---
layout: default
navsection: installguide
title: Install Single Sign On (SSO) server
...
h2(#dependencies). Install dependencies
Make sure you have "Ruby and Bundler":install-manual-prerequisites-ruby.html installed.
h2(#install). Install SSO server
h3. Get SSO server code and create database
~$ cd $HOME # (or wherever you want to install)
~$ git clone https://github.com/curoverse/sso-devise-omniauth-provider.git
~$ cd sso-devise-omniauth-provider
~/sso-devise-omniauth-provider$ bundle install
~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake db:create
~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake db:migrate
h3. Configure Rails secret
Create a secret:
~/sso-devise-omniauth-provider$ cp -i config/initializers/secret_token.rb.example config/initializers/secret_token.rb
~/sso-devise-omniauth-provider$ ruby -e 'puts rand(2**400).to_s(36)'
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
Edit @config/initializers/secret_token.rb@ to set @config.secret_token@ to the string produced by @rand@ above.
h3. Configure upstream authentication provider
This will enable users to log in using their existing Google accounts. If you don't want to use Google for account services, you can also "add accounts manually.":#manual-accounts
~/sso-devise-omniauth-provider$ cp -i config/environments/production.rb.example config/environments/production.rb
Edit @config/environments/production.rb@ to set @config.google_oauth2_client_id@ and @config.google_oauth2_client_secret@. See "Omniauth Google OAuth2 gem documentation":https://github.com/zquestz/omniauth-google-oauth2 and "Using OAuth 2.0 to Access Google APIs":https://developers.google.com/accounts/docs/OAuth2 for information about using the "Google Developers Console":https://console.developers.google.com to get a Google client id and client secret.
h3(#client). Create arvados-server client
Use @rails console@ to create a @Client@ record that will be used by the Arvados API server. The values of @app_id@ and @app_secret@ correspond to the @APP_ID@ and @APP_SECRET@ that must be set in in "Setting up Omniauth in the API server.":install-api-server.html#omniauth
~/sso-devise-omniauth-provider$ ruby -e 'puts rand(2**400).to_s(36)'
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rails console
:001 > c = Client.new
:002 > c.name = "joshid"
:003 > c.app_id = "arvados-server"
:004 > c.app_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
:005 > c.save!
:006 > quit
h2(#manual-accounts). Adding user accounts manually
Instead of relying on an upstream authentication such as Google, you can create accounts on the SSO server manually.
~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rails console
:001 > user = User.new(:email => "test@example.com")
:002 > user.password = "passw0rd"
:003 > user.save!
:004 > quit
To log in using a manually created account:
# Go to https://auth.your.domain/users/sign_in
# Enter the email address and password and click on "Sign in"
# You will arrive at a page "You are now signed in as test@example.com"
# Go to https://workbench.@uuid_prefix@.your.domain/
# Click on the Workbench "Log in" button.
# You should now be logged in to Workbench. Confirm by looking for the email address displayed in the upper right.
h2. Start the SSO server
h3. Run a simple standalone server
You can use the Webrick server that is bundled with Ruby to quickly verify that your installation is functioning:
~/arvados/services/api$ RAILS_ENV=production bundle exec rails server
h3. Production environment
As a Ruby on Rails application, the SSO server should be compatible with any Ruby application server that supports Rack applications. We recommend "Passenger":https://www.phusionpassenger.com/ to run the SSO server in production.