X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/a04ea95e79c60ed2a54eaec5b5c2e235fe39ef9a..620fb9e0a294f8910ae82c9c38df69976f911c08:/doc/install/install-sso.html.textile.liquid
diff --git a/doc/install/install-sso.html.textile.liquid b/doc/install/install-sso.html.textile.liquid
index 4f6a9771f1..4fe1fb157b 100644
--- a/doc/install/install-sso.html.textile.liquid
+++ b/doc/install/install-sso.html.textile.liquid
@@ -6,52 +6,107 @@ title: Install Single Sign On (SSO) server
h2(#dependencies). Install dependencies
-Make sure you have "Ruby and Bundler":install-manual-prerequisites-ruby.html installed.
+h3(#install_git_curl). Install git and curl
+
+{% include 'install_git_curl' %}
+
+h3(#install_ruby_and_bundler). Install Ruby and Bundler
+
+{% include 'install_ruby_and_bundler' %}
+
+h3(#install_postgres). Install PostgreSQL
+
+{% include 'install_postgres' %}
h2(#install). Install SSO server
-h3. Get SSO server code and create database
+h3. Get SSO server code and run bundle
-~$ cd $HOME # (or wherever you want to install)
~$ git clone https://github.com/curoverse/sso-devise-omniauth-provider.git
~$ cd sso-devise-omniauth-provider
-~/sso-devise-omniauth-provider$ bundle install
-~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake db:create
-~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake db:migrate
-
~/sso-devise-omniauth-provider$ cp -i config/application.yml.example config/application.yml
+
~/sso-devise-omniauth-provider$ cp -i config/initializers/secret_token.rb.example config/initializers/secret_token.rb
-~/sso-devise-omniauth-provider$ rake secret
+
~/sso-devise-omniauth-provider$ ruby -e 'puts "#{rand(2**64).to_s(36)[0,5]}"'
+abcde
+
-~/sso-devise-omniauth-provider$ ruby -e 'puts rand(2**400).to_s(36)'
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
-
-~/sso-devise-omniauth-provider$ cp -i config/environments/production.rb.example config/environments/production.rb
-
~/sso-devise-omniauth-provider$ ruby -e 'puts rand(2**128).to_s(36)'
+abcdefghijklmnopqrstuvwxyz012345689
+
-Edit @config/environments/production.rb@ to set @config.google_oauth2_client_id@ and @config.google_oauth2_client_secret@. See "Omniauth Google OAuth2 gem documentation":https://github.com/zquestz/omniauth-google-oauth2 and "Using OAuth 2.0 to Access Google APIs":https://developers.google.com/accounts/docs/OAuth2 for information about using the "Google Developers Console":https://console.developers.google.com to get a Google client id and client secret.
+Create a new database user with permission to create its own databases.
-h3(#client). Create arvados-server client
+~/sso-devise-omniauth-provider$ sudo -u postgres createuser --createdb --encrypted -R -S --pwprompt arvados_sso
+Enter password for new role: paste-database-password-you-generated
+Enter it again: paste-database-password-you-generated
+
~/sso-devise-omniauth-provider$ rake secret
+~/sso-devise-omniauth-provider$ cp -i config/database.yml.example config/database.yml
+~/sso-devise-omniauth-provider$ edit config/database.yml
+
~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake db:setup
+
~/sso-devise-omniauth-provider$ sudo -u postgres createdb arvados_sso_production -E UTF8 -O arvados_sso -T template0
+~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake db:schema:load
+~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake db:seed
+
~/sso-devise-omniauth-provider$ ruby -e 'puts rand(2**400).to_s(36)'
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rails console
:001 > c = Client.new
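Review bot: the step `edit config/database.yml` is left undocumented, and the prompt text `paste-database-password-you-generated` does not say which of the three generated strings is meant; spell out that the password typed at `createuser --pwprompt arvados_sso` is the `rand(2**128)` output and that the same value, the role name `arvados_sso` and the database name `arvados_sso_production` are what go into `config/database.yml`. Also, the resulting sequence runs `RAILS_ENV=production bundle exec rake db:setup` and then `createdb arvados_sso_production ... -T template0`, `rake db:schema:load` and `rake db:seed`; `db:setup` already creates the database and loads the schema, so keep one path (the explicit `createdb` + `db:schema:load` + `db:seed` matches the new `createuser` step) and drop the other, and likewise drop the duplicated `rake secret` line since its output is no longer used here.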
@@ -63,9 +118,36 @@ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rake assets:precompile
+
++ # If true, allow new creation of new accounts in the SSO server's internal + # user database. + allow_account_registration: false -Instead of relying on an upstream authentication such as Google, you can create accounts on the SSO server manually. + # If true, send an email confirmation before activating new accounts in the + # SSO server's internal user database (otherwise users are activated immediately.) + require_email_confirmation: false ++ +For more information about configuring backend support for sending email (required to send email confirmations) see "Configuring Action Mailer":http://guides.rubyonrails.org/configuring.html#configuring-action-mailer + +If @allow_account_registration@ is false, you may manually create local accounts on the SSO server from the rails console:
~/sso-devise-omniauth-provider$ RAILS_ENV=production bundle exec rails console
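Review bot: the two new flags are documented separately but the combination that matters is not: state that with `allow_account_registration: true` and `require_email_confirmation: false` anyone who can reach the SSO server can self-register an account that is active immediately, so the defaults of `false` should be changed together and email confirmation configured first via the linked Action Mailer guide. Minor: the comment reads "allow new creation of new accounts" (duplicated "new"), and the closing period in "(otherwise users are activated immediately.)" belongs outside the parenthesis.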
@@ -76,26 +158,81 @@ Instead of relying on an upstream authentication such as Google, you can create
+ use_ldap: + title: Example LDAP + host: ldap.example.com + port: 636 + method: ssl + base: "ou=Users, dc=example, dc=com" + uid: uid + email_domain: example.com + #bind_dn: "some_user" + #password: "some_password" ++ +table(table). +|_. Option|_. Description| +|title |Title displayed to the user on the login page| +|host |LDAP server hostname| +|port |LDAP server port| +|method|One of "plain", "ssl", "tls"| +|base |Directory lookup base| +|uid |User id field used for directory lookup| +|email_domain|Strip off specified email domain from login and perform lookup on bare username| +|bind_dn|If required by server, username to log with in before performing directory lookup| +|password|If required by server, password to log with before performing directory lookup| + +h3(#google). Google+ authentication + +In order to use Google+ authentication, you must use the Google Developers Console to create a set of client credentials. + +# Go to the Google Developers Console and select or create a project; this will take you to the project page. +# On the sidebar, click on *APIs & auth* then select *APIs*. +## Search for *Contacts API* and click on *Enable API*. +## Search for *Google+ API* and click on *Enable API*. +# On the sidebar, click on *Credentials*; under *OAuth* click on *Create new Client ID* to bring up the *Create Client ID* dialog box. +# Under *Application type* select *Web application*. +# If the authorization origins are not displayed, clicking on *Create Client ID* will take you to *Consent screen* settings. +## On consent screen settings, enter the appropriate details and click on *Save*. +## This will return you to the *Create Client ID* dialog box. +# You must set the authorization origins. 
Edit @sso.your-site.com@ to the appropriate hostname that you will use to access the SSO service: +## JavaScript origin should be @https://sso.your-site.com/@ +## Redirect URI should be @https://sso.your-site.com/users/auth/google_oauth2/callback@ +# Copy the values of *Client ID* and *Client secret* from the Google Developers Console into the Google section of @config/application.yml@, like this: -h2. Start the SSO server +
# Google API tokens required for OAuth2 login.
+ google_oauth2_client_id: "---YOUR---CLIENT---ID---HERE--"-
+ google_oauth2_client_secret: "---YOUR---CLIENT---SECRET---HERE--"-
~/arvados/services/api$ RAILS_ENV=production bundle exec rails server
+~/sso-devise-omniauth-provider$ RAILS_ENV=production passenger start
+=============== Phusion Passenger Standalone web server started ===============
+...
+Connecting to database specified by database.yml +App 4574 stderr: SECURITY WARNING: No secret option provided to Rack::Session::Cookie. +App 4574 stderr: This poses a security threat. It is strongly recommended that you +App 4574 stderr: provide a secret to prevent exploits that may be possible from crafted +App 4574 stderr: cookies. This will not be supported in future versions of Rack, and +App 4574 stderr: future versions will even invalidate your existing user cookies. +App 4574 stderr: +App 4574 stderr: Called from: /var/lib/gems/2.1.0/gems/actionpack-3.2.8/lib/action_dispatch/middleware/session/abstract_store.rb:28:in `initialize'. +App 4592 stdout: +
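Review bot: the sample `passenger start` output added here includes `SECURITY WARNING: No secret option provided to Rack::Session::Cookie` and presents it as normal startup; either trim it from the expected output or, better, explain that it means the session secret was not set and point back to the `config/initializers/secret_token.rb` and `rake secret` steps earlier in the page so the reader knows how to make it go away. Three further points: the retained line `~/arvados/services/api$ RAILS_ENV=production bundle exec rails server` is in the wrong directory for this server and duplicates the new `passenger start` line, so it should be removed; the `method` row of the LDAP table should note that `plain` sends the bind password and user credentials unencrypted, with `ssl` (port 636, as in the sample) or `tls` being the expected settings; and the sample lines `google_oauth2_client_id: "---YOUR---CLIENT---ID---HERE--"-` and `google_oauth2_client_secret: "---YOUR---CLIENT---SECRET---HERE--"-` carry a trailing `-` after the closing quote that looks like a stray character and would not parse as intended YAML.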