModule mod_shib>
+     PerlAuthenHandler Apache::lonshibauth
+     PerlSetVar lonOtherAuthen yes
+     PerlSetVar lonOtherAuthenType Shibboleth
+ </IfModule>
+ and
+ <Location /adm/sso>
+   Header set Cache-Control "private,no-store,no-cache,max-age=0"
+   <IfModule mod_shib>
+     AuthType shibboleth
+     ShibUseEnvironment On
+     ShibRequestSetting requireSession 1
+     ShibRequestSetting redirectToSSL 443
+     require valid-user
+     PerlAuthzHandler       Apache::lonshibacc
+     PerlAuthzHandler       Apache::lonacc
+     ErrorDocument     403 /adm/login
+     ErrorDocument     500 /adm/errorhandler
+   </IfModule>
+   <IfModule !mod_shib>
+     PerlTypeHandler        Apache::lonnoshib
+   </IfModule>
+ </Location>
+ If the service is not Shibboleth, then (optionally) a URL that is
+ not /adm/sso can be used as the URL for the service, e.g., /adm/cas
+ or /adm/sentinel, by setting a lonOtherAuthenUrl perl var
+ in an Apache config file containing (for example):
+ PerlSetVar lonOtherAuthenUrl /adm/sentinel
+ <IfModule mod_sentinel>
+     PerlAuthenHandler Apache::lonshibauth
+     PerlSetVar lonOtherAuthen yes
+     PerlSetVar lonOtherAuthenType Sentinel
+ </IfModule>
+ <Location /adm/sentinel>
+   Header set Cache-Control "private,no-store,no-cache,max-age=0"
+   <IfModule mod_sentinel>
+     AuthType Sentinel
+     require valid-user
+     PerlAuthzHandler  Apache::lonshibacc
+     PerlAuthzHandler  Apache::lonacc
+     ErrorDocument     403 /adm/login
+     ErrorDocument     500 /adm/errorhandler
+   </IfModule>
+   <IfModule !mod_sentinel>
+     PerlTypeHandler        Apache::lonnoshib
+   </IfModule>
+ </Location>
+ In the example above for Sentinel SSO, it would also be possible to
+ use /adm/sso instead of /adm/sentinel, in which case (i) there would be
+ no need to define lonOtherAuthenUrl, (ii) there would be <Location /adm/sso>
+ and (iii) the <IfModule !></IfModule> block would not be needed as
+ it is already present in /etc/httpd/conf/loncapa_apache.conf.
  =head1 HANDLER SUBROUTINE
- Line 54  This routine is called by Apache and mod
+ Line 145  This routine is called by Apache and mod
  =over 4
- If $r->user defined and requested uri not /adm/sso
+ If $r->user is defined and requested URL is not /adm/sso or
- redirect to /adm/sso
+ other specific URL as set by a lonOtherAuthenUrl perlvar,
+ then redirect to /adm/sso (or to the specific URL).
+ Otherwise return DECLINED.
+ In the case of redirection a query string is appended,
+ which will contain either (a) the originally requested URL,
+ if not /adm/sso (or lonOtherAuthenUrl URL), and
+ any existing query string in the original request, or
+ (b) if original request was for /tiny/domain/uniqueID,
+ or if redirect is to /adm/login to support dual SSO and
+ non-SSO, a query string which contains sso=tokenID, where the
+ token contains information for deep-linking to course/resource.
+ Support is included for use of LON-CAPA's standard log-in
+ page -- /adm/login -- to support dual SSO and non-SSO
+ authentication from that "landing" page.
+ To enable dual SSO and non-SSO access from /adm/login
+ a Domain Coordinator will use the web GUI:
+ Main Menu > Set domain configuration > Display
+ ("Log-in page options" checked)
+ and for any of the LON-CAPA domain's servers which
+ will offer dual login will check "Yes" and then set:
+ (a) SSO Text, Image, Alt Text, URL, Tool Tip
+ (b) non-SSO: Text
+ The value in the URL field should be /adm/sso,
+ or the same URL as set for the lonOtherAuthenUrl
+ perl var, e.g., /adm/sentinel.
- Otherwise return DECLINED
+ =back
+ =head1 NOTABLE SUBROUTINES
+ =over 4
+ =item set_token()
+ Inputs: 2
+ $r - request object
+ $lonhost - hostID of current server
+ Output: 1
+ $querystring - query string to append to URL
+ when redirecting.
+ If any of the following items are present in the original query string:
+ role, symb, and linkkey, then they will be stored in the token file
+ on the server, for access later to support deep-linking.  If the ltoken
+ item is available, from successful launch from an LTI Consumer where
+ LON-CAPA is the LTI Provider, but not configured to accept user
+ information, and the destination is a deep-link URL /tiny/domain/uniqueiD,
+ then the LTI number, type (c or d), and tiny URL will be saved as the
+ linkprot item in a token file.
  =back
- Line 75  use LONCAPA qw(:DEFAULT :match);
+ Line 218  use LONCAPA qw(:DEFAULT :match);
  sub handler {
      my $r = shift;
-     my $target = '/adm/sso';
+     my $ssourl = '/adm/sso';
+     if ($r->dir_config('lonOtherAuthenUrl') ne '') {
+         $ssourl = $r->dir_config('lonOtherAuthenUrl');
+     }
+     my $target = $ssourl;
      if (&Apache::lonnet::get_saml_landing()) {
          $target = '/adm/login';
      }
-     if (($r->user eq '') && ($r->uri ne $target) && ($r->uri ne '/adm/sso')) {
+     if (($r->user eq '') && ($r->uri ne $target) && ($r->uri ne $ssourl)) {
          my $lonhost = $Apache::lonnet::perlvar{'lonHostID'};
          my $hostname = &Apache::lonnet::hostname($lonhost);
          if (!$hostname) { $hostname = $r->hostname(); }
- Line 87  sub handler {
+ Line 234  sub handler {
          unless ($protocol eq 'https') { $protocol = 'http'; }
          my $alias = &Apache::lonnet::use_proxy_alias($r,$lonhost);
          if (($alias ne '') &&
-             (&Apache::lonnet::alias_shibboleth($lonhost))) {
+             (&Apache::lonnet::alias_sso($lonhost))) {
              $hostname = $alias;
          }
          my $dest = $protocol.'://'.$hostname.$target;

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>

Removed from v.1.12
changed lines
	Added in v.1.14