navsection: installguide
title: Install the Single Sign On (SSO) server
...
+{% comment %}
+Copyright (C) The Arvados Authors. All rights reserved.
+
+SPDX-License-Identifier: CC-BY-SA-3.0
+{% endcomment %}
h2(#dependencies). Install prerequisites
h3(#install_ruby_and_bundler). Install Ruby and Bundler
-{% include 'install_ruby_and_bundler' %}
+{% include 'install_ruby_and_bundler_sso' %}
h3(#install_web_server). Set up a Web server
h2(#database). Set up the database
-If PostgreSQL was newly installed as a dependency of the @arvados-sso-server@ package, you will need to start the service.
-
-On a Debian-based system:
-
-<notextile>
-<pre><code>~$ <span class="userinput">sudo service postgresql start</span>
-</code></pre>
-</notextile>
-
-On a Red Hat-based system, we also need to initialize the database system:
-
-<notextile>
-<pre><code>~$ <span class="userinput">sudo service postgresql initdb</span>
-~$ <span class="userinput">sudo service postgresql start</span>
-</code></pre>
-</notextile>
-
-{% include 'notebox_begin' %}
-
-If you are installing on CentOS6, you will need to modify PostgreSQL's configuration to allow password authentication for local users. The default configuration allows 'ident' only. The following commands will make the configuration change, and restart PostgreSQL for it to take effect.
-<br/>
-<notextile>
-<pre><code>~$ <span class="userinput">sudo sed -i -e "s/127.0.0.1\/32 ident/127.0.0.1\/32 md5/" /var/lib/pgsql/data/pg_hba.conf</span>
-~$ <span class="userinput">sudo sed -i -e "s/::1\/128 ident/::1\/128 md5/" /var/lib/pgsql/data/pg_hba.conf</span>
-~$ <span class="userinput">sudo service postgresql restart</span>
-</code></pre>
-</notextile>
-{% include 'notebox_end' %}
-
-
-Next, generate a new database password. Nobody ever needs to memorize it or type it, so make a strong one:
-
-<notextile>
-<pre><code>~$ <span class="userinput">ruby -e 'puts rand(2**128).to_s(36)'</span>
-abcdefghijklmnopqrstuvwxyz012345689
-</code></pre></notextile>
-
-Configure the SSO server to connect to your database by updating @/etc/arvados/sso/database.yml@. Replace the @xxxxxxxx@ database password placeholder with the new password you generated above. Be sure to update the @production@ section.
+Configure the SSO server to connect to your database by updating @/etc/arvados/sso/database.yml@. Replace the @xxxxxxxx@ database password placeholder with the "password you generated during database setup":install-postgresql.html#sso. Be sure to update the @production@ section.
<notextile>
<pre><code>~$ <span class="userinput">editor /etc/arvados/sso/database.yml</span>
</code></pre></notextile>
-Create a new database user with permission to create its own databases.
-
-<notextile>
-<pre><code>~$ <span class="userinput">sudo -u postgres createuser --createdb --encrypted -R -S --pwprompt arvados_sso</span>
-Enter password for new role: <span class="userinput">paste-database-password-you-generated</span>
-Enter it again: <span class="userinput">paste-database-password-you-generated</span>
-</code></pre></notextile>
-
-Rails will take care of creating the database, based on the information from @/etc/arvados/sso/database.yml@.
-
-Alternatively, if the database user you intend to use for the SSO server should not be allowed to create new databases, the user and the database can be created like this:
-
-<notextile>
-<pre><code>~$ <span class="userinput">sudo -u postgres createuser --encrypted -R -S --pwprompt arvados_sso</span>
-Enter password for new role: <span class="userinput">paste-database-password-you-generated</span>
-Enter it again: <span class="userinput">paste-database-password-you-generated</span>
-~$ <span class="userinput">sudo -u postgres createdb arvados_sso_production -E UTF8 -O arvados_sso -T template0</span>
-</code></pre></notextile>
-
h2(#reconfigure_package). Reconfigure the package
-Now that the @/etc/arvados/sso/application.yml@ and @/etc/arvados/sso/database.yml@ files have been updated, we need to reconfigure our installed package. Doing so will create and/or initialize the database and precompile the assets.
-
-On a Debian-based system:
-
-<notextile>
-<pre><code>~$ <span class="userinput">sudo dpkg-reconfigure arvados-sso-server</span>
-</code></pre>
-</notextile>
-
-On a Red Hat-based system, we need to reinstall the package instead:
-
-<notextile>
-<pre><code>~$ <span class="userinput">sudo yum reinstall arvados-sso-server</span>
-</code></pre>
-</notextile>
+{% assign railspkg = "arvados-sso-server" %}
+{% include 'install_rails_reconfigure' %}
h2(#client). Create arvados-server client
-Use @rails console@ to create a @Client@ record that will be used by the Arvados API server. The values of @app_id@ and @app_secret@ correspond to the values for @sso_app_id@ and @sso_app_secret@ in the "API server's SSO settings.":install-api-server.html#omniauth
+{% assign railshost = "" %}
+{% assign railsdir = "/var/www/arvados-sso/current" %}
+Use @rails console@ to create a @Client@ record that will be used by the Arvados API server. {% include 'install_rails_command' %}
+
+Enter the following commands at the console. The values that appear after you assign @app_id@ and @app_secret@ correspond to the values for @sso_app_id@ and @sso_app_secret@, respectively, in the "API server's SSO settings":install-api-server.html#omniauth.
<notextile>
-<pre><code>~$ <span class="userinput">ruby -e 'puts rand(2**400).to_s(36)'</span>
-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-~$ <span class="userinput">RAILS_ENV=production bundle exec rails console</span>
-:001 > <span class="userinput">c = Client.new</span>
+<pre><code>:001 > <span class="userinput">c = Client.new</span>
:002 > <span class="userinput">c.name = "joshid"</span>
:003 > <span class="userinput">c.app_id = "arvados-server"</span>
-:004 > <span class="userinput">c.app_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"</span>
+:004 > <span class="userinput">c.app_secret = rand(2**400).to_s(36)</span>
+=> "<strong>save this string for your API server's sso_app_secret</strong>"
:005 > <span class="userinput">c.save!</span>
:006 > <span class="userinput">quit</span>
</code></pre>
For more information about configuring backend support for sending email (required to send email confirmations) see "Configuring Action Mailer":http://guides.rubyonrails.org/configuring.html#configuring-action-mailer
-If @allow_account_registration@ is false, you may manually create local accounts on the SSO server from the rails console:
+If @allow_account_registration@ is false, you may manually create local accounts on the SSO server from the Rails console. {% include 'install_rails_command' %}
+
+Enter the following commands at the console.
<notextile>
-<pre><code>~$ <span class="userinput">RAILS_ENV=production bundle exec rails console</span>
-:001 > <span class="userinput">user = User.new(:email => "test@example.com")</span>
+<pre><code>:001 > <span class="userinput">user = User.new(:email => "test@example.com")</span>
:002 > <span class="userinput">user.password = "passw0rd"</span>
:003 > <span class="userinput">user.save!</span>
:004 > <span class="userinput">quit</span>
# If the authorization origins are not displayed, clicking on *Create Client ID* will take you to *Consent screen* settings.
## On consent screen settings, enter the appropriate details and click on *Save*.
## This will return you to the *Create Client ID* dialog box.
-# You must set the authorization origins. Edit @sso.your-site.com@ to the appropriate hostname that you will use to access the SSO service:
-## JavaScript origin should be @https://sso.your-site.com/@
-## Redirect URI should be @https://sso.your-site.com/users/auth/google_oauth2/callback@
+# You must set the authorization origins. Edit @auth.your.domain@ to the appropriate hostname that you will use to access the SSO service:
+## JavaScript origin should be @https://auth.your.domain/@
+## Redirect URI should be @https://auth.your.domain/users/auth/google_oauth2/callback@
# Copy the values of *Client ID* and *Client secret* from the Google Developers Console into the Google section of @config/application.yml@, like this:
<notextile>
<pre><code> # Google API tokens required for OAuth2 login.
google_oauth2_client_id: <span class="userinput">"---YOUR---CLIENT---ID---HERE--"-</span>
google_oauth2_client_secret: <span class="userinput">"---YOUR---CLIENT---SECRET---HERE--"-</span></code></pre></notextile>
-
-
projects / arvados.git / blobdiff