--- layout: default navsection: installguide title: Install Single Sign On (SSO) server ... h2(#dependencies). Install dependencies h3(#install_git_curl). Install git and curl {% include 'install_git_curl' %} h3(#install_ruby_and_bundler). Install Ruby and Bundler {% include 'install_ruby_and_bundler' %} h3(#install_postgres). Install PostgreSQL {% include 'install_postgres' %} h2(#install). Install SSO server h3. Get SSO server code and run bundle

~$ cd $HOME # (or wherever you want to install)
~$ git clone https://github.com/curoverse/sso-devise-omniauth-provider.git
~$ cd sso-devise-omniauth-provider
~/sso-devise-omniauth-provider$ bundle install --without=development

h2. Configure the SSO server First, copy the example configuration file:

~/sso-devise-omniauth-provider$ cp -i config/application.yml.example config/application.yml

The SSO server reads the @config/application.yml@ file, as well as the @config/application.defaults.yml@ file. Values in @config/application.yml@ take precedence over the defaults that are defined in @config/application.defaults.yml@. The @config/application.yml.example@ file is not read by the SSO server and is provided for installation convenience only. Consult @config/application.default.yml@ for a full list of configuration options. Local configuration goes in @config/application.yml@, do not edit @config/application.default.yml@. h3(#uuid_prefix). uuid_prefix Generate a uuid prefix for the single sign on service. This prefix is used to identify user records as originating from this site. It must be exactly 5 lowercase ASCII letters and/or digits. You may use the following snippet to generate a uuid prefix:

~/sso-devise-omniauth-provider$ ruby -e 'puts "#{rand(2**64).to_s(36)[0,5]}"'
abcde

Edit @config/application.yml@ and set @uuid_prefix@ in the "common" section. h3(#secret_token). secret_token Generate a new secret token for signing cookies:

~/sso-devise-omniauth-provider$ ruby -e 'puts rand(2**400).to_s(36)'
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz

Edit @config/application.yml@ and set @secret_token@ in the "common" section. h2(#database). Set up the database Generate a new database password. Nobody ever needs to memorize it or type it, so make a strong one:

~/sso-devise-omniauth-provider$ ruby -e 'puts rand(2**128).to_s(36)'
abcdefghijklmnopqrstuvwxyz012345689

Create a new database user with permission to create its own databases.

~/sso-devise-omniauth-provider$ sudo -u postgres createuser --createdb --encrypted -R -S --pwprompt arvados_sso
Enter password for new role: paste-database-password-you-generated
Enter it again: paste-database-password-you-generated

Configure SSO server to connect to your database by creating and updating @config/database.yml@. Replace the @xxxxxxxx@ database password placeholders with the new password you generated above. If you are planning a production system, update the @production@ section, otherwise use @development@.

~/sso-devise-omniauth-provider$ cp -i config/database.yml.example config/database.yml
~/sso-devise-omniauth-provider$ edit config/database.yml

Create and initialize the database. If you are planning a production system, choose the @production@ rails environment, otherwise use @development@.

~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake db:setup

Alternatively, if the database user you intend to use for the SSO server is not allowed to create new databases, you can create the database first and then populate it with rake. Be sure to adjust the database name if you are using the @development@ environment. This sequence of commands is functionally equivalent to the rake db:setup command above:

~/sso-devise-omniauth-provider$ sudo -u postgres createdb arvados_sso_production -E UTF8 -O arvados_sso -T template0
~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake db:schema:load
~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake db:seed

h2(#client). Create arvados-server client Use @rails console@ to create a @Client@ record that will be used by the Arvados API server. The values of @app_id@ and @app_secret@ correspond to the values for @sso_app_id@ and @sso_app_secret@ in the "API server's SSO settings.":install-api-server.html#omniauth

~/sso-devise-omniauth-provider$ ruby -e 'puts rand(2**400).to_s(36)'
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rails console
:001 > c = Client.new
:002 > c.name = "joshid"
:003 > c.app_id = "arvados-server"
:004 > c.app_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
:005 > c.save!
:006 > quit

h2(#assets). Precompile assets If you are running in the production environment, you must precompile the assets:

~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake assets:precompile

h2(#authentication_methods). Authentication methods Authentication methods are configured in @application.yml@. Currently three authentication methods are supported: local accounts, LDAP, and Google+. If neither Google+ nor LDAP are enabled, the SSO server defaults to local user accounts. Only one authentication mechanism should be in use at a time. h3(#local_accounts). Local account authentication There are two configuration options for local accounts:

  # If true, allow new creation of new accounts in the SSO server's internal
  # user database.
  allow_account_registration: false

  # If true, send an email confirmation before activating new accounts in the
  # SSO server's internal user database (otherwise users are activated immediately.)
  require_email_confirmation: false

For more information about configuring backend support for sending email (required to send email confirmations) see "Configuring Action Mailer":http://guides.rubyonrails.org/configuring.html#configuring-action-mailer If @allow_account_registration@ is false, you may manually create local accounts on the SSO server from the rails console:

~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rails console
:001 > user = User.new(:email => "test@example.com")
:002 > user.password = "passw0rd"
:003 > user.save!
:004 > quit

h3(#ldap). LDAP authentication The following options are available to configure LDAP authentication. Note that you must preserve the indentation of the fields listed under @use_ldap@.

  use_ldap:
    title: Example LDAP
    host: ldap.example.com
    port: 636
    method: ssl
    base: "ou=Users, dc=example, dc=com"
    uid: uid
    email_domain: example.com
    #bind_dn: "some_user"
    #password: "some_password"

table(table). |_. Option|_. Description| |title |Title displayed to the user on the login page| |host |LDAP server hostname| |port |LDAP server port| |method|One of "plain", "ssl", "tls"| |base |Directory lookup base| |uid |User id field used for directory lookup| |email_domain|Strip off specified email domain from login and perform lookup on bare username| |bind_dn|If required by server, username to log with in before performing directory lookup| |password|If required by server, password to log with before performing directory lookup| h3(#google). Google+ authentication In order to use Google+ authentication, you must use the Google Developers Console to create a set of client credentials. # Go to the Google Developers Console and select or create a project; this will take you to the project page. # On the sidebar, click on *APIs & auth* then select *APIs*. ## Search for *Contacts API* and click on *Enable API*. ## Search for *Google+ API* and click on *Enable API*. # On the sidebar, click on *Credentials*; under *OAuth* click on *Create new Client ID* to bring up the *Create Client ID* dialog box. # Under *Application type* select *Web application*. # If the authorization origins are not displayed, clicking on *Create Client ID* will take you to *Consent screen* settings. ## On consent screen settings, enter the appropriate details and click on *Save*. ## This will return you to the *Create Client ID* dialog box. # You must set the authorization origins. Edit @sso.your-site.com@ to the appropriate hostname that you will use to access the SSO service: ## JavaScript origin should be @https://sso.your-site.com/@ ## Redirect URI should be @https://sso.your-site.com/users/auth/google_oauth2/callback@ # Copy the values of *Client ID* and *Client secret* from the Google Developers Console into the Google section of @config/application.yml@, like this:

  # Google API tokens required for OAuth2 login.
  google_oauth2_client_id: "---YOUR---CLIENT---ID---HERE--"-
  google_oauth2_client_secret: "---YOUR---CLIENT---SECRET---HERE--"-

h2(#start). Set up a Web server For best performance, we recommend you use Nginx as your Web server front-end, with a Passenger backend to serve the SSO server. To do that:

Install Nginx and Phusion Passenger.

Edit the http section of your Nginx configuration to run the Passenger server, and act as a front-end for it. You might add a block like the following, adding SSL and logging parameters to taste:

server {
  listen 127.0.0.1:8900;
  server_name localhost-sso;

  root   /YOUR/PATH/TO/sso-devise-omniauth-provider/public;
  index  index.html index.htm index.php;

  passenger_enabled on;
  # If you're using RVM, uncomment the line below.
  #passenger_ruby /usr/local/rvm/wrappers/default/ruby;
}

upstream sso {
  server     127.0.0.1:8900  fail_timeout=10s;
}

proxy_http_version 1.1;

server {
  listen       [your public IP address]:443 ssl;
  server_name  auth.your.domain;

  ssl on;
  ssl_certificate     /YOUR/PATH/TO/cert.pem;
  ssl_certificate_key /YOUR/PATH/TO/cert.key;

  index  index.html index.htm index.php;

  location / {
    proxy_pass            http://sso;
    proxy_redirect        off;
    proxy_connect_timeout 90s;
    proxy_read_timeout    300s;

    proxy_set_header      X-Forwarded-Proto https;
    proxy_set_header      Host $http_host;
    proxy_set_header      X-Real-IP $remote_addr;
    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}

Restart Nginx.

{% include 'notebox_begin' %} If you see the following warning "you may safely ignore it":https://stackoverflow.com/questions/10374871/no-secret-option-provided-to-racksessioncookie-warning:

SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
This poses a security threat. It is strongly recommended that you
provide a secret to prevent exploits that may be possible from crafted
cookies. This will not be supported in future versions of Rack, and
future versions will even invalidate your existing user cookies.

Called from: /var/lib/gems/2.1.0/gems/actionpack-3.2.8/lib/action_dispatch/middleware/session/abstract_store.rb:28:in `initialize'.

{% include 'notebox_end' %}