An Indico test instance has been deployed on a dedicated OpenStack virtual machine for testing and as a reference integration with EUROFusion EduTEAMS. The test instance is available at https://indico-test.eufus.psnc.pl

...

Installation guide used

The installation procedure follows the Indico production guide for CentOS, available at https://docs.getindico.io/en/stable/installation/production/centos/

Initial steps

The Indico service has to run on a dedicated machine. An OpenStack virtual machine with CentOS 7 as the operating system was chosen (note that CentOS 7 reached end of life on 30 June 2024 and no longer receives security updates, so the OS of a production deployment should be revisited).

A domain name was chosen and registered for the VM so that the service can be reached; it is set to https://indico-test.eufus.psnc.pl/

TLS certificates are obtained from Let's Encrypt and are renewed automatically with certbot.

A full Indico configuration needs at least one email address in a properly registered email domain; that account is then used in the Indico configuration for outgoing mail. The test instance uses a mailbox hosted by PSNC for a specially created LDAP user account, with the registered email domain and an alias on that LDAP account connected to it (used only for sending; incoming messages are discarded).

To allow federated login, two external identity providers (IdPs) were configured, with the Indico service provider registered in each. The first is the local PSNC SSO (Keycloak), useful for debugging sessions and for checking that user attributes are mapped correctly; a dedicated realm client was prepared there to configure the OAuth/OIDC flows for Indico. The second is the client obtained by registering the test instance as a service provider in EUROFusion EduTEAMS, which lets users log in through a widely accessible federated identity provider. This was done by filling in the EduTEAMS service provider registration request form.

Eduteams service provider registration

Email account configuration

An email account is used to communicate with users in flows that need their interaction. Communication is one-way, so incoming mail does not need to be handled. The instance therefore uses a mailbox with a configured alias (no-reply@indico-test.eufus.psnc.pl) and mail service configured for that email domain.

Email is used in the registration flow (users receive an activation link to confirm that they control the address) and in the password change flow.

Configuration

Basic configuration

Code Block
# General settings
SQLALCHEMY_DATABASE_URI = 'postgresql:///indico'
# 32 random bytes, masked here like the other secrets: it signs session cookies and tokens,
# so anyone who obtains it can forge them. Never publish the real value.
SECRET_KEY = b'##########'
BASE_URL = 'https://indico-test.eufus.psnc.pl'
CELERY_BROKER = 'redis://127.0.0.1:6379/0'
REDIS_CACHE_URL = 'redis://127.0.0.1:6379/1'
DEFAULT_TIMEZONE = 'Europe/Warsaw'
DEFAULT_LOCALE = 'en_US'
ENABLE_ROOMBOOKING = False
CACHE_DIR = '/opt/indico/cache'
TEMP_DIR = '/opt/indico/tmp'
LOG_DIR = '/opt/indico/log'
STORAGE_BACKENDS = {'default': 'fs:/opt/indico/archive'}
ATTACHMENT_STORAGE = 'default'

# Email settings (STARTTLS on port 587; credentials masked)
SMTP_SERVER = ('smtp.man.poznan.pl', 587)
SMTP_USE_TLS = True
SMTP_LOGIN = '##########'
SMTP_PASSWORD = '##########'
SUPPORT_EMAIL = '############'
PUBLIC_SUPPORT_EMAIL = '##########'
NO_REPLY_EMAIL = 'no-reply@indico-test.eufus.psnc.pl'

# Static files are served by nginx via X-Accel-Redirect instead of by the Python process
STATIC_FILE_METHOD = ('xaccelredirect', {'/opt/indico': '/.xsf/indico'})

Integration with EduTEAMS

Code Block
...
AUTH_PROVIDERS = {
    'eduteams': {
        'type': 'authlib',
        'title': 'Eurofusion EduTEAMS',
        'authlib_args': {
            'client_id': '##########',
            'client_secret': '##########',
            'server_metadata_url': 'https://proxy.acc.eurofusion.eduteams.org/.well-known/openid-configuration',
            'client_kwargs': {'scope': 'openid email profile'}
        },
        'callback_uri': '/multipass/authlib/eduteams',
        # user attributes are fetched from the userinfo endpoint rather than read from the ID token
        'user_info_endpoint': 'https://proxy.acc.eurofusion.eduteams.org/OIDC/userinfo',
        'use_id_token': False,
    },
    ...
    # other authentication provider definitions go here
}

IDENTITY_PROVIDERS = {
    'eduteams': {
        'type': 'authlib',
        'title': 'Eurofusion IDP',
        # Indico field -> OIDC claim
        'mapping': {
            'first_name': 'given_name',
            'last_name': 'family_name',
            'email': 'email'
        },
        # the email from EduTEAMS is accepted as verified and used to link the login
        # to an existing Indico account with the same address
        'trusted_email': True,
        'synced_fields': {'first_name', 'last_name'}
    },
    # other identity provider definitions go here
    ...
}

PROVIDER_MAP = {
    'eduteams': 'eduteams',
    ...
    # other identity provider mappings go here
}

Integration with another OIDC identity provider (Keycloak)

Code Block
AUTH_PROVIDERS = {
    ...
    'keycloakdev': {
        'type': 'authlib',
        'title': 'Devel KEYCLOAK [test purpose]',
        'authlib_args': {
            'client_id': 'indico-test.eufus.psnc.pl',
            'client_secret': '##########',
            'server_metadata_url': 'https://keycloak-dev.apps.paas-dev.psnc.pl/auth/realms/indico-oneprovider.onedata.edu.pl/.well-known/openid-configuration',
            'client_kwargs': {'scope': 'openid email profile'}
        },
        'callback_uri': '/multipass/authlib/keycloakdev',
        # user attributes are read from the ID token (no userinfo call)
        'use_id_token': True,
    }
}

IDENTITY_PROVIDERS = {
    ...
    'keycloakdev': {
        'type': 'authlib',
        'title': 'KeycloakDEV IDP',
        'mapping': {
            'first_name': 'given_name',
            'last_name': 'family_name',
            'email': 'email'
        },
        # only set this if the realm verifies email addresses: Indico links the
        # login to any existing account with the same email
        'trusted_email': True,
    }
}

PROVIDER_MAP = {
    ...
    'keycloakdev': 'keycloakdev'
}
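Before restarting the services with a new `indico.conf`, it is worth checking that the three dictionaries agree with each other: every entry in AUTH_PROVIDERS needs a PROVIDER_MAP entry pointing at an IDENTITY_PROVIDERS entry, `trusted_email` only makes sense when the `email` scope is actually requested (with `trusted_email` set, Indico links the login to any existing account with that email address, so the IdP must have verified it), and the `##########` placeholders copied from this page must be replaced with real values. The linter below is an added example written for this guide; it is not part of the original page, of Indico or of Flask-Multipass. It parses the configuration with Python's `ast` module instead of importing it, so nothing in the file is executed, and it covers both the EduTEAMS and the Keycloak wiring above as well as the SECRET_KEY from the basic configuration. The embedded sample configuration is constructed for the example: the Keycloak host is replaced by a made-up `.invalid` name to trigger the https check, its secrets are invented, and the `/multipass/authlib/<name>` callback convention it enforces is the one used on this page rather than a requirement of Indico.

```python
"""Lint an indico.conf before deploying it (added example for this guide, not
code from the original page, Indico or Flask-Multipass). The file is parsed
with ast, so nothing in it is executed; provider wiring and masked secrets
are checked."""
import ast
import re
from typing import Any, Dict, List

PLACEHOLDER = re.compile(r"#+")   # masked value, as written on the page
MIN_SECRET_KEY_BYTES = 32          # the key shown in the guide is 32 bytes

# Constructed sample based on the page's wiring, with deliberate mistakes: weak
# SECRET_KEY, placeholder secrets, http metadata URL (constructed .invalid host),
# trusted_email without the email scope, and a stale PROVIDER_MAP entry.
SAMPLE_CONF = r"""
SECRET_KEY = b'changeme'
AUTH_PROVIDERS = {
    'eduteams': {
        'authlib_args': {
            'client_id': '##########',
            'client_secret': '##########',
            'server_metadata_url': 'https://proxy.acc.eurofusion.eduteams.org/.well-known/openid-configuration',
            'client_kwargs': {'scope': 'openid email profile'},
        },
        'callback_uri': '/multipass/authlib/eduteams',
    },
    'keycloakdev': {
        'authlib_args': {
            'client_id': 'indico-test.eufus.psnc.pl',
            'client_secret': 'constructed-dev-secret',
            'server_metadata_url': 'http://keycloak-dev.example.invalid/.well-known/openid-configuration',
            'client_kwargs': {'scope': 'openid profile'},
        },
        'callback_uri': '/multipass/authlib/keycloakdev',
    },
}
IDENTITY_PROVIDERS = {
    'eduteams': {'mapping': {'email': 'email'}, 'trusted_email': True},
    'keycloakdev': {'mapping': {'email': 'email'}, 'trusted_email': True},
}
PROVIDER_MAP = {'eduteams': 'eduteams', 'keycloakdev': 'keycloakdev', 'keycloakold': 'keycloakdev'}
"""


def load_conf(text: str) -> Dict[str, Any]:
    """Collect top-level `NAME = <literal>` assignments without executing the file."""
    settings: Dict[str, Any] = {}
    for node in ast.parse(text).body:
        if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            try:
                settings[node.targets[0].id] = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                pass  # not a plain literal (e.g. a function call); skipped
    return settings


def _is_placeholder(value: Any) -> bool:
    text = value.decode('latin-1') if isinstance(value, bytes) else str(value)
    return PLACEHOLDER.fullmatch(text) is not None


def lint(settings: Dict[str, Any]) -> List[str]:
    """Return sorted problem strings; an empty list means the wiring is consistent."""
    problems: List[str] = []
    key = settings.get('SECRET_KEY', b'')
    if not isinstance(key, (bytes, str)) or _is_placeholder(key) or len(key) < MIN_SECRET_KEY_BYTES:
        problems.append('SECRET_KEY: use a random value of at least 32 bytes; it signs sessions and tokens')
    auth, idps = settings.get('AUTH_PROVIDERS', {}), settings.get('IDENTITY_PROVIDERS', {})
    pmap = settings.get('PROVIDER_MAP', {})  # assumed to map auth provider -> one idp name
    for name, prov in auth.items():
        args = prov.get('authlib_args', {})
        for field in ('client_id', 'client_secret'):
            if _is_placeholder(args.get(field, '')):
                problems.append(f'{name}: {field} is still a placeholder')
        if not str(args.get('server_metadata_url', '')).startswith('https://'):
            problems.append(f'{name}: server_metadata_url must be https; discovery supplies endpoints and keys')
        scope = str(args.get('client_kwargs', {}).get('scope', '')).split()
        if prov.get('callback_uri') != f'/multipass/authlib/{name}':
            problems.append(f'{name}: callback_uri does not follow /multipass/authlib/<name> as used in this guide')
        idp = idps.get(pmap.get(name, ''))
        if idp is None:
            problems.append(f'{name}: PROVIDER_MAP does not link it to a configured identity provider')
            continue
        if 'email' not in idp.get('mapping', {}):
            problems.append(f'{name}: identity provider mapping has no email; users cannot be matched')
        if idp.get('trusted_email') and 'email' not in scope:
            problems.append(f'{name}: trusted_email is set but the email scope is not requested')
    problems.extend(f'PROVIDER_MAP: {n!r} is not a configured auth provider' for n in pmap if n not in auth)
    return sorted(problems)


def lint_text(text: str) -> List[str]:
    return lint(load_conf(text))


if __name__ == '__main__':
    print('\n'.join(lint_text(SAMPLE_CONF)) or 'no problems found')
```

Run as a script it prints the six problems in the built-in sample; to check a real deployment, read the deployed `indico.conf` (under `/opt/indico/etc/` in the CentOS guide) and pass its contents to `lint_text`. The `ast` approach is deliberate: importing the config would execute arbitrary Python from a file that also holds the SMTP password and client secrets.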

Email communication

Code Block
# Email settings
SMTP_SERVER = ('smtp.man.poznan.pl', 587)
SMTP_USE_TLS = True
SMTP_LOGIN = '##########'
SMTP_PASSWORD = '##########'
SUPPORT_EMAIL = '############'
PUBLIC_SUPPORT_EMAIL = '##########'
NO_REPLY_EMAIL = 'no-reply@indico-test.eufus.psnc.pl'

SSL certificates

The TLS certificates are located in `/etc/letsencrypt/live/indico-test.eufus.psnc.pl/`.

Obtaining a new SSL certificate based on certbot

Code Block
sudo certbot --nginx --rsa-key-size 4096 --no-redirect --staple-ocsp -d indico-test.eufus.psnc.pl

The `--no-redirect` option stops certbot from adding an HTTP-to-HTTPS redirect to the nginx configuration, so that redirect has to be provided by the existing server block; `--staple-ocsp` enables OCSP stapling. Renewal can be verified without issuing a new certificate with `sudo certbot renew --dry-run`.

The nginx configuration that references these certificates is in `/etc/nginx/conf.d/indico.conf`.

Indico service maintenance

Restart service:

Code Block
sudo systemctl restart nginx.service indico-celery.service indico-uwsgi.service

Using the Indico shell (useful for debugging sessions)

Code Block
(indico) [indico@oneprovider ~]$ . .venv/bin/activate
(indico) [indico@oneprovider ~]$ indico shell
Indico v3.0.3 is ready for your commands
In [1]:

...