Advanced Configuration Topics
This document covers advanced topics that may be of use in supporting and growing your Sakai installation.
For information about Sakai's web services implementation, please visit:
- Web Services Documentation
- Assessment Web Services
- Announcement Web Services
- Content Hosting Web Services
- Web Services with Apache Axis
- CHS Web Services
For a good body of working examples, take a look at the Web services scripts available in the contrib space:
User Directory, Authentication, and Authorization Providers
A number of institutions have created providers to allow a Sakai install to authenticate and authorize users based on the contents of an external service. This section provides links to some of the documentation for the most commonly supported Auth/Auth mechanisms.
- The Enterprise Working Group's LDAP Page
- The SakaiPedia Ldap Integration Page
- The Stanford KerberosLdap provider
- A Presentation Regarding Integrating Sakai with LDAP that David Ross presented in Vancouver
- Steve Swinsburg's notes on CAS Integration
- Enterprise Working Group CAS Integration Page (older)
SakaiPortalLogin Web Service
The SakaiPortalLogin Web service allows a user who has been authenticated in a trusted external system (in most cases a portal) to get into Sakai without having to log in again. Sometimes described as Single Sign On (SSO), this lets a user move seamlessly from the external system into Sakai without having to log in twice. To set this up, use the following procedure:
1) Enable Sakai Web Services by adding the following entry to sakai.properties (by default Sakai Web Services are disabled):
- Indicates whether or not we allow web-service logins
1) Add the following entry in your sakai.properties file:
webservice.portalsecret = somePassword
This portalsecret is shared by Sakai and your trusted external system. When the trusted external system passes it to Sakai, Sakai knows that the Web service request is coming from a trusted server.
2) In your trusted external system (e.g. your portal), code a call to the SakaiPortalLogin Web service that communicates with Sakai after the user has authenticated into the external system. Here is an example written in ColdFusion:
<cfinvoke webservice="http://#request.SakaiURL#/sakai-axis/SakaiPortalLogin.jws?wsdl" method="login" returnVariable="returnCode">
<cfinvokeargument name="id" value="the_User's_unique_identifier_in_Sakai"/>
<cfinvokeargument name="pw" value="the_portalSecret"/>
</cfinvoke>
If Sakai accepts the user's id and the portalsecret passed by the SakaiPortalLogin call, it will return a session (in the above ColdFusion example that session is contained in the variable "returnCode").
3) Add the following link to a Web page in the external system:
<a href="http://#request.SakaiURL#/portal?sakai.session=#returnCode#">SSO to Sakai</a>
Modify the above link so that the sakai.session parameter contains the session returned by your SakaiPortalLogin Web service.
When the user clicks on the above link they get into Sakai through single-sign-on (SSO)!
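Steps 2 and 3 from a Python portal, as an added example that is not part of the original page or of Sakai's own code: it builds the SOAP request for login(id, pw), extracts the returned session, and URL-encodes it into the sakai.session link, refusing any Sakai URL that is not https so the portalsecret is never sent in the clear. The loginReturn element name and the SAMPLE_REPLY bytes are assumptions made for illustration.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
# Constructed sample of a reply, for offline use (not captured from a real server).
SAMPLE_REPLY = (f'<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}"><soapenv:Body><loginResponse>'
                f'<loginReturn>constructed-session-0001</loginReturn>'
                f'</loginResponse></soapenv:Body></soapenv:Envelope>').encode("utf-8")

def endpoint(sakai_base):
    """SakaiPortalLogin URL; refuse plaintext HTTP so the portalsecret cannot be overheard."""
    parts = urllib.parse.urlsplit(sakai_base)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("portalsecret must only be sent over https")
    return sakai_base.rstrip("/") + "/sakai-axis/SakaiPortalLogin.jws"

def build_login_request(user_id, portal_secret):
    """SOAP 1.1 envelope for login(id, pw); both values are XML-escaped."""
    return (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}"><soapenv:Body><login>'
            f'<id>{escape(user_id)}</id><pw>{escape(portal_secret)}</pw>'
            f'</login></soapenv:Body></soapenv:Envelope>').encode("utf-8")

def parse_login_response(xml_bytes):
    """Return the session id, or raise if the reply is a SOAP fault."""
    root = ET.fromstring(xml_bytes)
    fault = root.find(f".//{{{SOAP_ENV}}}Fault")
    if fault is not None:
        raise PermissionError(fault.findtext("faultstring", "login rejected"))
    for el in root.iter():
        # Assumption: the return value is carried in an element named "loginReturn".
        if el.tag.rsplit("}", 1)[-1] == "loginReturn" and el.text:
            return el.text.strip()
    raise ValueError("no session in response")

def sso_link(sakai_base, session_id):
    """Step 3 link, with the session URL-encoded into the sakai.session parameter."""
    query = urllib.parse.urlencode({"sakai.session": session_id})
    return sakai_base.rstrip("/") + "/portal?" + query

def login(sakai_base, user_id, portal_secret):
    """Steps 2 and 3 together: call the web service, return the SSO link."""
    req = urllib.request.Request(
        endpoint(sakai_base), data=build_login_request(user_id, portal_secret),
        headers={"Content-Type": "text/xml; charset=utf-8", "SOAPAction": '""'})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return sso_link(sakai_base, parse_login_response(resp.read()))
```

Load the portalsecret from the portal's own protected configuration rather than hard-coding it next to this code.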
Note 1: SakaiPortalLogin requires Sakai to have accounts that are identified using an identifier that matches the id passed by the SakaiPortalLogin Web service. You can pre-load these accounts using Sakai Web services or you can add them on the fly using Web services.
Note 2: Make sure your trusted external system and Sakai communicate in ways that can't be overheard – otherwise somebody might be able to figure out what the portalSecret is.
Note 3: If you want Sakai users to exclusively navigate (and authenticate) into Sakai through the external portal you can configure Sakai so that the top login on Sakai links to the external system. To do this set the following parameters in sakai.properties:
Admins can still log into Sakai directly by going to