2.5. Authentication

OnTask comes with the following authentication mechanisms: IMS-LTI, REMOTE_USER variable, basic authentication, and LDAP. The first three (IMS-LTI, REMOTE_USER and basic authentication) are enabled by default and used in that order whenever an unauthenticated request is received. A brief description of how to configure them follows.

  • IMS Learning Tools Interoperability (IMS-LTI). LTI is a standard developed by the IMS Global Learning Consortium to integrate multiple tools within a learning environment. In LTI terms, OnTask is configured to behave as a tool provider and assumes a tool consumer such as a Learning Management System to invoke its functionality. Any URL in OnTask can be given to the LTI consumer as the point of access.

    OnTask only provides two points of access for LTI requests coming from the consumer. One is the URL with suffix /lti_entry and the second is the URL provided by the actions to serve the personalized content (accessible through the Actions menu).

    To allow LTI access you need:

    1. A tool consumer that can be configured to connect with OnTask. This type of configuration is beyond the scope of this manual.

    2. A set of key/value pairs in OnTask to be given to the tool consumers so that, together with the URL, they are ready to send the requests. The key/value pairs need to be included as an additional variable in the file local.env in the folder settings together with other local configuration variables. For example,

      LTI_OAUTH_CREDENTIALS=key1=secret1,key2=secret2
      
    3. OnTask needs to identify those roles from the external tool mapped to the instructor role. This mapping is provided through a list of those roles in the following configuration variable:

      LTI_INSTRUCTOR_GROUP_ROLES=Instructor
      

    If you change the values of these variables, you need to restart the server so that the new values take effect. This authentication has only basic functionality and is assumed to be used only for learners (not for instructors).

  • REMOTE_USER. The second method uses the variable REMOTE_USER that is assumed to be defined by an external application. This method is ideal for environments in which users are already authenticated and are redirected to the OnTask pages (for example, using SAML). If OnTask receives a request from a non-existent user through this channel, it automatically and transparently creates a new user in the platform with the user name stored in the REMOTE_USER variable. OnTask relies on emails to identify different user names, so if you plan to use this authentication method make sure the value of REMOTE_USER is the email.

    Additionally, this mode of authentication will be enforced in all requests reaching OnTask. However, this configuration prevents the recording of email reads. Read the section Email Configuration to configure the server so that this functionality works properly.

  • Basic authentication. If the variable REMOTE_USER is not set in the internal environment of Django where the web requests are served, OnTask resorts to conventional authentication requiring email and password. These credentials are stored in the internal database managed by OnTask.
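For the LTI_OAUTH_CREDENTIALS variable described under IMS-LTI above, the following added example (not part of OnTask) parses the `key=secret` list and reports entries that still carry the documentation placeholders, are short, or share a secret between consumers. The placeholder list, the 32-character minimum and the function names are assumptions of this example.

```python
import secrets

# Values that are documentation placeholders (constructed list, extend as needed).
PLACEHOLDER_SECRETS = {"secret", "secret1", "secret2", "changeme", "password"}
MIN_SECRET_LEN = 32  # assumed local policy, not an OnTask requirement


def parse_lti_credentials(value):
    """Split 'key1=secret1,key2=secret2' into a dict, rejecting malformed pairs."""
    creds = {}
    for item in filter(None, (part.strip() for part in value.split(","))):
        key, sep, secret = item.partition("=")
        if not sep or not key or not secret:
            raise ValueError(f"malformed pair: {item!r}")
        if key in creds:
            raise ValueError(f"duplicate consumer key: {key!r}")
        creds[key] = secret
    return creds


def audit_lti_credentials(value):
    """Return a list of findings for an LTI_OAUTH_CREDENTIALS value."""
    creds = parse_lti_credentials(value)
    findings = [] if creds else ["no credentials defined"]
    first_owner = {}  # secret -> first consumer key that used it
    for key, secret in creds.items():
        if secret.lower() in PLACEHOLDER_SECRETS:
            findings.append(f"{key}: placeholder secret")
        elif len(secret) < MIN_SECRET_LEN:
            findings.append(f"{key}: secret shorter than {MIN_SECRET_LEN} characters")
        if secret in first_owner:
            findings.append(f"{key}: secret shared with {first_owner[secret]}")
        first_owner.setdefault(secret, key)
    return findings


def new_lti_pair(consumer_key):
    """Build one key=secret entry with a random 256-bit secret."""
    # token_urlsafe never emits ',' or '=', so the entry stays parseable.
    return f"{consumer_key}={secrets.token_urlsafe(32)}"


if __name__ == "__main__":
    sample = "key1=secret1,key2=secret2"  # the example value from the page
    print(audit_lti_credentials(sample))
    print(audit_lti_credentials(new_lti_pair("lms-prod")))
```
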

The API can be accessed through token authentication. The token can be generated manually through the user profile page. This type of authentication may need some special configuration in the web server (Apache or similar) so that the HTTP_AUTHORIZATION header is not removed.

2.5.1. LDAP Authentication

OnTask may also be configured to use LDAP to authenticate users. This is done through the external package django-auth-ldap. In its current version, this authentication mode cannot be combined with the previous ones (this requires some non-trivial code changes). The following instructions describe the basic configuration to enable LDAP authentication. For more details check the documentation of the django-auth-ldap module.

  • Stop OnTask (if it is running)

  • Make sure your server has the development files for OpenLDAP installed. In Debian/Ubuntu, the required packages are:

    libsasl2-dev python-dev libldap2-dev libssl-dev
    

    In RedHat/CentOS:

    python-devel openldap-devel
    
  • Install the module django-auth-ldap

  • Edit the configuration file local.env and add the following two variable definitions:

    AUTH_LDAP_SERVER_URI=[uri pointing to your ldap server]
    AUTH_LDAP_PASSWORD=[Password to connect to the server]
    
  • Edit the file settings/base.py and uncomment the lines that import the ldap library (import ldap) and the lines that import three methods from the django_auth_ldap.config module (LDAPSearch, GroupOfNamesType and LDAPGroupQuery)

  • Locate the section in the file settings/base.py that contains the variables to configure LDAP AUTHENTICATION.

  • Uncomment the ones needed for your configuration. Make sure all the information is included to connect to the server, perform the binding, search, and if needed, assign fields to user and group attributes.

  • Locate the variable AUTHENTICATION_BACKENDS in the same file.

  • Comment out the lines referring to the back-ends LTIAuthBackend and RemoteUserBackend.

  • Uncomment the line referring to LDAPBackend.

  • Make sure the LDAP server contains the data about the users in the right format.

  • Start the OnTask server.
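A check to run over the resulting values before the final restart, added here as an example and not taken from OnTask: it reports a back-end list that still mixes LDAP with LTIAuthBackend or RemoteUserBackend, an empty bind password, and an ldap:// URI used without StartTLS. AUTH_LDAP_START_TLS is a django-auth-ldap setting not mentioned on this page; the function name, host names and dotted module paths in the samples are constructed.

```python
from urllib.parse import urlparse

# Back-end class names as given on the page; LDAP cannot be combined with these.
EXCLUSIVE_WITH_LDAP = ("LTIAuthBackend", "RemoteUserBackend")


def audit_ldap_settings(settings):
    """Return findings for a dict of the LDAP-related settings values."""
    findings = []
    scheme = urlparse(settings.get("AUTH_LDAP_SERVER_URI", "")).scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        findings.append("AUTH_LDAP_SERVER_URI is missing or not an LDAP URI")
    elif scheme == "ldap" and not settings.get("AUTH_LDAP_START_TLS", False):
        findings.append("ldap:// without AUTH_LDAP_START_TLS sends passwords in clear text")
    if not settings.get("AUTH_LDAP_PASSWORD"):
        findings.append("AUTH_LDAP_PASSWORD is empty")
    # Compare on the class name so the check does not depend on module paths.
    names = [b.rsplit(".", 1)[-1] for b in settings.get("AUTHENTICATION_BACKENDS", [])]
    if "LDAPBackend" not in names:
        findings.append("LDAPBackend is not enabled")
    findings += [f"{n} is still enabled alongside LDAP" for n in EXCLUSIVE_WITH_LDAP if n in names]
    return findings


# Constructed sample values (host names and dotted paths are illustrative).
HALF_MIGRATED = {
    "AUTH_LDAP_SERVER_URI": "ldap://ldap.example.org",
    "AUTH_LDAP_PASSWORD": "constructed-bind-password",
    "AUTHENTICATION_BACKENDS": [
        "django_auth_lti.backends.LTIAuthBackend",
        "django.contrib.auth.backends.RemoteUserBackend",
        "django_auth_ldap.backend.LDAPBackend",
    ],
}
FINISHED = {
    "AUTH_LDAP_SERVER_URI": "ldaps://ldap.example.org",
    "AUTH_LDAP_PASSWORD": "constructed-bind-password",
    "AUTHENTICATION_BACKENDS": ["django_auth_ldap.backend.LDAPBackend"],
}

if __name__ == "__main__":
    for label, cfg in (("half-migrated", HALF_MIGRATED), ("finished", FINISHED)):
        print(label, audit_ldap_settings(cfg))
```
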