
1. Provided installation guide

The installation procedure is based on the CentOS production guide available at https://docs.getindico.io/en/stable/installation/production/centos/

Initial steps

The Indico service has to be deployed on a host. It was chosen to run it on an OpenStack virtual machine with CentOS 7 as the OS.

A target domain was chosen and registered for this VM so that the service can be reached. It is set to https://indico-test.eufus.psnc.pl/

SSL certificates are obtained from Let's Encrypt and are configured to be renewed using certbot.

For full configuration of the Indico service we need at least an email address in a proper email domain; that account is then used in the Indico configuration. The test instance uses an email account served by PSNC for a specially created LDAP user account, together with a registered email domain whose alias is connected to that LDAP account (used only for sending emails; incoming messages are discarded).

To allow users a federated login, we chose to configure two external IdPs with which the Indico service provider is registered. The first one is the local PSNC SSO, useful for debugging sessions and for checking that user attributes are mapped correctly; for this purpose a dedicated realm client was prepared that allows configuring OAuth flows for Indico. The second one is the client obtained by registering our test instance of Indico as a service provider in EUROfusion EduTEAMS, which opens the possibility of logging in users through a common, widely accessible federated identity provider. This was done by filling in the appropriate service provider registration request form.

1.1. Eduteams service provider registration

1.2. Email account configuration

An email account is used to communicate with users in flows that need interaction. It is used for one-way communication only, so we do not need to handle incoming emails. We therefore use an email account with a configured alias (no-reply@indico-test.eufus.psnc.pl) and a configured mail service for this email domain.

Email communication is used in the registration flow (users receive activation links to confirm their email addresses) and in password-change flows.

1.3. Configuration

1.4. Basic configuration

# General settings
SQLALCHEMY_DATABASE_URI = 'postgresql:///indico'
SECRET_KEY = b'_B\x11=\x8e\x8b\x7f\xdd\xf1\xe8>in\xd6\xb8m\xcb\xcf\x86\x05\xc0W\xc3\x02\x03\xb1\x7f\xf8Y\xb4\xa6\\'
BASE_URL = 'https://indico-test.eufus.psnc.pl'
CELERY_BROKER = 'redis://127.0.0.1:6379/0'
REDIS_CACHE_URL = 'redis://127.0.0.1:6379/1'
DEFAULT_TIMEZONE = 'Europe/Warsaw'
DEFAULT_LOCALE = 'en_US'
ENABLE_ROOMBOOKING = False
CACHE_DIR = '/opt/indico/cache'
TEMP_DIR = '/opt/indico/tmp'
LOG_DIR = '/opt/indico/log'
STORAGE_BACKENDS = {'default': 'fs:/opt/indico/archive'}
ATTACHMENT_STORAGE = 'default'

STATIC_FILE_METHOD = ('xaccelredirect', {'/opt/indico': '/.xsf/indico'})

1.5. Integration with EduTEAMS

...
AUTH_PROVIDERS = {
    'eduteams': {
        'type': 'authlib',
        'title': 'Eurofusion EduTEAMS',
        'authlib_args': {
            'client_id': '##########',
            'client_secret': '##########',
            'server_metadata_url': 'https://proxy.acc.eurofusion.eduteams.org/.well-known/openid-configuration',
            'client_kwargs': {'scope': 'openid email profile'}
        },
        'callback_uri': '/multipass/authlib/eduteams',
        'user_info_endpoint': 'https://proxy.acc.eurofusion.eduteams.org/OIDC/userinfo',
        'use_id_token': False,
    },
    ...
    # other authentication provider definitions go here
}

IDENTITY_PROVIDERS = {
    'eduteams': {
        'type': 'authlib',
        'title': 'Eurofusion IDP',
        'mapping': {
            'first_name': 'given_name',
            'last_name': 'family_name',
            'email': 'email'
        },
        'trusted_email': True,
        'synced_fields': {'first_name', 'last_name'}
    },
    # other identity providers go here
    ...
}

PROVIDER_MAP = {
    'eduteams': 'eduteams',
    ...
    # other identity provider mappings go here
}

1.6. Integration with another OIDC identity provider

AUTH_PROVIDERS = {
    ...
    'keycloakdev': {
        'type': 'authlib',
        'title': 'Devel KEYCLOAK [test puprose]',
        'authlib_args': {
            'client_id': 'indico-test.eufus.psnc.pl',
            'client_secret': '##########',
            'server_metadata_url': 'https://keycloak-dev.apps.paas-dev.psnc.pl/auth/realms/indico-oneprovider.onedata.edu.pl/.well-known/openid-configuration',
            'client_kwargs': {'scope': 'openid email profile'}
        },
        'callback_uri': '/multipass/authlib/keycloakdev',
        'use_id_token': True,
    }
}

IDENTITY_PROVIDERS = {
    ...
    'keycloakdev': {
        'type': 'authlib',
        'title': 'KeycloakDEV IDP',
        'mapping': {
            'first_name': 'given_name',
            'last_name': 'family_name',
            'email': 'email'
        },
        'trusted_email': True,
    }
}

PROVIDER_MAP = {
    ...
    'keycloakdev': 'keycloakdev'
}
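The EduTEAMS entry above reads identities from the userinfo endpoint (use_id_token False) while the Keycloak entry reads them from the ID token, and both rely on the requested scopes releasing the claims used in the mapping. The following script is an added consistency check for fragments like those in sections 1.5 and 1.6; it is not part of the page or of Indico/flask-multipass. The provider entry, URLs and credential values are constructed, and it assumes PROVIDER_MAP values are plain strings as on this page and that a missing use_id_token means True.

```python
import re

# Constructed fragment modelled on the page's eduteams entry; URLs and ids are made up.
AUTH_PROVIDERS = {
    'eduteams': {
        'type': 'authlib',
        'authlib_args': {
            'client_id': 'indico-test-client',
            'client_secret': '##########',  # placeholder left in on purpose
            'server_metadata_url': 'https://idp.example.org/.well-known/openid-configuration',
            'client_kwargs': {'scope': 'openid email profile'}},
        'callback_uri': '/multipass/authlib/eduteams',
        'use_id_token': False}}  # no user_info_endpoint: deliberately wrong
IDENTITY_PROVIDERS = {
    'eduteams': {
        'type': 'authlib',
        'mapping': {'first_name': 'given_name', 'last_name': 'family_name', 'email': 'email'},
        'trusted_email': True}}
PROVIDER_MAP = {'eduteams': 'eduteams'}  # assumed: plain string values, as on the page

# OIDC scope that releases each standard claim (OpenID Connect Core, section 5.4).
CLAIM_SCOPE = {'given_name': 'profile', 'family_name': 'profile', 'email': 'email'}


def check_providers(auth, idps, pmap):
    """Return a list of problems; an empty list means the three dicts agree."""
    problems = []
    for name, ap in auth.items():
        args = ap.get('authlib_args', {})
        scopes = set(args.get('client_kwargs', {}).get('scope', '').split())
        for key in ('client_id', 'client_secret'):
            if re.fullmatch(r'#*', args.get(key, '')):
                problems.append(f'{name}: {key} is still a placeholder')
        if not args.get('server_metadata_url', '').startswith('https://'):
            problems.append(f'{name}: server_metadata_url must use https')
        if ap.get('callback_uri') != f'/multipass/authlib/{name}':
            problems.append(f'{name}: callback_uri does not match the provider name')
        # Assumption: a missing use_id_token is treated as True here.
        if not ap.get('use_id_token', True) and not ap.get('user_info_endpoint'):
            problems.append(f'{name}: use_id_token=False requires user_info_endpoint')
        idp = idps.get(pmap.get(name))
        if idp is None:
            problems.append(f'{name}: PROVIDER_MAP points to no IDENTITY_PROVIDERS entry')
            continue
        for field, claim in idp.get('mapping', {}).items():
            needed = CLAIM_SCOPE.get(claim)
            if needed and needed not in scopes:
                problems.append(f'{name}: {field} <- {claim} needs the {needed} scope')
        if idp.get('trusted_email') and 'email' not in scopes:
            problems.append(f'{name}: trusted_email=True but the email scope is not requested')
    return problems
```

Run it against the real indico.conf values before restarting the service; a non-empty list points at the entry and the setting that needs fixing.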

1.7. Email communication

# Email settings
SMTP_SERVER = ('smtp.man.poznan.pl', 587)
SMTP_USE_TLS = True
SMTP_LOGIN = '##########'
SMTP_PASSWORD = '##########'
SUPPORT_EMAIL = '############'
PUBLIC_SUPPORT_EMAIL = '##########'
NO_REPLY_EMAIL = 'no-reply@indico-test.eufus.psnc.pl'

1.8. SSL certificates

SSL certificates are located in `/etc/letsencrypt/live/indico-test.eufus.psnc.pl/`

Obtaining a new SSL certificate with certbot:

sudo certbot --nginx --rsa-key-size 4096 --no-redirect --staple-ocsp -d indico-test.eufus.psnc.pl

The obtained certificates are placed in the `/etc/letsencrypt/live/indico-test.eufus.psnc.pl/` directory.

The nginx configuration that references these SSL certificates is in `/etc/nginx/conf.d/indico.conf`.

1.9. Indico service maintenance

Restarting the services:

sudo systemctl restart nginx.service indico-celery.service indico-uwsgi.service

Using the Indico shell (useful for debugging sessions):

(indico) [indico@oneprovider ~]$ . .venv/bin/activate
(indico) [indico@oneprovider ~]$ indico shell
Indico v3.0.3 is ready for your commands
In [1]: