--- loncom/html/adm/help/tex/Institutional_Integration_Shibboleth.tex 2014/09/07 13:12:00 1.1 +++ loncom/html/adm/help/tex/Institutional_Integration_Shibboleth.tex 2015/03/26 16:03:55 1.3 @@ -17,7 +17,7 @@ To configure a LON-CAPA server as a Shib Although Shibboleth can be built on any 32 or 64 bit Linux distro on which LON-CAPA is supported, official packages are available from http://shibboleth.net for: Red Hat/CentOS 5, 6 and 7, -SLES 10 & 11, and openSuSE 12.1, 12.2, and 12.3. +SLES 10 and 11, and openSuSE 12.1, 12.2, and 12.3. In addition, http://www.switch.ch provides a repository from which shibboleth packages may be obtained for Ubuntu 12.04 LTS and 14.04 LTS. @@ -255,8 +255,8 @@ Add a file to your Apache conf directory is domain, to include items such as: \begin{verbatim} -PerlSetVar lonSSOUserLogoutMessageFile -/home/httpd/html/adm/sso_logout_link_html_frag +PerlSetVar lonSSOUserLogoutHeadFile_/home/httpd/html/adm/sso_logout_head_frag +PerlSetVar lonSSOUserLogoutMessageFile_ /home/httpd/html/adm/sso_logout_body_frag PerlSetVar lonSSOUserUnknownRedirect /adm/sso_failed_login.html PerlSetVar lonSSOUserDomain \end{verbatim} 
@@ -266,9 +266,19 @@ and add the corresponding files owned by Notes: \begin{enumerate} \item -Both files contain HTML mark-up, but the logout link is just a fragment which will -be inserted into the standard LON-CAPA logout page, whereas the sso\_failed\_login.html file -should be a complete HTML document. +All files will contain HTML mark-up, but the sso\_logout\_head\_frag item is a fragment +inserted into the head block of the standard LON-CAPA logout page, and similarly, +the sso\_logout\_body\_frag is a fragment inserted into the body of the page, +whereas the sso\_failed\_login.html file should be a complete HTML document. + +If the name of the PerlVar ends \_$<$dom$>$ then the HTML fragment is only displayed +to SSO users from that particular domain. It is possible that a LON-CAPA user from another +domain might have used SSO authentication on a server in his/her home domain, and then switched +session to your server, (e.g., for co-author access to an Authoring Space in your domain). +In that particular case, if you wanted to display custom HTML, you should add a PerlVar with a +name ending in \_$<$otherdom$>$. If you include PerlVars for lonSSOUserLogoutHeadFile +and/or lonSSOUserLogoutMessageFile they will be included for SSO users who use the Logout link +on your LON-CAPA regardless of the user's domain. \item SAML 2 Single Logout (SLO) has limited support starting with IdP's running Shibboleth 2.4.
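Review bot: In the hunk at @@ -255,8 +255,8 @@, the added line `PerlSetVar lonSSOUserLogoutHeadFile_/home/httpd/html/adm/sso_logout_head_frag` has no whitespace between the variable name and the path, so as written the name and the value read as a single token, unlike the `lonSSOUserLogoutMessageFile_` line directly below it. Both added names also end in a bare underscore. Since the notes in the following hunk describe a domain suffix on the name, the example should spell the placeholder out after the underscore, or show the unsuffixed form, so that an administrator copying the block does not set a variable whose name ends in `_` alone.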
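Review bot: The last sentence of the paragraph added in the hunk at @@ -266,9 +266,19 @@ ("If you include PerlVars for lonSSOUserLogoutHeadFile and/or lonSSOUserLogoutMessageFile they will be included ...") does not say that it means the names without a domain suffix, and "they" reads as the PerlVars rather than the HTML fragments. Suggest stating the unsuffixed case explicitly, and saying which fragment is displayed when both a suffixed and an unsuffixed variable apply to the same user. The paragraph also uses "PerlVar" where the verbatim block in the previous hunk uses `PerlSetVar`; one term throughout would be clearer. Minor style: drop the comma before "(e.g.," in "switched session to your server, (e.g.,".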