# HG changeset patch
# User Sebastien Jodogne <s.jodogne@gmail.com>
# Date 1761384733 -7200
# Node ID 76bc30dfeeb51d7f23d39b549c2705d07911e495
# Parent  d2755c9d4c474f76db0e9371390ae338c7126fe6
cont

diff -r d2755c9d4c47 -r 76bc30dfeeb5 Sphinx/source/plugins/education.rst
--- a/Sphinx/source/plugins/education.rst	Fri Oct 24 18:13:36 2025 +0200
+++ b/Sphinx/source/plugins/education.rst	Sat Oct 25 11:32:13 2025 +0200
@@ -148,17 +148,37 @@
 
 The way the Education plugin authenticates administrators and standard
 users is specified in the :ref:`configuration file of Orthanc
-<configuration>`. The following authentication mechanisms are
+<configuration>`. The authentication process for administrators can
+differ from the one used for standard users. As of release 1.0 of the
+Education plugin, the following authentication mechanisms are
 available:
 
 * **Login**. In this case, the Education plugin displays a login page
   where the user can enter their credentials, which are specified in
-  the configuration file.
+  the configuration file. Internally, after a successful login, user
+  information is stored as a `JWT
+  <https://en.wikipedia.org/wiki/JSON_Web_Token>`__ session cookie
+  named ``orthanc-education-user``.
+
+* **HTTP headers**. In this case, the user identity is determined by
+  the presence of a specific HTTP header, specified in the
+  ``AuthenticationHttpHeader`` configuration option. This approach can
+  be used in the standalone mode of operation, when `single sign-on
+  (SSO) <https://en.wikipedia.org/wiki/Single_sign-on>`__ is
+  implemented within an institution. At UCLouvain, this authentication
+  mode has been validated with `Shibboleth
+  <https://en.wikipedia.org/wiki/Shibboleth_(software)>`__ in
+  combination with the ``libapache2-mod-shib`` module, with Apache
+  acting as a :ref:`reverse proxy <apache>`. Two options are available
+  for header-based authentication:
+
+  * **Restricted**:
+
+  * **Unrestricted**:
 
 
 
-
-
+Precedence of cookies
 
 Labels