--- loncom/html/adm/help/tex/Institutional_Integration_Shibboleth.tex 2014/09/07 13:12:00 1.1
+++ loncom/html/adm/help/tex/Institutional_Integration_Shibboleth.tex 2021/12/17 21:36:24 1.6
@@ -16,11 +16,9 @@ To configure a LON-CAPA server as a Shib
\end{itemize}
Although Shibboleth can be built on any 32 or 64 bit Linux distro on which LON-CAPA is supported,
-official packages are available from http://shibboleth.net for: Red Hat/CentOS 5, 6 and 7,
-SLES 10 & 11, and openSuSE 12.1, 12.2, and 12.3.
-In addition, http://www.switch.ch provides a repository from which shibboleth packages
-may be obtained for Ubuntu 12.04 LTS and 14.04 LTS.
-
+official packages are available via http://shibboleth.net for: Red Hat/CentOS 5, 6, 7, and 8,
+and SLES 11, and 12. For SLES 12 and 15 shibboleth is available from suse.com, and for Ubuntu,
+Shibboleth packages are available from standard repos for Ubuntu 14.04, 16.04, 18.04 and 20.04.
\begin{enumerate}
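Review bot: the rewritten OS list in the second added line reads `and SLES 11, and 12. For SLES 12 and 15 shibboleth is available from suse.com`, which has a stray comma and lists SLES 12 under both shibboleth.net and suse.com; suggest `and SLES 11 and 12. For SLES 12 and 15 Shibboleth is also available from suse.com` (capitalising Shibboleth as elsewhere in the paragraph), or dropping 12 from one of the two lists so readers know which source the SLES 12 SP5 instructions later in this patch rely on.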
@@ -29,38 +27,33 @@ may be obtained for Ubuntu 12.04 LTS and
See:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxInstall
-Shibboleth repos for RPM-based Linux distros can be found at:
-
-http://download.opensuse.org/repositories/security:/shibboleth/
+For Red Hat/CentOS the text to include in a shibboleth.repo file to be placed in
+/etc/yum.repos.d can be generated at:
+https://shibboleth.net/downloads/service-provider/RPMS/
-Red Hat/CentOS -- add shibboleth.repo to /etc/yum.repos.d
-
-e.g., CentOS 5
+e.g., CentOS 6
\begin{verbatim}
-
-[security_shibboleth]
-name=Shibboleth (CentOS_5)
+[shibboleth]
+name=Shibboleth (CentOS_CentOS-6)
type=rpm-md
-baseurl=http://download.opensuse.org/repositories/security:/shibboleth/CentOS_5/
+mirrorlist=https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_CentOS-6
gpgcheck=1
-gpgkey=http://download.opensuse.org/repositories/security:/shibboleth/CentOS_5/
-repodata/repomd.xml.key
+gpgkey=https://shibboleth.net/downloads/service-provider/RPMS/repomd.xml.key
+ https://shibboleth.net/downloads/service-provider/RPMS/cantor.repomd.xml.key
enabled=1
\end{verbatim}
-e.g., CentOS 6
+e.g., CentOS 7
\begin{verbatim}
-
-[security_shibboleth]
-name=Shibboleth (CentOS_6)
+[shibboleth]
+name=Shibboleth (CentOS_7)
type=rpm-md
-baseurl=http://download.opensuse.org/repositories/security:/shibboleth/
-CentOS_CentOS-6/
+mirrorlist=https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_7
gpgcheck=1
-gpgkey=http://download.opensuse.org/repositories/security:/shibboleth/
-CentOS_CentOS-6/repodata/repomd.xml.key
+gpgkey=https://shibboleth.net/downloads/service-provider/RPMS/repomd.xml.key
+ https://shibboleth.net/downloads/service-provider/RPMS/cantor.repomd.xml.key
enabled=1
\end{verbatim}
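Review bot: the first example in this hunk is retargeted from CentOS 5 to CentOS 6 (`e.g., CentOS 6`, `name=Shibboleth (CentOS_CentOS-6)`), but CentOS 6 left vendor support in November 2020, before the date of this change, and the intro paragraph now lists CentOS 8 as supported; suggest using 7 and 8 as the two worked examples, or labelling the CentOS 6 stanza as legacy. Also worth one sentence beside the stanzas: `gpgcheck=1` with `gpgkey=https://shibboleth.net/downloads/service-provider/RPMS/repomd.xml.key` fetches the signing key from the same site as the mirrorlist, so readers should compare the key fingerprint with the project's published value before the first `yum install` rather than relying on the download alone.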
@@ -69,7 +62,7 @@ Then do:
yum install shibboleth
\end{verbatim}
-SLES/openSuSE:
+SLES:
e.g. SLES 11 SP3:
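Review bot: the heading is narrowed from `SLES/openSuSE:` to `SLES:`, but the first example kept under it is still `e.g. SLES 11 SP3:`, and SLES 11 general support ended in 2019; either drop it in favour of the SLES 12 and 15 examples added in the next hunk or mark it as legacy. Minor: the SLES examples use `e.g.` while the CentOS and Ubuntu ones use `e.g.,`; pick one form.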
@@ -80,26 +73,23 @@ zypper refresh
zypper install shibboleth
\end{verbatim}
-e.g. SuSE 12.3
+e.g. SLES 12 SP5
+
\begin{verbatim}
-zypper addrepo http://download.opensuse.org/repositories/security:shibboleth/
-openSUSE_12.3/security:shibboleth.repo
-zypper refresh
-zypper install shibboleth
+SUSEConnect -p SLES/12.5/x86_64 -r
+zypper install shibboleth-sp-2.5.5-6.6.1
\end{verbatim}
-e.g., Ubuntu 12.04LTS
+e.g., SLES 15 SP4
+\begin{verbatim}
+SUSEConnect -p sle-module-server-applications/15.4/x86_64
+zypper install shibboleth-sp-3.1.0-3.3.1
+\end{verbatim}
-See: https://www.switch.ch/aai/docs/shibboleth/SWITCH/2.5/sp/deployment/?os=ubuntu
+e.g., Ubuntu 20.04LTS
\begin{verbatim}
-sudo apt-get install curl
-sudo curl -k -O http://pkg.switch.ch/switchaai/SWITCHaai-swdistrib.asc
-sudo apt-key add SWITCHaai-swdistrib.asc
-echo 'deb http://pkg.switch.ch/switchaai/ubuntu precise main' |
-sudo tee /etc/apt/sources.list.d/SWITCHaai-swdistrib.list $>$ /dev/null
-sudo apt-get update
-sudo apt-get install shibboleth
+sudo apt install --install-recommends shibboleth
\end{verbatim}
The following directories will have now been created:
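Review bot: the SLES 12 SP5 line `SUSEConnect -p SLES/12.5/x86_64 -r` is incomplete: `-r` is the registration-code option and takes a value, so the command as written fails option parsing; supply a placeholder such as `-r <REGCODE>` or drop `-r` when the system is already registered. The two `zypper install` lines pin exact builds (`shibboleth-sp-2.5.5-6.6.1`, `shibboleth-sp-3.1.0-3.3.1`); a pinned build stops tracking the patched package the module ships, and the 2.x SP line is end-of-life upstream, so `zypper install shibboleth-sp` plus a note on the minimum acceptable version would serve readers better. For Ubuntu 20.04, please confirm that a package literally named `shibboleth` exists in the standard repos now that the SWITCH repository, which supplied that metapackage, is gone; Ubuntu's own packaging exposes `libapache2-mod-shib` and `shibboleth-sp-utils`. Good to see the `curl -k` fetch of the SWITCH signing key removed.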
@@ -247,7 +237,26 @@ either the value of the PerlVar lonSSOUs
If the attribute used for REMOTE\_USER is in the form: username@somewhere.edu, and somewhere.edu is
the ``internet domain'' (i.e., the last item in the colon separated list of entries for your server
in /home/httpd/lonTabs/hosts.tab), then LON-CAPA will automatically remove the @somewhere.edu, such
-that \$r-$>$user will be just username.
+that \$r-$>$user will be just username, unless the value of the PerlVar lonSSOEmailOK is 1.
+
+By default, with mod\_shib installed and configured, and shibd running, then entries in LON-CAPA's
+Apache config file: loncapa_apache.conf will result in display of an authentication
+prompt when a user without a current LON-CAPA session accesses /adm/roles. If it is preferred
+to display /adm/login configured to offer dual SSO log-in (Shibboleth), and non-SSO login
+(LON-CAPA), set this using the Domain Configuration available to a Domain Coordinator via the web GUI:
+Main Menu $>$ Set domain configuration $>$ Display ("Log-in page options" checked).
+For any of the LON-CAPA domain's servers which will offer dual login check "Yes" and then set:
+
+\begin{itemize}
+\item SSO: Text, Image, Alt Text, URL, Tool Tip
+\item non-SSO: Text
+\end{itemize}
+
+The value in the URL field should be /adm/sso, and the image will be for a button to be clicked
+to load /adm/sso to prompt for Shibboleth authentication. The alt and title attributes for the
+button can also be set. Above the button there will be the text: "Log-in type: " followed by
+the text entered in the SSO configuration for ``Text''. Below that will be a ``Change'' link
+used to toggle between SSO and non-SSO log-in panels.
\item Add a custom Apache config file to include some PerlVars (for logout etc.)
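Review bot: the added line `Apache config file: loncapa_apache.conf will result in display of an authentication` has an unescaped underscore in text mode, which stops the LaTeX build (this file writes `mod\_shib` and `REMOTE\_USER` elsewhere); change it to `loncapa\_apache.conf`. In the same paragraph, the straight quotes in `Display ("Log-in page options" checked)` and `check "Yes"` should be the ``...'' pairs used for ``Text'' and ``Change'' a few lines later. The new clause `unless the value of the PerlVar lonSSOEmailOK is 1` introduces a PerlVar that the custom Apache config example later in this patch does not list; a one-line entry there, or a sentence saying it keeps the @somewhere.edu suffix in \$r-$>$user, would make it discoverable.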
@@ -255,8 +264,8 @@ Add a file to your Apache conf directory
is domain, to include items such as:
\begin{verbatim}
-PerlSetVar lonSSOUserLogoutMessageFile
-/home/httpd/html/adm/sso_logout_link_html_frag
+PerlSetVar lonSSOUserLogoutHeadFile_/home/httpd/html/adm/sso_logout_head
+PerlSetVar lonSSOUserLogoutMessageFile_ /home/httpd/html/adm/sso_logout_body
PerlSetVar lonSSOUserUnknownRedirect /adm/sso_failed_login.html
PerlSetVar lonSSOUserDomain
\end{verbatim}
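Review bot: both added PerlSetVar lines look wrong. `PerlSetVar lonSSOUserLogoutHeadFile_/home/httpd/html/adm/sso_logout_head` has no space between the variable name and the path, so Apache sees one argument and rejects the directive (PerlSetVar takes two), and `PerlSetVar lonSSOUserLogoutMessageFile_ /home/httpd/html/adm/sso_logout_body` leaves a trailing underscore on the name, so the domain-independent lookup described in the notes that follow will not match it. Given the later note that a name ending `\_<dom>` restricts the fragment to one domain, the example should show either the bare names (`lonSSOUserLogoutHeadFile /home/...`) or an explicit `_<dom>` suffix, not a mix of the two.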
@@ -266,9 +275,19 @@ and add the corresponding files owned by
Notes:
\begin{enumerate}
\item
-Both files contain HTML mark-up, but the logout link is just a fragment which will
-be inserted into the standard LON-CAPA logout page, whereas the sso\_failed\_login.html file
-should be a complete HTML document.
+All files will contain HTML mark-up, but the sso\_logout\_head item is a fragment
+inserted into the head block of the standard LON-CAPA logout page, and similarly,
+the sso\_logout\_body is a fragment inserted into the body of the page,
+whereas the sso\_failed\_login.html file should be a complete HTML document.
+
+If the name of the PerlVar ends \_$<$dom$>$ then the HTML fragment is only displayed
+to SSO users from that particular domain. It is possible that a LON-CAPA user from another
+domain might have used SSO authentication on a server in his/her home domain, and then switched
+session to your server, (e.g., for co-author access to an Authoring Space in your domain).
+In that particular case, if you wanted to display custom HTML, you should add a PerlVar with a
+name ending in \_$<$otherdom$>$. If you include PerlVars for lonSSOUserLogoutHeadFile
+and/or lonSSOUserLogoutMessageFile they will be included for SSO users who use the Logout link
+on your LON-CAPA regardless of the user's domain.
\item
SAML 2 Single Logout (SLO) has limited support starting with IdP's running Shibboleth 2.4.
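Review bot: the rewritten note explains the `\_<dom>` suffix but not precedence: when a server sets both `lonSSOUserLogoutHeadFile` and `lonSSOUserLogoutHeadFile\_<dom>`, the text does not say whether both fragments are inserted or the domain-specific one wins; one sentence would settle it. Because these fragments are inserted as raw HTML into the head and body of the logout page shown to every SSO user, it is also worth stating that the files should be owned and writable by the administrator only, not by the web server user.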
@@ -282,7 +301,7 @@ In pre-2.4 Shibboleth2 /etc/shibboleth2.
e.g., https://yourserver/Shibboleth.sso/Logout.
Depending on the availability of SLO support from your institution's IdP you should craft an appropriate
-message to include in sso\_logout\_link\_html\_frag. If you include a link to the URL for a local logout,
+message to include in sso\_logout\_body. If you include a link to the URL for a local logout,
you should indicate that access to other web applications using SSO may continue to be available, even
after logout from the specific SP. If no local logout is provided, then after logout from LON-CAPA,
the web browser needs to be quit, to ensure access to LON-CAPA requires re-authentication.
@@ -303,7 +322,7 @@ instead it can come from a customized ge
\end{enumerate}
-e.g., sso\_logout\_link\_html\_frag
+e.g., sso\_logout\_body
\begin{verbatim}