The procedure for enabling institutional Single Sign On (SSO) via a central authentication service (CAS) that is not Shibboleth involves building or installing a CAS Apache module. That module might be a home-grown CAS-type module provided by your institution, or it might be the standard mod_auth_cas module, available from the Apereo CAS project (see: https://github.com/apereo/mod_auth_cas ). In addition, you will need to modify the Apache configuration for your LON-CAPA server to (a) load the module, and (b) configure LON-CAPA to use it, by default, when unauthenticated users access /adm/roles.
If your server will be part of the cluster of collaborating institutions, it is possible that users from other LON-CAPA domains might visit your server to log-in to LON-CAPA. To support that possibility, it is recommended that the CAS log-in page includes a link to point back at /adm/login on your LON-CAPA server, and the link is identified as one to be followed by users from other domains. See: https://loncapa.msu.edu/adm/roles, for an example.
In order for Apache to use your CAS system you need to set the PerlVar lonOtherAuthen to yes, and provide the default domain for SSO users and the authentication type (i.e., the name of your CAS).
PerlSetVar lonOtherAuthen yes PerlSetVar lonOtherAuthenType CAS PerlSetVar lonSSOUserDomain <dom> LoadModule auth_cas_module modules/mod_auth_cas.so
where < dom > is your domain, and mod_auth_cas.so is the name of the CAS shared object. You might put the config file (cas.conf) in: /etc/httpd/conf.d/ (CentOS/Red Hat/Scientific Linux), or in /etc/apache2/conf.d/ (SuSE/SLES) or /etc/apache2/conf-available (Ubuntu, and enabled with: sudo a2enconf).
Add a file to your Apache conf directory named loncapa_apache_local < dom > .conf, where < dom > is domain, to include items such as:
PerlSetVar lonSSOUserLogoutHeadFile_<dom> /home/httpd/html/adm/sso_logout_head PerlSetVar lonSSOUserLogoutMessageFile_<dom> /home/httpd/html/adm/sso_logout_body PerlSetVar lonSSOUserUnknownRedirect /adm/sso_failed_login.html PerlSetVar lonSSOReloginServer https://somehost.somewhere.edu
and add the corresponding files owned by www:www in /home/httpd/html/adm/
Notes:
If the name of the PerlVar ends _ < dom > then the HTML fragment is only displayed to SSO users from that particular domain. It is possible that a LON-CAPA user from another domain might have used SSO authentication on a server in his/her home domain, and then switched session to your server, (e.g., for co-author access to an Authoring Space in your domain). In that particular case, if you wanted to display custom HTML, you should add a PerlVar with a name ending in _ < otherdom > . If you include PerlVars for lonSSOUserLogoutHeadFile and/or lonSSOUserLogoutMessageFile they will be included for SSO users who use the Logout link on your LON-CAPA regardless of the user's domain.