5322: Add documentation to "install SSO" section. (Possibly this should go
[arvados.git] / doc / install / install-sso.html.textile.liquid
---
layout: default
navsection: installguide
title: Install Single Sign On (SSO) server
...

h2(#dependencies). Install dependencies

Make sure you have "Ruby and Bundler":install-manual-prerequisites-ruby.html installed.

h2(#install). Install SSO server

h3. Get SSO server code and create database

<notextile>
<pre><code>~$ <span class="userinput">cd $HOME</span> # (or wherever you want to install)
~$ <span class="userinput">git clone https://github.com/curoverse/sso-devise-omniauth-provider.git</span>
~$ <span class="userinput">cd sso-devise-omniauth-provider</span>
~/sso-devise-omniauth-provider$ <span class="userinput">bundle install</span>
~/sso-devise-omniauth-provider$ <span class="userinput">RAILS_ENV=production bundle exec rake db:create</span>
~/sso-devise-omniauth-provider$ <span class="userinput">RAILS_ENV=production bundle exec rake db:migrate</span>
</code></pre>
</notextile>

h3. Configure Rails secret

Create a secret:

<notextile>
<pre><code>~/sso-devise-omniauth-provider$ <span class="userinput">cp -i config/initializers/secret_token.rb.example config/initializers/secret_token.rb</span>
~/sso-devise-omniauth-provider$ <span class="userinput">rake secret</span>
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
</code></pre>
</notextile>

Edit @config/initializers/secret_token.rb@ to set @config.secret_token@ to the string produced by @rake secret@.

h3. Configure upstream authentication provider

This will enable users to log in using their existing Google accounts.  If you don't want to use Google for account services, you can also "add accounts manually.":#manual-accounts

<notextile>
<pre><code>~/sso-devise-omniauth-provider$ <span class="userinput">cp -i config/environments/production.rb.example config/environments/production.rb</span>
</code></pre>
</notextile>

Edit @config/environments/production.rb@ to set @config.google_oauth2_client_id@ and @config.google_oauth2_client_secret@.  See "Omniauth Google OAuth2 gem documentation":https://github.com/zquestz/omniauth-google-oauth2 and "Using OAuth 2.0 to Access Google APIs":https://developers.google.com/accounts/docs/OAuth2 for information about using the "Google Developers Console":https://console.developers.google.com to get a Google client id and client secret.

h3(#client). Create arvados-server client

Use @rails console@ to create a @Client@ record that will be used by the Arvados API server.  The values of @app_id@ and @app_secret@ correspond to the @APP_ID@ and @APP_SECRET@ that must be set in "Setting up Omniauth in the API server.":install-api-server.html#omniauth

<notextile>
<pre><code>~/sso-devise-omniauth-provider$ <span class="userinput">rake secret</span>
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
~/sso-devise-omniauth-provider$ <span class="userinput">RAILS_ENV=production bundle exec rails console</span>
:001 &gt; <span class="userinput">c = Client.new</span>
:002 &gt; <span class="userinput">c.name = "joshid"</span>
:003 &gt; <span class="userinput">c.app_id = "arvados-server"</span>
:004 &gt; <span class="userinput">c.app_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"</span>
:005 &gt; <span class="userinput">c.save!</span>
:006 &gt; <span class="userinput">quit</span>
</code></pre>
</notextile>
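
The two @rake secret@ steps above are shown with placeholder output (@zzzz...@ and @xxxx...@). The following added example, which is not part of the Arvados documentation or the SSO server code, checks that the values actually configured for @config.secret_token@ and @app_secret@ are long enough, random-looking and distinct; the function names and the distinct-character threshold are assumptions made for illustration.

```ruby
require 'securerandom'

# Minimum length Rails 3.x enforces for its session secret.
MIN_LENGTH = 30
# Assumed threshold: 128 random hex digits use nearly all 16 symbols,
# while a pasted placeholder such as "zzzz..." uses one.
MIN_DISTINCT_CHARS = 8

# Equivalent of `rake secret`: 64 random bytes as 128 hex digits.
def new_secret
  SecureRandom.hex(64)
end

# secrets: { label => value }. Returns a list of human-readable problems.
def audit_secrets(secrets)
  problems = []
  secrets.each do |label, value|
    value = value.to_s
    if value.length < MIN_LENGTH
      problems << "#{label}: shorter than #{MIN_LENGTH} characters"
    elsif value.chars.uniq.size < MIN_DISTINCT_CHARS
      problems << "#{label}: looks like a placeholder, not random output"
    end
  end
  # secret_token signs the SSO server's cookies; app_secret authenticates
  # the API server. Sharing one value means one leak exposes both.
  secrets.group_by { |_, value| value.to_s }.each do |value, pairs|
    next if pairs.size < 2 || value.empty?
    problems << "#{pairs.map(&:first).join(', ')}: same value reused"
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not real secrets.
  copied = { 'secret_token' => 'z' * 56, 'app_secret' => 'x' * 56 }
  puts audit_secrets(copied)
  fresh = { 'secret_token' => new_secret, 'app_secret' => new_secret }
  puts audit_secrets(fresh).empty? ? 'fresh secrets: ok' : 'fresh secrets: problems'
end
```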

h2(#manual-accounts). Adding user accounts manually

Instead of relying on an upstream authentication provider such as Google, you can create accounts on the SSO server manually.

<notextile>
<pre><code>~/sso-devise-omniauth-provider$ <span class="userinput">RAILS_ENV=production bundle exec rails console</span>
:001 &gt; <span class="userinput">user = User.new(:email =&gt; "test@example.com")</span>
:002 &gt; <span class="userinput">user.password = "passw0rd"</span>
:003 &gt; <span class="userinput">user.save!</span>
:004 &gt; <span class="userinput">quit</span>
</code></pre>
</notextile>

To log in using a manually created account:

# Go to https://your-sso-server.hostname.com/users/sign_in
# Enter the email address and password and click on "Sign in"
# You will arrive at a page that says "You are now signed in as test@example.com"
# Go to https://workbench.your-arvados-instance.hostname.com/
# Click on the Workbench "Log in" button.
# You should now be logged in to Workbench.  Confirm by looking for the email address displayed in the upper right.

h2. Start the SSO server

h3. Run a simple standalone server

You can use the WEBrick server that is bundled with Ruby to quickly verify that your installation is functioning:

<notextile>
<pre><code>~/sso-devise-omniauth-provider$ <span class="userinput">RAILS_ENV=production bundle exec rails server</span>
</code></pre>
</notextile>

h3. Production environment

As a Ruby on Rails application, the SSO server should be compatible with any Ruby application server that supports Rack applications.  We recommend "Passenger":https://www.phusionpassenger.com/ to run the SSO server in production.