--- layout: default navsection: installguide title: Install the Single Sign On (SSO) server ... {% comment %} Copyright (C) The Arvados Authors. All rights reserved. SPDX-License-Identifier: CC-BY-SA-3.0 {% endcomment %} # "Install dependencies":#dependencies # "Set up database":#database-setup # "Update config.yml":#update-config # "Configure the SSO server":#create-application-yml # "Update Nginx configuration":#update-nginx # "Install arvados-sso-server":#install-packages # "Create arvados-server client record":#client # "Restart the API server and controller":#restart-api h2(#dependencies). Install dependencies # "Install PostgreSQL":install-postgresql.html # "Install Ruby and Bundler":ruby.html Important! The Single Sign On server only supports Ruby 2.3, to avoid version conflicts we recommend installing it on a different server from the API server. When installing Ruby, ensure that you get the right version by installing the "ruby2.3" package, or by using RVM with @--ruby=2.3@ # "Install nginx":nginx.html # "Install Phusion Passenger":https://www.phusionpassenger.com/library/walkthroughs/deploy/ruby/ownserver/nginx/oss/install_passenger_main.html h2(#database-setup). Set up the database {% assign service_role = "arvados_sso" %} {% assign service_database = "arvados_sso_production" %} {% assign use_contrib = false %} {% include 'install_postgres_database' %} Now create @/etc/arvados/sso/database.yml@
production: adapter: postgresql encoding: utf8 database: arvados_sso_production username: arvados_sso password: $password host: localhost template: template0h2(#update-config). Update config.yml
Services: SSO: ExternalURL: auth.ClusterID.example.com Login: ProviderAppID: "arvados-server" ProviderAppSecret: $app_secretGenerate @ProviderAppSecret@:
~$ ruby -e 'puts rand(2**400).to_s(36)'
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
production: uuid_prefix: xxxxx secret_token: zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzh3(#uuid_prefix). uuid_prefix Most of the time, you want this to be the same as your @ClusterID@. If not, generate a new one from the command line listed previously. h3(#secret_token). secret_token Generate a new secret token for signing cookies:
~$ ruby -e 'puts rand(2**400).to_s(36)'
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
# If true, allow new creation of new accounts in the SSO server's internal # user database. allow_account_registration: false # If true, send an email confirmation before activating new accounts in the # SSO server's internal user database (otherwise users are activated immediately.) require_email_confirmation: falseFor more information about configuring backend support for sending email (required to send email confirmations) see "Configuring Action Mailer":http://guides.rubyonrails.org/configuring.html#configuring-action-mailer If @allow_account_registration@ is false, you may manually create local accounts on the SSO server from the Rails console. {% include 'install_rails_command' %} Enter the following commands at the console.
:001 > user = User.new(:email => "test@example.com")
:002 > user.password = "passw0rd"
:003 > user.save!
:004 > quit
use_ldap: title: Example LDAP host: ldap.example.com port: 636 method: ssl base: "ou=Users, dc=example, dc=com" uid: uid email_domain: example.com #bind_dn: "some_user" #password: "some_password"table(table). |_. Option|_. Description| |title |Title displayed to the user on the login page| |host |LDAP server hostname| |port |LDAP server port| |method|One of "plain", "ssl", "tls"| |base |Directory lookup base| |uid |User id field used for directory lookup| |email_domain|Strip off specified email domain from login and perform lookup on bare username| |bind_dn|If required by server, username to log with in before performing directory lookup| |password|If required by server, password to log with before performing directory lookup| h4(#google). Google authentication First, visit "Setting up Google auth.":google-auth.html Next, copy the values of *Client ID* and *Client secret* from the Google Developers Console into the Google section of @config/application.yml@, like this:
# Google API tokens required for OAuth2 login.
google_oauth2_client_id: "---YOUR---CLIENT---ID---HERE--"-
google_oauth2_client_secret: "---YOUR---CLIENT---SECRET---HERE--"-
server {
listen auth.ClusterID.example.com:443 ssl;
server_name auth.ClusterID.example.com;
ssl on;
ssl_certificate /TODO/YOUR/PATH/TO/cert.pem;
ssl_certificate_key /TODO/YOUR/PATH/TO/cert.key;
root /var/www/arvados-sso/current/public;
index index.html;
passenger_enabled on;
# TODO: If you are using RVM, uncomment the line below.
# If you're using system ruby, leave it commented out.
#passenger_ruby /usr/local/rvm/wrappers/default/ruby;
}
# yum install arvados-sso-server
# apt-get --no-install-recommends arvados-sso-server
:001 > c = Client.new
:002 > c.name = "joshid"
:003 > c.app_id = "arvados-server"
:004 > c.app_secret = "the value of Login.ProviderAppSecret"
:005 > c.save!
:006 > quit
# systemctl restart nginx arvados-controller