3 navsection: installguide
4 title: Install Single Sign On (SSO) server
7 h2(#dependencies). Install dependencies
9 h3(#install_ruby_and_bundler). Install Ruby and Bundler
11 {% include 'install_ruby_and_bundler' %}
13 h3(#install_web_server). Set up a Web server
15 For best performance, we recommend you use Nginx as your Web server frontend with a Passenger backend to serve the SSO server. The Passenger team provides "Nginx + Passenger installation instructions":https://www.phusionpassenger.com/library/walkthroughs/deploy/ruby/ownserver/nginx/oss/install_passenger_main.html.
17 Follow the instructions until you see the section that says you are ready to deploy your Ruby application on the production server.
19 h2(#install). Install the SSO server
21 On a Debian-based system, install the following package:
24 <pre><code>~$ <span class="userinput">sudo apt-get arvados-sso-server</span>
28 On a Red Hat-based system, install the following package:
31 <pre><code>~$ <span class="userinput">sudo yum install arvados-sso-server</span>
35 h2(#configure). Configure the SSO server
37 The package has installed three configuration files in @/etc/arvados/sso@:
40 <pre><code>/etc/arvados/sso/application.yml
41 /etc/arvados/sso/database.yml
42 /etc/arvados/sso/production.rb
46 The SSO server runs from the @/var/www/arvados-sso/current/@ directory. The files @/var/www/arvados-sso/current/config/application.yml@, @/var/www/arvados-sso/current/config/database.yml@ and @/var/www/arvados-sso/current/config/environments/production.rb@ are symlinked to the configuration files in @/etc/arvados/sso/@.
48 The SSO server reads the @config/application.yml@ file, as well as the @config/application.defaults.yml@ file. Values in @config/application.yml@ take precedence over the defaults that are defined in @config/application.defaults.yml@. The @config/application.yml.example@ file is not read by the SSO server and is provided for installation convenience only.
50 Consult @config/application.default.yml@ for a full list of configuration options. Local configuration goes in @/etc/arvados/sso/application.yml@, do not edit @config/application.default.yml@.
52 h3(#uuid_prefix). uuid_prefix
54 Generate a uuid prefix for the single sign on service. This prefix is used to identify user records as originating from this site. It must be exactly 5 lowercase ASCII letters and/or digits. You may use the following snippet to generate a uuid prefix:
57 <pre><code>~$ <span class="userinput">ruby -e 'puts "#{rand(2**64).to_s(36)[0,5]}"'</span>
59 </code></pre></notextile>
61 Edit @/etc/arvados/sso/application.yml@ and set @uuid_prefix@ in the "common" section.
63 h3(#secret_token). secret_token
65 Generate a new secret token for signing cookies:
68 <pre><code>~$ <span class="userinput">ruby -e 'puts rand(2**400).to_s(36)'</span>
69 zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
70 </code></pre></notextile>
72 Edit @/etc/arvados/sso/application.yml@ and set @secret_token@ in the "common" section.
74 There are other configuration options in @/etc/arvados/sso/application.yml@. See the "Authentication methods":install-sso.html#authentication_methods section below for more details.
76 h2(#database). Set up the database
78 If PostgreSQL was newly installed as a dependency of the @arvados-sso-server@ package, you will need to start the service.
80 On a Debian-based system:
83 <pre><code>~$ <span class="userinput">sudo service postgresql start</span>
87 On a Red Hat-based system, we also need to initialize the database system:
90 <pre><code>~$ <span class="userinput">sudo service postgresql initdb</span>
91 ~$ <span class="userinput">sudo service postgresql start</span>
95 {% include 'notebox_begin' %}
97 If you are installing on CentOS6, you will need to modify PostgreSQL's configuration to allow password authentication for local users. The default configuration allows 'ident' only. The following commands will make the configuration change, and restart PostgreSQL for it to take effect.
100 <pre><code>~$ <span class="userinput">sudo sed -i -e "s/127.0.0.1\/32 ident/127.0.0.1\/32 md5/" /var/lib/pgsql/data/pg_hba.conf</span>
101 ~$ <span class="userinput">sudo sed -i -e "s/::1\/128 ident/::1\/128 md5/" /var/lib/pgsql/data/pg_hba.conf</span>
102 ~$ <span class="userinput">sudo service postgresql restart</span>
105 {% include 'notebox_end' %}
108 Next, generate a new database password. Nobody ever needs to memorize it or type it, so make a strong one:
111 <pre><code>~$ <span class="userinput">ruby -e 'puts rand(2**128).to_s(36)'</span>
112 abcdefghijklmnopqrstuvwxyz012345689
113 </code></pre></notextile>
115 Configure the SSO server to connect to your database by updating @/etc/arvados/sso/database.yml@. Replace the @xxxxxxxx@ database password placeholder with the new password you generated above. Be sure to update the @production@ section.
118 <pre><code>~$ <span class="userinput">edit /etc/arvados/sso/database.yml</span>
119 </code></pre></notextile>
121 Create a new database user with permission to create its own databases.
124 <pre><code>~$ <span class="userinput">sudo -u postgres createuser --createdb --encrypted -R -S --pwprompt arvados_sso</span>
125 Enter password for new role: <span class="userinput">paste-database-password-you-generated</span>
126 Enter it again: <span class="userinput">paste-database-password-you-generated</span>
127 </code></pre></notextile>
129 Rails will take care of creating the database, based on the information from @/etc/arvados/sso/database.yml@.
131 Alternatively, if the database user you intend to use for the SSO server should not be allowed to create new databases, the user and the database can be created like this:
134 <pre><code>~$ <span class="userinput">sudo -u postgres createuser --encrypted -R -S --pwprompt arvados_sso</span>
135 Enter password for new role: <span class="userinput">paste-database-password-you-generated</span>
136 Enter it again: <span class="userinput">paste-database-password-you-generated</span>
137 ~$ <span class="userinput">sudo -u postgres createdb arvados_sso_production -E UTF8 -O arvados_sso -T template0</span>
138 </code></pre></notextile>
140 h2(#reconfigure_package). Reconfigure the package
142 Now that the @/etc/arvados/sso/application.yml@ and @/etc/arvados/sso/database.yml@ files have been updated, we need to reconfigure our installed package. Doing so will create and/or initialize the database and precompile the assets.
144 On a Debian-based system:
147 <pre><code>~$ <span class="userinput">sudo dpkg-reconfigure arvados-sso-server</span>
151 On a Red Hat-based system, we need to reinstall the package instead:
154 <pre><code>~$ <span class="userinput">sudo yum reinstall arvados-sso-server</span>
158 h2(#client). Create arvados-server client
160 Use @rails console@ to create a @Client@ record that will be used by the Arvados API server. The values of @app_id@ and @app_secret@ correspond to the values for @sso_app_id@ and @sso_app_secret@ in the "API server's SSO settings.":install-api-server.html#omniauth
163 <pre><code>~$ <span class="userinput">ruby -e 'puts rand(2**400).to_s(36)'</span>
164 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
165 ~$ <span class="userinput">RAILS_ENV=production bundle exec rails console</span>
166 :001 > <span class="userinput">c = Client.new</span>
167 :002 > <span class="userinput">c.name = "joshid"</span>
168 :003 > <span class="userinput">c.app_id = "arvados-server"</span>
169 :004 > <span class="userinput">c.app_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"</span>
170 :005 > <span class="userinput">c.save!</span>
171 :006 > <span class="userinput">quit</span>
175 h2(#configure_web_server). Configure your web server
177 Edit the http section of your Nginx configuration to run the Passenger server and act as a frontend for it. You might add a block like the following, adding SSL and logging parameters to taste:
181 listen 127.0.0.1:8900;
182 server_name localhost-sso;
184 root /var/www/arvados-sso/current/public;
187 passenger_enabled on;
188 # If you're not using RVM, comment out the line below.
189 passenger_ruby /usr/local/rvm/wrappers/default/ruby;
193 server 127.0.0.1:8900 fail_timeout=10s;
196 proxy_http_version 1.1;
199 listen <span class="userinput">[your public IP address]</span>:443 ssl;
200 server_name auth.<span class="userinput">your.domain</span>;
203 ssl_certificate <span class="userinput">/YOUR/PATH/TO/cert.pem</span>;
204 ssl_certificate_key <span class="userinput">/YOUR/PATH/TO/cert.key</span>;
209 proxy_pass http://sso;
211 proxy_connect_timeout 90s;
212 proxy_read_timeout 300s;
214 proxy_set_header X-Forwarded-Proto https;
215 proxy_set_header Host $http_host;
216 proxy_set_header X-Real-IP $remote_addr;
217 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
223 Finally, restart Nginx and your Arvados SSO server should be up and running. You can verify that by visiting the URL you configured your Nginx web server to listen on in the server section above (port 443). Read on if you want to configure your Arvados SSO server to use a different authentication backend.
225 h2(#authentication_methods). Authentication methods
227 Authentication methods are configured in @application.yml@. Currently three authentication methods are supported: local accounts, LDAP, and Google+. If neither Google+ nor LDAP are enabled, the SSO server defaults to local user accounts. Only one authentication mechanism should be in use at a time.
229 h3(#local_accounts). Local account authentication
231 There are two configuration options for local accounts:
234 # If true, allow new creation of new accounts in the SSO server's internal
236 allow_account_registration: false
238 # If true, send an email confirmation before activating new accounts in the
239 # SSO server's internal user database (otherwise users are activated immediately.)
240 require_email_confirmation: false
243 For more information about configuring backend support for sending email (required to send email confirmations) see "Configuring Action Mailer":http://guides.rubyonrails.org/configuring.html#configuring-action-mailer
245 If @allow_account_registration@ is false, you may manually create local accounts on the SSO server from the rails console:
248 <pre><code>~$ <span class="userinput">RAILS_ENV=production bundle exec rails console</span>
249 :001 > <span class="userinput">user = User.new(:email => "test@example.com")</span>
250 :002 > <span class="userinput">user.password = "passw0rd"</span>
251 :003 > <span class="userinput">user.save!</span>
252 :004 > <span class="userinput">quit</span>
256 h3(#ldap). LDAP authentication
258 The following options are available to configure LDAP authentication. Note that you must preserve the indentation of the fields listed under @use_ldap@.
263 host: ldap.example.com
266 base: "ou=Users, dc=example, dc=com"
268 email_domain: example.com
269 #bind_dn: "some_user"
270 #password: "some_password"
274 |_. Option|_. Description|
275 |title |Title displayed to the user on the login page|
276 |host |LDAP server hostname|
277 |port |LDAP server port|
278 |method|One of "plain", "ssl", "tls"|
279 |base |Directory lookup base|
280 |uid |User id field used for directory lookup|
281 |email_domain|Strip off specified email domain from login and perform lookup on bare username|
282 |bind_dn|If required by server, username to log with in before performing directory lookup|
283 |password|If required by server, password to log with before performing directory lookup|
285 h3(#google). Google+ authentication
287 In order to use Google+ authentication, you must use the <a href="https://console.developers.google.com" target="_blank">Google Developers Console</a> to create a set of client credentials.
289 # Go to the <a href="https://console.developers.google.com" target="_blank">Google Developers Console</a> and select or create a project; this will take you to the project page.
290 # On the sidebar, click on *APIs & auth* then select *APIs*.
291 ## Search for *Contacts API* and click on *Enable API*.
292 ## Search for *Google+ API* and click on *Enable API*.
293 # On the sidebar, click on *Credentials*; under *OAuth* click on *Create new Client ID* to bring up the *Create Client ID* dialog box.
294 # Under *Application type* select *Web application*.
295 # If the authorization origins are not displayed, clicking on *Create Client ID* will take you to *Consent screen* settings.
296 ## On consent screen settings, enter the appropriate details and click on *Save*.
297 ## This will return you to the *Create Client ID* dialog box.
298 # You must set the authorization origins. Edit @sso.your-site.com@ to the appropriate hostname that you will use to access the SSO service:
299 ## JavaScript origin should be @https://sso.your-site.com/@
300 ## Redirect URI should be @https://sso.your-site.com/users/auth/google_oauth2/callback@
301 # Copy the values of *Client ID* and *Client secret* from the Google Developers Console into the Google section of @config/application.yml@, like this:
304 <pre><code> # Google API tokens required for OAuth2 login.
305 google_oauth2_client_id: <span class="userinput">"---YOUR---CLIENT---ID---HERE--"-</span>
306 google_oauth2_client_secret: <span class="userinput">"---YOUR---CLIENT---SECRET---HERE--"-</span></code></pre></notextile>