Features & Development

IMS LTI Basic package now available

by William Wheeler -
Number of replies: 0

A group of modules that implements the IMS LTI Basic (1.0) authentication protocol for WeBWorK is now available. For details, please see the wiki page http://webwork.maa.org/wiki/LTI-Basic_Authentication .

In addition to implementing LTI Basic, the Authen.pm module has been enhanced in several ways. First, the module can now handle a sequence of authentication hashes, in which each module can, in turn, be queried as to whether it can handle a particular incoming request. This makes it possible for a site to use several alternative, external authentication methods with the option of falling back to WeBWorK's basic password authentication if none of the external authentication modules can handle the request. For instance, here at Indiana University, Bloomington, we use a sequence of the form (LTIBasic, IU-CAS, Basic), where LTIBasic handles authentications from IU's Oncourse/Sakai course management system for students, TAs, and instructors; IU-CAS handles logins from WeBWorK administrators using IU's Central Authentication System; and Basic handles ongoing session management using session cookies.

This new capability simplifies the implementation of new, external authentication modules, because a new module need only provide the methods to process the initial login request and can then fall back to other modules to handle ongoing session management.

The revised Authen.pm is backwards compatible and will accept a single authentication hash or just the name of an authentication module as heretofore.

Second, Authen.pm has been modified to support session management either via session cookies or via the Key database (the existing option). Using session cookies obviates the need to acquire a write lock on the Key database for each request in order to update the timestamp in the Key database. Whether session management is done via session cookies or the Key database is determined by the value of the environment variable $session_management_via, which can be set in global.conf or in course.conf. The options are:

$session_management_via="session_cookie"
$session_management_via="key"

If one is using a sequence of authentication modules and one wishes to suppress WeBWorK's basic password authentication, then one should set $external_auth=1 in global.conf or course.conf, because with a sequence of authentication modules one cannot rely upon $authen->{external_auth} being set by a particular authentication module.

For more information, please see the aforementioned wiki page, the new sections in global.conf.dist, and the new and revised program modules.
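
The dispatch order and the effect of $external_auth described in this post can be modelled as follows. This is an added example, not code from Authen.pm or from the post's author: the request fields, the secrets and the can_handle/verify interface are hypothetical, and the IU-CAS step is left out of the sequence.

```perl
use strict;
use warnings;

# Model only: module names follow the post; request fields, secrets and the
# can_handle/verify interface are hypothetical, not WeBWorK's API.
my $external_auth = 1;    # 1 = suppress password login, as the post advises

my %modules = (
    LTIBasic => {
        can_handle => sub { exists $_[0]{oauth_signature} },
        verify     => sub { $_[0]{oauth_signature} eq 'constructed-valid-sig' },
    },
    Basic => {
        # Session cookies are always handled; passwords only when
        # external authentication is not enforced.
        can_handle => sub {
            my $r = shift;
            return 1 if exists $r->{session_cookie};
            return !$external_auth && exists $r->{passwd};
        },
        verify => sub {
            my $r = shift;
            return $r->{session_cookie} eq 'constructed-session'
                if exists $r->{session_cookie};
            return $r->{passwd} eq 'constructed-password';
        },
    },
);

# Ask each module in order; the first one that claims the request decides.
sub authenticate {
    my ($sequence, $request) = @_;
    for my $name (@$sequence) {
        my $m = $modules{$name} or die "unknown module: $name\n";
        next unless $m->{can_handle}->($request);
        return $m->{verify}->($request) ? "accepted by $name" : "rejected by $name";
    }
    return 'rejected: no module handles this request';
}

my @sequence = ('LTIBasic', 'Basic');
my @requests = (    # constructed sample requests
    { oauth_signature => 'constructed-valid-sig' },    # LTI launch
    { oauth_signature => 'forged' },                   # bad launch, no fall-through
    { session_cookie  => 'constructed-session' },      # ongoing session
    { passwd          => 'constructed-password' },     # password login
);
print authenticate(\@sequence, $_), "\n" for @requests;
```

With $external_auth set to 1 the password request is claimed by no module and is rejected; setting it to 0 lets the Basic step accept it.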