Provided installation guide
The installation procedure is based on the guides prepared for CentOS, available at https://docs.getindico.io/en/stable/installation/production/centos/
Initial steps
The Indico service has to be deployed on a machine. We chose to run it on an OpenStack virtual machine with CentOS 7 as the operating system.
...
To allow federated login, Indico has to be integrated with external identity providers. We chose to configure two external IDPs in which the Indico service provider is registered. One of them is the local PSNC SSO, which is useful for debugging sessions and for checking that user attributes are mapped properly. For this purpose, a designated realm client was prepared that allows configuring OAuth flows for Indico. The second one is the client obtained by registering our test instance of Indico as a service provider in EUROFusion EduTeams. This makes it possible to log users in through a common, widely accessible federated identity provider. The registration was done by filling in the appropriate service provider registration request form.
Eduteams service provider registration
Email account configuration
An email account is used to communicate with users in flows that need interaction. It is used for one-way communication only, so incoming email does not need to be handled. We therefore use an email account with a configured alias (no-reply@indico-test.eufus.psnc.pl) and have configured the service for this email domain.
Email is used in the registration flow (users receive activation links to confirm their email addresses) or in password-change flows.
Configuration
Basic configuration
```python
# General settings
SQLALCHEMY_DATABASE_URI = 'postgresql:///indico'
SECRET_KEY = b'_B\x11=\x8e\x8b\x7f\xdd\xf1\xe8>in\xd6\xb8m\xcb\xcf\x86\x05\xc0W\xc3\x02\x03\xb1\x7f\xf8Y\xb4\xa6\\'
BASE_URL = 'https://indico-test.eufus.psnc.pl'
CELERY_BROKER = 'redis://127.0.0.1:6379/0'
REDIS_CACHE_URL = 'redis://127.0.0.1:6379/1'
DEFAULT_TIMEZONE = 'Europe/Warsaw'
DEFAULT_LOCALE = 'en_US'
ENABLE_ROOMBOOKING = False
CACHE_DIR = '/opt/indico/cache'
TEMP_DIR = '/opt/indico/tmp'
LOG_DIR = '/opt/indico/log'
STORAGE_BACKENDS = {'default': 'fs:/opt/indico/archive'}
ATTACHMENT_STORAGE = 'default'
STATIC_FILE_METHOD = ('xaccelredirect', {'/opt/indico': '/.xsf/indico'})
```
Integration with EduTEAMS
```python
# ...
AUTH_PROVIDERS = {
    'eduteams': {
        'type': 'authlib',
        'title': 'Eurofusion EduTEAMS',
        'authlib_args': {
            'client_id': '##########',
            'client_secret': '##########',
            'server_metadata_url': 'https://proxy.acc.eurofusion.eduteams.org/.well-known/openid-configuration',
            'client_kwargs': {'scope': 'openid email profile'}
        },
        'callback_uri': '/multipass/authlib/eduteams',
        'user_info_endpoint': 'https://proxy.acc.eurofusion.eduteams.org/OIDC/userinfo',
        'use_id_token': False,
    },
    # ... other authentication provider definitions go here
}

IDENTITY_PROVIDERS = {
    'eduteams': {
        'type': 'authlib',
        'title': 'Eurofusion IDP',
        'mapping': {
            'first_name': 'given_name',
            'last_name': 'family_name',
            'email': 'email'
        },
        'trusted_email': True,
        'synced_fields': {'first_name', 'last_name'}
    },
    # ... other IDPs go here
}

PROVIDER_MAP = {
    'eduteams': 'eduteams',
    # ... other IDP mappings go here
}
```
Integration with another OIDC IDP
```python
AUTH_PROVIDERS = {
    # ...
    'keycloakdev': {
        'type': 'authlib',
        'title': 'Devel KEYCLOAK [test puprose]',
        'authlib_args': {
            'client_id': 'indico-test.eufus.psnc.pl',
            'client_secret': '##########',
            'server_metadata_url': 'https://keycloak-dev.apps.paas-dev.psnc.pl/auth/realms/indico-oneprovider.onedata.edu.pl/.well-known/openid-configuration',
            'client_kwargs': {'scope': 'openid email profile'}
        },
        'callback_uri': '/multipass/authlib/keycloakdev',
        'use_id_token': True,
    }
}

IDENTITY_PROVIDERS = {
    # ...
    'keycloakdev': {
        'type': 'authlib',
        'title': 'KeycloakDEV IDP',
        'mapping': {
            'first_name': 'given_name',
            'last_name': 'family_name',
            'email': 'email'
        },
        'trusted_email': True,
    }
}

PROVIDER_MAP = {
    # ...
    'keycloakdev': 'keycloakdev'
}
```
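The attribute-mapping check that the debugging IDP is meant for can be rehearsed offline. The block below is an added example, not part of the original guide or of Indico's code: `check_mapping`, `SAMPLES` and the sample claims are constructed for illustration. The `email_verified` test is an extra check suggested here, on the assumption that with `trusted_email` set to `True` the address supplied by the provider is treated as trustworthy.

```python
"""Offline check of an IDENTITY_PROVIDERS 'mapping' against decoded OIDC claims."""

# Mapping and trusted_email value as configured for both providers on this page.
MAPPING = {'first_name': 'given_name', 'last_name': 'family_name', 'email': 'email'}
TRUSTED_EMAIL = True


def check_mapping(claims, mapping=MAPPING, trusted_email=TRUSTED_EMAIL):
    """Return (indico_fields, problems) for one set of claims from the IdP."""
    fields, problems = {}, []
    for indico_field, claim in mapping.items():
        value = claims.get(claim)
        if isinstance(value, str) and value.strip():
            fields[indico_field] = value.strip()
        else:
            problems.append(f'{indico_field}: claim {claim!r} missing or empty')
    # trusted_email=True means the provider's address is taken as proven, so a
    # claim set that does not assert email_verified=true deserves a closer look.
    if trusted_email and 'email' in fields and claims.get('email_verified') is not True:
        problems.append('email: trusted_email is True but email_verified is not true')
    return fields, problems


# Constructed sample claims (not real users), shaped like a userinfo response
# or a decoded ID token for the 'openid email profile' scope.
SAMPLES = {
    'complete': {'sub': 'a1', 'given_name': 'Ada', 'family_name': 'Nowak',
                 'email': 'ada@example.org', 'email_verified': True},
    'no_family_name': {'sub': 'b2', 'given_name': 'Jan', 'name': 'Jan Kowalski',
                       'email': 'jan@example.org', 'email_verified': True},
    'unverified_email': {'sub': 'c3', 'given_name': 'Ewa', 'family_name': 'Lis',
                         'email': 'ewa@example.org', 'email_verified': False},
}

if __name__ == '__main__':
    for name, claims in SAMPLES.items():
        fields, problems = check_mapping(claims)
        print(name, fields, problems or 'OK')
```

Feed it the claims captured from a test login against the debugging IDP; an empty problem list means every mapped Indico field is populated.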
Email communication
```python
# Email settings
SMTP_SERVER = ('smtp.man.poznan.pl', 587)
SMTP_USE_TLS = True
SMTP_LOGIN = '##########'
SMTP_PASSWORD = '##########'
SUPPORT_EMAIL = '############'
PUBLIC_SUPPORT_EMAIL = '##########'
NO_REPLY_EMAIL = 'no-reply@indico-test.eufus.psnc.pl'
```
SSL certificates
SSL certificates are located in `/etc/letsencrypt/live/indico-test.eufus.psnc.pl/`
...
The configuration of the SSL certificates in use is described in `/etc/nginx/conf.d/indico.conf`
Indico service maintenance
Restart service:
```bash
sudo systemctl restart nginx.service indico-celery.service indico-uwsgi.service
```
...