Provided installation guide

The installation procedure is based on the guides prepared for CentOS, available at https://docs.getindico.io/en/stable/installation/production/centos/

...

To allow users federated login, we chose to configure two external IdPs in which the Indico service provider is registered. One of them is the local PSNC SSO, which is useful for debugging sessions and for checking that user attributes are mapped properly. For this purpose, a designated realm client was prepared that allows configuring OAuth flows for Indico. The second one is a client obtained by registering our test instance of Indico as a service provider in EUROFusion EduTeams. This opens the possibility of logging users in through a common, widely accessible federated identity provider. The registration was done by filling in the appropriate service provider registration request form.

Eduteams service provider registration

Email account configuration

An email account is used to communicate with users in flows that require interaction. It is used for one-way communication only, so incoming emails do not need to be handled. We therefore use an email account with a configured alias (no-reply@indico-test.eufus.psnc.pl) and configured the service of this email domain.

Email is used in the registration flow (users receive activation links to confirm their email addresses) and in password change flows.

Configuration

Basic configuration

Code Block
# General settings
SQLALCHEMY_DATABASE_URI = 'postgresql:///indico'
# Random per-instance secret; keep the real value out of documentation
SECRET_KEY = b'##########'
BASE_URL = 'https://indico-test.eufus.psnc.pl'
CELERY_BROKER = 'redis://127.0.0.1:6379/0'
REDIS_CACHE_URL = 'redis://127.0.0.1:6379/1'
DEFAULT_TIMEZONE = 'Europe/Warsaw'
DEFAULT_LOCALE = 'en_US'
ENABLE_ROOMBOOKING = False
CACHE_DIR = '/opt/indico/cache'
TEMP_DIR = '/opt/indico/tmp'
LOG_DIR = '/opt/indico/log'
STORAGE_BACKENDS = {'default': 'fs:/opt/indico/archive'}
ATTACHMENT_STORAGE = 'default'

STATIC_FILE_METHOD = ('xaccelredirect', {'/opt/indico': '/.xsf/indico'})

Integration with EduTEAMS

Code Block
...
AUTH_PROVIDERS = {
    'eduteams': {
        'type': 'authlib',
        'title': 'Eurofusion EduTEAMS',
        'authlib_args': {
            'client_id': '##########',
            'client_secret': '##########',
            'server_metadata_url': 'https://proxy.acc.eurofusion.eduteams.org/.well-known/openid-configuration',
            'client_kwargs': {'scope': 'openid email profile'}
        },
        'callback_uri': '/multipass/authlib/eduteams',
        'user_info_endpoint': 'https://proxy.acc.eurofusion.eduteams.org/OIDC/userinfo',
        'use_id_token': False,
    },
    # ...
    # other authentication provider definitions go here
}

IDENTITY_PROVIDERS = {
    'eduteams': {
        'type': 'authlib',
        'title': 'Eurofusion IDP',
        'mapping': {
            'first_name': 'given_name',
            'last_name': 'family_name',
            'email': 'email'
        },
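        # Enable only when the IdP guarantees that users control the asserted address:
        # Indico then links the login to an existing account with that email.
        'trusted_email': True,
        'synced_fields': {'first_name', 'last_name'}
    },
    # other IdPs go here
    # ...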
}

PROVIDER_MAP = {
    'eduteams': 'eduteams',
    # ...
    # other IdP mappings go here
}

Integration with another OIDC identity provider

Code Block
AUTH_PROVIDERS = {
    # ...
    'keycloakdev': {
        'type': 'authlib',
        'title': 'Devel KEYCLOAK [test purpose]',
        'authlib_args': {
            'client_id': 'indico-test.eufus.psnc.pl',
            'client_secret': '##########',
            'server_metadata_url': 'https://keycloak-dev.apps.paas-dev.psnc.pl/auth/realms/indico-oneprovider.onedata.edu.pl/.well-known/openid-configuration',
            'client_kwargs': {'scope': 'openid email profile'}
        },
        'callback_uri': '/multipass/authlib/keycloakdev',
        'use_id_token': True,
    }
}

IDENTITY_PROVIDERS = {
    # ...
    'keycloakdev': {
        'type': 'authlib',
        'title': 'KeycloakDEV IDP',
        'mapping': {
            'first_name': 'given_name',
            'last_name': 'family_name',
            'email': 'email'
        },
        'trusted_email': True,
    }
}

PROVIDER_MAP = {
    # ...
    'keycloakdev': 'keycloakdev'
}
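
The three dictionaries in the two integration sections have to agree with each other and with the IdP endpoints. The following is an added example, not part of the original page or of Indico: `lint_providers` and the sample hosts are hypothetical, and it assumes that an auth provider without a PROVIDER_MAP entry links to the identity provider of the same name.

```python
from urllib.parse import urlsplit

def lint_providers(auth, identity, provider_map):
    """Return findings for Indico-style AUTH_PROVIDERS / IDENTITY_PROVIDERS dicts."""
    findings = []
    for name, cfg in auth.items():
        args = cfg.get('authlib_args', {})
        meta = urlsplit(args.get('server_metadata_url', ''))
        if meta.scheme != 'https':
            findings.append(f'{name}: server_metadata_url is not https')
        # A userinfo endpoint on a different host would receive the access token.
        info = cfg.get('user_info_endpoint')
        if info and urlsplit(info).netloc != meta.netloc:
            findings.append(f'{name}: user_info_endpoint host differs from metadata host')
        scope = args.get('client_kwargs', {}).get('scope', '').split()
        if 'openid' not in scope:
            findings.append(f'{name}: scope lacks openid')
        # Assumption: an unmapped auth provider uses the same-named identity provider.
        target = provider_map.get(name, name)
        if target not in identity:
            findings.append(f'{name}: identity provider {target!r} is not defined')
    for name in provider_map:
        if name not in auth:
            findings.append(f'{name}: PROVIDER_MAP key is not an auth provider')
    for name, cfg in identity.items():
        if cfg.get('trusted_email'):
            findings.append(f'{name}: trusted_email is on, confirm the IdP verifies addresses')
    return findings

# Constructed sample configuration (hosts and provider names are placeholders).
SAMPLE_AUTH = {
    'good': {'type': 'authlib', 'authlib_args': {
        'server_metadata_url': 'https://idp.example.org/.well-known/openid-configuration',
        'client_kwargs': {'scope': 'openid email profile'}},
        'user_info_endpoint': 'https://idp.example.org/OIDC/userinfo'},
    'bad': {'type': 'authlib', 'authlib_args': {
        'server_metadata_url': 'http://dev.example.org/.well-known/openid-configuration',
        'client_kwargs': {'scope': 'email profile'}},
        'user_info_endpoint': 'https://other.example.net/userinfo'},
}
SAMPLE_IDENTITY = {
    'good': {'mapping': {'email': 'email'}, 'trusted_email': True},
}
SAMPLE_MAP = {'good': 'good', 'bad': 'missing', 'stale': 'good'}

if __name__ == '__main__':
    print('\n'.join(lint_providers(SAMPLE_AUTH, SAMPLE_IDENTITY, SAMPLE_MAP)))
```

Running it against the real `indico.conf` values before a restart catches a renamed provider key or a copied endpoint that points at the wrong IdP.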

Email communication

Code Block
# Email settings
SMTP_SERVER = ('smtp.man.poznan.pl', 587)
SMTP_USE_TLS = True
SMTP_LOGIN = '##########'
SMTP_PASSWORD = '##########'
SUPPORT_EMAIL = '############'
PUBLIC_SUPPORT_EMAIL = '##########'
NO_REPLY_EMAIL = 'no-reply@indico-test.eufus.psnc.pl'

SSL certificates

SSL certificates are located in `/etc/letsencrypt/live/indico-test.eufus.psnc.pl/`

...

Configuration of used SSL certificates is described in `/etc/nginx/conf.d/indico.conf`

Indico service maintenance

Restart service:

Code Block
sudo systemctl restart nginx.service indico-celery.service indico-uwsgi.service

...