---
layout: default
navsection: installguide
title: Install the Single Sign On (SSO) server
...
{% comment %}
Copyright (C) The Arvados Authors. All rights reserved.
SPDX-License-Identifier: CC-BY-SA-3.0
{% endcomment %}
h2(#dependencies). Install prerequisites
The Arvados package repository includes an SSO server package that can help automate much of the deployment.
h3(#install_ruby_and_bundler). Install Ruby and Bundler
{% include 'install_ruby_and_bundler' %}
h3(#install_web_server). Set up a Web server
For best performance, we recommend you use Nginx as your Web server frontend with a Passenger backend to serve the SSO server. The Passenger team provides "Nginx + Passenger installation instructions":https://www.phusionpassenger.com/library/walkthroughs/deploy/ruby/ownserver/nginx/oss/install_passenger_main.html.
Follow the instructions until you see the section that says you are ready to deploy your Ruby application on the production server.
h2(#install). Install the SSO server
On a Debian-based system, install the following package:
~$ sudo apt-get install arvados-sso-server
~$ sudo yum install arvados-sso-server
/etc/arvados/sso/application.yml
/etc/arvados/sso/database.yml
/etc/arvados/sso/production.rb
~$ ruby -e 'puts "#{rand(2**64).to_s(36)[0,5]}"'
abcde
~$ ruby -e 'puts rand(2**400).to_s(36)'
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
~$ editor /etc/arvados/sso/database.yml
:001 > c = Client.new
:002 > c.name = "joshid"
:003 > c.app_id = "arvados-server"
:004 > c.app_secret = rand(2**400).to_s(36)
=> "save this string for your API server's sso_app_secret"
:005 > c.save!
:006 > quit
server {
listen 127.0.0.1:8900;
server_name localhost-sso;
root /var/www/arvados-sso/current/public;
index index.html;
passenger_enabled on;
# If you're not using RVM, comment out the line below.
passenger_ruby /usr/local/rvm/wrappers/default/ruby;
}
upstream sso {
server 127.0.0.1:8900 fail_timeout=10s;
}
proxy_http_version 1.1;
server {
listen [your public IP address]:443 ssl;
server_name auth.your.domain;
ssl on;
ssl_certificate /YOUR/PATH/TO/cert.pem;
ssl_certificate_key /YOUR/PATH/TO/cert.key;
index index.html;
location / {
proxy_pass http://sso;
proxy_redirect off;
proxy_connect_timeout 90s;
proxy_read_timeout 300s;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
# If true, allow new creation of new accounts in the SSO server's internal # user database. allow_account_registration: false # If true, send an email confirmation before activating new accounts in the # SSO server's internal user database (otherwise users are activated immediately.) require_email_confirmation: falseFor more information about configuring backend support for sending email (required to send email confirmations) see "Configuring Action Mailer":http://guides.rubyonrails.org/configuring.html#configuring-action-mailer If @allow_account_registration@ is false, you may manually create local accounts on the SSO server from the Rails console. {% include 'install_rails_command' %} Enter the following commands at the console.
:001 > user = User.new(:email => "test@example.com")
:002 > user.password = "passw0rd"
:003 > user.save!
:004 > quit
use_ldap: title: Example LDAP host: ldap.example.com port: 636 method: ssl base: "ou=Users, dc=example, dc=com" uid: uid email_domain: example.com #bind_dn: "some_user" #password: "some_password"table(table). |_. Option|_. Description| |title |Title displayed to the user on the login page| |host |LDAP server hostname| |port |LDAP server port| |method|One of "plain", "ssl", "tls"| |base |Directory lookup base| |uid |User id field used for directory lookup| |email_domain|Strip off specified email domain from login and perform lookup on bare username| |bind_dn|If required by server, username to log with in before performing directory lookup| |password|If required by server, password to log with before performing directory lookup| h3(#google). Google+ authentication In order to use Google+ authentication, you must use the Google Developers Console to create a set of client credentials. # Go to the Google Developers Console and select or create a project; this will take you to the project page. # On the sidebar, click on *APIs & auth* then select *APIs*. ## Search for *Contacts API* and click on *Enable API*. ## Search for *Google+ API* and click on *Enable API*. # On the sidebar, click on *Credentials*; under *OAuth* click on *Create new Client ID* to bring up the *Create Client ID* dialog box. # Under *Application type* select *Web application*. # If the authorization origins are not displayed, clicking on *Create Client ID* will take you to *Consent screen* settings. ## On consent screen settings, enter the appropriate details and click on *Save*. ## This will return you to the *Create Client ID* dialog box. # You must set the authorization origins. Edit @auth.your.domain@ to the appropriate hostname that you will use to access the SSO service: ## JavaScript origin should be @https://auth.your.domain/@ ## Redirect URI should be @https://auth.your.domain/users/auth/google_oauth2/callback@ # Copy the values of *Client ID* and *Client secret* from the Google Developers Console into the Google section of @config/application.yml@, like this:
# Google API tokens required for OAuth2 login.
google_oauth2_client_id: "---YOUR---CLIENT---ID---HERE--"-
google_oauth2_client_secret: "---YOUR---CLIENT---SECRET---HERE--"-