X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/8e74a5f22b14f26d33c89dadf42600d417094009..d77bf0c67422a259afacc17660698729328a1ed3:/doc/install/install-sso.html.textile.liquid
diff --git a/doc/install/install-sso.html.textile.liquid b/doc/install/install-sso.html.textile.liquid
index 36d2599ea0..aaa6211b46 100644
--- a/doc/install/install-sso.html.textile.liquid
+++ b/doc/install/install-sso.html.textile.liquid
@@ -1,132 +1,209 @@
---
layout: default
navsection: installguide
-title: Install Single Sign On (SSO) server
+title: Install the Single Sign On (SSO) server
...
-h2(#dependencies). Install dependencies
+h2(#dependencies). Install prerequisites
-h3(#install_ruby_and_bundler). Install git and curl
-
-{% include 'install_tools' %}
+The Arvados package repository includes an SSO server package that can help automate much of the deployment.
h3(#install_ruby_and_bundler). Install Ruby and Bundler
{% include 'install_ruby_and_bundler' %}
-h3(#install_postgres). Install PostgreSQL
+h3(#install_web_server). Set up a Web server
+
+For best performance, we recommend you use Nginx as your Web server frontend with a Passenger backend to serve the SSO server. The Passenger team provides "Nginx + Passenger installation instructions":https://www.phusionpassenger.com/library/walkthroughs/deploy/ruby/ownserver/nginx/oss/install_passenger_main.html.
-{% include 'install_postgres' %}
+Follow the instructions until you see the section that says you are ready to deploy your Ruby application on the production server.
-h2(#install). Install SSO server
+h2(#install). Install the SSO server
-h3. Get SSO server code and run bundle
+On a Debian-based system, install the following package:
~$ cd $HOME # (or wherever you want to install)
-~$ git clone https://github.com/curoverse/sso-devise-omniauth-provider.git
-~$ cd sso-devise-omniauth-provider
-~/sso-devise-omniauth-provider$ bundle install --without=development
-
~$ sudo apt-get install arvados-sso-server
+
+
+
+On a Red Hat-based system, install the following package:
+
+~$ sudo yum install arvados-sso-server
+
+~/sso-devise-omniauth-provider$ cp -i config/application.yml.example config/application.yml
-
/etc/arvados/sso/application.yml
+/etc/arvados/sso/database.yml
+/etc/arvados/sso/production.rb
+
+
+
+The SSO server runs from the @/var/www/arvados-sso/current/@ directory. The files @/var/www/arvados-sso/current/config/application.yml@, @/var/www/arvados-sso/current/config/database.yml@ and @/var/www/arvados-sso/current/config/environments/production.rb@ are symlinked to the configuration files in @/etc/arvados/sso/@.
-The SSO server reads the @config/application.yml@ file, as well as the @config/application.defaults.yml@ file. Values in @config/application.yml@ take precedence over the defaults that are defined in @config/application.defaults.yml@. The @config/application.yml.example@ file is not read by the SSO server and is provided for installation convenience, only.
+The SSO server reads the @config/application.yml@ file, as well as the @config/application.defaults.yml@ file. Values in @config/application.yml@ take precedence over the defaults that are defined in @config/application.defaults.yml@. The @config/application.yml.example@ file is not read by the SSO server and is provided for installation convenience only.
-Consult @config/application.default.yml@ for a full list of configuration options. Local configuration goes in @config/application.yml@, do not edit @config/application.default.yml@.
+Consult @config/application.default.yml@ for a full list of configuration options. Local configuration goes in @/etc/arvados/sso/application.yml@, do not edit @config/application.default.yml@.
h3(#uuid_prefix). uuid_prefix
-Generate a uuid prefix for the single sign on service. This prefix is used to identify user records as originating from this site. It must be exactly 5 alphanumeric characters (lowercase ASCII letters and digits). You may use the following snippet to generate a uuid prefix:
+Generate a uuid prefix for the single sign on service. This prefix is used to identify user records as originating from this site. It must be exactly 5 lowercase ASCII letters and/or digits. You may use the following snippet to generate a uuid prefix:
~/sso-devise-omniauth-provider$ ruby -e 'puts "#{rand(2**64).to_s(36)[0,5]}"'
+~$ ruby -e 'puts "#{rand(2**64).to_s(36)[0,5]}"'
abcde
~/sso-devise-omniauth-provider$ ruby -e 'puts rand(2**400).to_s(36)'
+~$ ruby -e 'puts rand(2**400).to_s(36)'
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
~/sso-devise-omniauth-provider$ ruby -e 'puts rand(2**128).to_s(36)'
-abcdefghijklmnopqrstuvwxyz012345689
-
~$ sudo service postgresql start
+
+
-Create a new database user with permission to create its own databases.
+On a Red Hat-based system, we also need to initialize the database system:
~/sso-devise-omniauth-provider$ sudo -u postgres createuser --createdb --encrypted -R -S --pwprompt arvados_sso
-Enter password for new role: paste-database-password-you-generated
-Enter it again: paste-database-password-you-generated
+~$ sudo service postgresql initdb
+~$ sudo service postgresql start
+
+
~$ ruby -e 'puts rand(2**128).to_s(36)'
+abcdefghijklmnopqrstuvwxyz012345689
~/sso-devise-omniauth-provider$ cp -i config/database.yml.example config/database.yml
-~/sso-devise-omniauth-provider$ edit config/database.yml
+~$ editor /etc/arvados/sso/database.yml
~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake db:setup
+~$ sudo -u postgres createuser --createdb --encrypted -R -S --pwprompt arvados_sso
+Enter password for new role: paste-database-password-you-generated
+Enter it again: paste-database-password-you-generated
~/sso-devise-omniauth-provider$ sudo -u postgres createdb arvados_sso_production -E UTF8 -O arvados_sso -T template0
-~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake db:schema:load
-~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake db:seed
+~$ sudo -u postgres createuser --encrypted -R -S --pwprompt arvados_sso
+Enter password for new role: paste-database-password-you-generated
+Enter it again: paste-database-password-you-generated
+~$ sudo -u postgres createdb arvados_sso_production -E UTF8 -O arvados_sso -T template0
~/sso-devise-omniauth-provider$ ruby -e 'puts rand(2**400).to_s(36)'
-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rails console
-:001 > c = Client.new
+:001 > c = Client.new
:002 > c.name = "joshid"
:003 > c.app_id = "arvados-server"
-:004 > c.app_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+:004 > c.app_secret = rand(2**400).to_s(36)
+=> "save this string for your API server's sso_app_secret"
:005 > c.save!
:006 > quit
~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake assets:precompile
+server {
+ listen 127.0.0.1:8900;
+ server_name localhost-sso;
+
+ root /var/www/arvados-sso/current/public;
+ index index.html;
+
+ passenger_enabled on;
+ # If you're not using RVM, comment out the line below.
+ passenger_ruby /usr/local/rvm/wrappers/default/ruby;
+}
+
+upstream sso {
+ server 127.0.0.1:8900 fail_timeout=10s;
+}
+
+proxy_http_version 1.1;
+
+server {
+ listen [your public IP address]:443 ssl;
+ server_name auth.your.domain;
+
+ ssl on;
+ ssl_certificate /YOUR/PATH/TO/cert.pem;
+ ssl_certificate_key /YOUR/PATH/TO/cert.key;
+
+ index index.html;
+
+ location / {
+ proxy_pass http://sso;
+ proxy_redirect off;
+ proxy_connect_timeout 90s;
+ proxy_read_timeout 300s;
+
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+}
~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rails console
-:001 > user = User.new(:email => "test@example.com")
+:001 > user = User.new(:email => "test@example.com")
:002 > user.password = "passw0rd"
:003 > user.save!
:004 > quit
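Review bot: the client secret at `:004 > c.app_secret = rand(2**400).to_s(36)` is generated with Ruby's `rand`, which is a Mersenne Twister and not a cryptographically secure generator; since this value is the shared secret between the API server and the SSO server, generate it with `SecureRandom` (for example `c.app_secret = SecureRandom.hex(32)`), and the same applies to the `ruby -e 'puts rand(...)'` snippets this hunk uses for other secrets. The console response shown as `=> "save this string for your API server's sso_app_secret"` reads as an instruction rather than as the value Rails would echo; show a placeholder value there and move the instruction into prose, otherwise readers will look for that literal string. Two smaller points: the Nginx block has `ssl on;` alongside the `listen ... :443 ssl` directive, which is redundant (`ssl on` is deprecated in favour of the listen parameter), and it sets no `ssl_protocols` or `ssl_ciphers`, so consider restricting to TLSv1.2 and newer; and the two `createuser` invocations for `arvados_sso` (one with `--createdb`, one without) should each say which platform they apply to, noting that `--createdb` is not needed when `createdb ... -O arvados_sso` is run by the `postgres` user.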
@@ -191,48 +269,21 @@ h3(#google). Google+ authentication
In order to use Google+ authentication, you must use the Google Developers Console to create a set of client credentials.
-# Go to the Google Developers Console and select or create a project; this will take you to the project page
-# On the sidebar, click on *APIs & auth* then select *APIs*
-## Search for "Contacts API" and click on "Enable API"
-## Search for "Google+ API" and click on "Enable API"
-# On the sidebar, click on *Credentials*; under *OAuth* click on "Create new Client ID" to bring up the "Create Client ID" dialog box
-# Under "Application type" select "Web application"
-# If the authorization origins are not displayed, clicking on "Create Client ID" will take you to *Consent screen* settings.
-## On consent screen settings, enter the appropriate details and click on "Save"
-## This will return you to the "Create Client ID" dialog box.
+# Go to the Google Developers Console and select or create a project; this will take you to the project page.
+# On the sidebar, click on *APIs & auth* then select *APIs*.
+## Search for *Contacts API* and click on *Enable API*.
+## Search for *Google+ API* and click on *Enable API*.
+# On the sidebar, click on *Credentials*; under *OAuth* click on *Create new Client ID* to bring up the *Create Client ID* dialog box.
+# Under *Application type* select *Web application*.
+# If the authorization origins are not displayed, clicking on *Create Client ID* will take you to *Consent screen* settings.
+## On consent screen settings, enter the appropriate details and click on *Save*.
+## This will return you to the *Create Client ID* dialog box.
# You must set the authorization origins. Edit @sso.your-site.com@ to the appropriate hostname that you will use to access the SSO service:
## JavaScript origin should be @https://sso.your-site.com/@
## Redirect URI should be @https://sso.your-site.com/users/auth/google_oauth2/callback@
-# Copy the values of "Client ID" and "Client secret" from the Google Developers Console into the Google section of @config/application.yml@, like this:
+# Copy the values of *Client ID* and *Client secret* from the Google Developers Console into the Google section of @config/application.yml@, like this:
# Google API tokens required for OAuth2 login.
google_oauth2_client_id: "---YOUR---CLIENT---ID---HERE--"-
google_oauth2_client_secret: "---YOUR---CLIENT---SECRET---HERE--"-
-
-h2(#start). Start the SSO server
-
-h3. Run a standalone passenger server
-
-
-~/sso-devise-omniauth-provider$ RAILS_ENV=production passenger start
-=============== Phusion Passenger Standalone web server started ===============
-...
-
-
-
-You can now test your installation by going to the page reported by passenger as "Accessible via: ..."
-
-Note, if you get the following warning "you may safely ignore it:":https://stackoverflow.com/questions/10374871/no-secret-option-provided-to-racksessioncookie-warning
-
-
-Connecting to database specified by database.yml
-App 4574 stderr: SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
-App 4574 stderr: This poses a security threat. It is strongly recommended that you
-App 4574 stderr: provide a secret to prevent exploits that may be possible from crafted
-App 4574 stderr: cookies. This will not be supported in future versions of Rack, and
-App 4574 stderr: future versions will even invalidate your existing user cookies.
-App 4574 stderr:
-App 4574 stderr: Called from: /var/lib/gems/2.1.0/gems/actionpack-3.2.8/lib/action_dispatch/middleware/session/abstract_store.rb:28:in `initialize'.
-App 4592 stdout:
-
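Review bot: this hunk deletes the "Start the SSO server" section together with its advice to ignore the `SECURITY WARNING: No secret option provided to Rack::Session::Cookie` message, but the replacement text visible here does not say where the session secret lives in the packaged layout, nor how to verify the server is up (the removed "Accessible via: ..." check has no counterpart). Add a short verification step and a sentence pointing at the configuration file that sets the session secret, so readers are not left guessing whether unsigned session cookies are still a concern. Also, the unchanged configuration example `google_oauth2_client_id: "---YOUR---CLIENT---ID---HERE--"-` has a stray `-` after the closing quote (the following `google_oauth2_client_secret` line has the same), which makes the snippet invalid YAML when pasted; drop the trailing character on both lines.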