navsection: installguide
title: Install Single Sign On (SSO) server
h2(#dependencies). Install dependencies

Make sure you have "Ruby and Bundler":install-manual-prerequisites-ruby.html installed.
h2(#install). Install SSO server

h3. Get SSO server code and create database

<notextile>
<pre><code>~$ <span class="userinput">cd $HOME</span> # (or wherever you want to install)
~$ <span class="userinput">git clone https://github.com/curoverse/sso-devise-omniauth-provider.git</span>
~$ <span class="userinput">cd sso-devise-omniauth-provider</span>
~/sso-devise-omniauth-provider$ <span class="userinput">bundle install</span>
~/sso-devise-omniauth-provider$ <span class="userinput">RAILS_ENV=production bundle exec rake db:create</span>
~/sso-devise-omniauth-provider$ <span class="userinput">RAILS_ENV=production bundle exec rake db:migrate</span>
</code></pre></notextile>
h2. Configure the SSO server

First, copy the example configuration file:

<notextile>
<pre><code>~/sso-devise-omniauth-provider$ <span class="userinput">cp -i config/application.yml.example config/application.yml</span>
</code></pre></notextile>
The SSO server reads the @config/application.yml@ file as well as the @config/application.default.yml@ file. Values in @config/application.yml@ take precedence over the defaults defined in @config/application.default.yml@. The @config/application.yml.example@ file is not read by the SSO server; it is provided only as a starting point for your local configuration.

Consult @config/application.default.yml@ for a full list of configuration options. Always put your local configuration in @config/application.yml@; never edit @config/application.default.yml@, since it is overwritten on upgrade and every setting it contains can be overridden in @config/application.yml@.
h3(#uuid_prefix). uuid_prefix

Define your @uuid_prefix@ in @config/application.yml@ by setting the @uuid_prefix@ field in the section for your environment. This prefix is embedded in every database identifier so that a record can be recognized as originating from this site. It must be exactly 5 alphanumeric characters (lowercase ASCII letters and digits).
h3(#secret_token). secret_token

Generate a new secret token for signing cookies:

<notextile>
<pre><code>~/sso-devise-omniauth-provider$ <span class="userinput">ruby -e 'puts rand(2**400).to_s(36)'</span>
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
</code></pre></notextile>

Then put that value in the @secret_token@ field.
h3(#authentication_methods). Authentication methods

Three authentication methods are supported: Google OAuth2, LDAP, and local accounts.
h3(#google_oauth2). google_oauth2 authentication

Google OAuth2 authentication can be configured with these options.

<notextile>
<pre><code># Google API tokens required for OAuth2 login.
# See https://github.com/zquestz/omniauth-google-oauth2
# and https://developers.google.com/accounts/docs/OAuth2
google_oauth2_client_id: false
google_oauth2_client_secret: false

# Set this to your OpenId 2.0 realm to enable migration from Google OpenId
# 2.0 to Google OAuth2 OpenId Connect (Google will provide OpenId 2.0 user
# identifiers via the openid.realm parameter in the OAuth2 flow until 2017).
google_openid_realm: false
</code></pre></notextile>
h3(#ldap). ldap authentication

LDAP authentication can be configured with these options. Make sure to preserve the indentation of the fields nested under @use_ldap@.

<notextile>
<pre><code># Enable LDAP support.
use_ldap: false

# If you want to use LDAP, you need to provide
# the following set of fields under the use_ldap key.
#   host: ldap.example.com
#   base: "ou=Users, dc=example, dc=com"
#   email_domain: example.com
#   #bind_dn: "some_user"
#   #password: "some_password"
</code></pre></notextile>
h3(#local_accounts). local account authentication

If neither Google OAuth2 nor LDAP is enabled, the SSO server automatically falls back to local accounts. There are two configuration options for local accounts:

<notextile>
<pre><code># If true, allow creation of new accounts in the SSO server's internal
# user database.
allow_account_registration: false

# If true, send an email confirmation before activating new accounts in the
# SSO server's internal user database.
require_email_confirmation: false
</code></pre></notextile>
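As an added example (not part of the Arvados documentation or the SSO server's own code), the Ruby below merges a constructed @application.default.yml@ and @application.yml@ with the precedence described above, then checks the @uuid_prefix@, @secret_token@ and local-account settings from the preceding sections. It assumes both files use a top-level @production:@ section, and it generates a replacement token with @SecureRandom@ rather than the @Kernel#rand@ one-liner shown earlier, because @Kernel#rand@ is not a cryptographic generator.

```ruby
require 'yaml'
require 'securerandom'
# Constructed stand-ins for config/application.default.yml and config/application.yml
# (not the project's real files); the 'production' section name is an assumption.
DEFAULTS_YML = <<~YAML
  production:
    uuid_prefix: ~
    secret_token: ~
    allow_account_registration: false
    require_email_confirmation: false
YAML

LOCAL_YML = <<~YAML
  production:
    uuid_prefix: "zzzzz"
    secret_token: "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"
    allow_account_registration: true
YAML

# Values in application.yml take precedence over application.default.yml.
def effective_config(defaults_yml, local_yml, env = 'production')
  defaults = YAML.safe_load(defaults_yml).fetch(env, {})
  local = YAML.safe_load(local_yml).fetch(env, {})
  defaults.merge(local)
end

# Return the list of problems found in an effective config (empty if none).
def check_sso_config(cfg)
  problems = []
  prefix = cfg['uuid_prefix'].to_s
  unless prefix.match?(/\A[a-z0-9]{5}\z/)
    problems << 'uuid_prefix must be exactly 5 lowercase ASCII letters/digits'
  end
  token = cfg['secret_token'].to_s
  # Reject a missing token, a short one, or a single repeated character
  # (e.g. the zzzz... placeholder from the docs pasted in verbatim).
  if token.length < 40 || token.match?(/\A(.)\1*\z/)
    problems << 'secret_token must be a freshly generated random value'
  end
  if cfg['allow_account_registration'] && !cfg['require_email_confirmation']
    problems << 'open registration without email confirmation is enabled'
  end
  problems
end

# Cryptographically random cookie-signing token (80 hex characters).
def new_secret_token
  SecureRandom.hex(40)
end
```

Run @check_sso_config(effective_config(DEFAULTS_YML, LOCAL_YML))@ to see the two findings for the constructed sample: the placeholder token and registration enabled without confirmation.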
You can also create local accounts on the SSO server from the Rails console:

<notextile>
<pre><code>~/sso-devise-omniauth-provider$ <span class="userinput">RAILS_ENV=production bundle exec rails console</span>
:001 > <span class="userinput">user = User.new(:email => "test@example.com")</span>
:002 > <span class="userinput">user.password = "passw0rd"</span>
:003 > <span class="userinput">user.save!</span>
:004 > <span class="userinput">quit</span>
</code></pre></notextile>
h2(#client). Create arvados-server client

Use @rails console@ to create a @Client@ record that will be used by the Arvados API server. The values of @app_id@ and @app_secret@ correspond to the @APP_ID@ and @APP_SECRET@ that must be set in "Setting up Omniauth in the API server.":install-api-server.html#omniauth

<notextile>
<pre><code>~/sso-devise-omniauth-provider$ <span class="userinput">ruby -e 'puts rand(2**400).to_s(36)'</span>
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
~/sso-devise-omniauth-provider$ <span class="userinput">RAILS_ENV=production bundle exec rails console</span>
:001 > <span class="userinput">c = Client.new</span>
:002 > <span class="userinput">c.name = "joshid"</span>
:003 > <span class="userinput">c.app_id = "arvados-server"</span>
:004 > <span class="userinput">c.app_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"</span>
:005 > <span class="userinput">c.save!</span>
:006 > <span class="userinput">quit</span>
</code></pre></notextile>
h2. Start the SSO server

h3. Run a simple standalone server

You can use the WEBrick server that is bundled with Ruby to quickly verify that your installation is functioning:

<notextile>
<pre><code>~/sso-devise-omniauth-provider$ <span class="userinput">RAILS_ENV=production bundle exec rails server</span>
</code></pre></notextile>

h3. Production environment

As a Ruby on Rails application, the SSO server should be compatible with any Ruby application server that supports Rack applications. We recommend "Passenger":https://www.phusionpassenger.com/ to run the SSO server in production.