X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/f01f7eebfe771300be72d1bec5b4fab664138feb..eee302a3157296bccf40e9b83f52c2952294a04e:/doc/install/setup-login.html.textile.liquid
diff --git a/doc/install/setup-login.html.textile.liquid b/doc/install/setup-login.html.textile.liquid
index 069519a26d..aec82cfe2a 100644
--- a/doc/install/setup-login.html.textile.liquid
+++ b/doc/install/setup-login.html.textile.liquid
@@ -12,17 +12,28 @@ SPDX-License-Identifier: CC-BY-SA-3.0
Select one of the following login mechanisms for your cluster.
# If all users will authenticate with Google, "configure Google login":#google.
+# If all users will authenticate with an OpenID Connect provider (other than Google), "configure OpenID Connect":#oidc.
# If all users will authenticate with an existing LDAP service, "configure LDAP":#ldap.
# If all users will authenticate using PAM as configured on your controller node, "configure PAM":#pam.
-# If you need to enable multiple authentication methods, "configure a separate single sign-on (SSO) server":#sso.
h2(#google). Google login
With this configuration, users will sign in with their Google accounts.
-First, visit "Setting up Google auth.":google-auth.html
-
-Next, enable Google login and copy the values of *Client ID* and *Client secret* from the Google Developers Console into the @Login.Google@ section of @config.yml@:
+Use the Google Developers Console to create a set of client credentials.
+# Select or create a project.
+# Click *+ Enable APIs and Services*.
+#* Search for *People API* and click *Enable API*.
+#* Navigate back to the main "APIs & Services" page.
+# On the sidebar, click *OAuth consent screen*.
+#* On consent screen settings, enter your identifying details.
+#* Under *Authorized domains* add your domain (@example.com@).
+#* Click *Save*.
+# On the sidebar, click *Credentials*, then click *Create credentials*→*OAuth client ID*
+# Under *Application type* select *Web application*.
+# Add the JavaScript origin: @https://ClusterID.example.com/@
+# Add the Redirect URI: @https://ClusterID.example.com/login@
+# Copy the values of *Client ID* and *Client secret* to the @Login.Google@ section of @config.yml@.
Login:
@@ -32,6 +43,21 @@ Next, enable Google login and copy the values of *Client ID* and *Client secret*
ClientSecret: "zzzzzzzzzzzzzzzzzzzzzzzz"
+h2(#oidc). OpenID Connect
+
+With this configuration, users will sign in with a third-party OpenID Connect provider. The provider will supply appropriate values for the issuer URL, client ID, and client secret config entries.
+
+
+ Login:
+ OpenIDConnect:
+ Enable: true
+ Issuer: https://accounts.example.com/
+ ClientID: "0123456789abcdef"
+ ClientSecret: "zzzzzzzzzzzzzzzzzzzzzzzz"
+
+
+Check the OpenIDConnect section in the "default config file":{{site.baseurl}}/admin/config.html for more details and configuration options.
+
h2(#ldap). LDAP
With this configuration, authentication uses an external LDAP service like OpenLDAP or Active Directory.
@@ -77,9 +103,3 @@ The default PAM configuration on most Linux systems uses the local password data
PAM can also be configured to use different backends like LDAP. In a production environment, PAM configuration should use the service name ("arvados" by default) to set a separate policy for Arvados logins: generally, Arvados users should not have shell accounts on the controller node.
For information about configuring PAM, refer to the "PAM System Administrator's Guide":http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html.
-
-h2(#sso). Separate single-sign-on (SSO) server
-
-With this configuration, Arvados passes off authentication to a separate SSO server that supports Google, LDAP, and a local password database.
-
-See "Install the Single Sign On (SSO) server":install-sso.html