2016-09-12 17:29:44 +02:00
# How to configure Fab-manager to use a Single Sign-On authentication?
2020-02-26 10:19:43 +01:00
For this guide, we will use [GitHub ](https://developer.github.com/v3/oauth/ ) as an example authentication provider, because it uses OAuth 2.0 which is currently implemented in Fab-manager, it has a standard implementation of the protocol and it is free to use for everyone.
2016-09-12 17:29:44 +02:00
- First, you must have a GitHub account. This is free, so create one if you don't have any.
Visit https://github.com/join?source=login to create an account.
2020-02-26 10:19:43 +01:00
- Secondly, you will need to register your Fab-manager instance as an application in GitHub.
2016-09-12 17:29:44 +02:00
Visit https://github.com/settings/applications/new to register your instance.
2020-02-26 10:19:43 +01:00
- In `Application name` , we advise you to set the same name as your Fab-manager's instance title.
- In `Homepage URL` , put the public URL where your Fab-manager's instance is located (eg. https://example.com).
2016-10-07 17:11:58 +08:00
- In `Authorization callback URL` , you must specify an URL that will match this scheme: https://example.com/users/auth/oauth2-github/callback
2020-02-26 10:19:43 +01:00
- **example.com** is your own Fab-manager's address
- **oauth2-github** match the provider's "strategy name" in the Fab-manager.
2016-10-07 17:11:58 +08:00
It is composed of: **SSO's protocol** , _dash_ , **slug of the provider's name** .
2020-02-26 10:19:43 +01:00
If you have a doubt about what it will be, set any value, create the authentication provider in your Fab-manager (see below), then the strategy's name will be shown in the providers list.
2019-10-01 15:54:16 +02:00
Afterwards, edit your app on GitHub to set the correct name.
2016-10-07 17:11:58 +08:00
- You'll be redirected to a page displaying two important information: your **Client ID** and your **Client Secret** .
2016-09-12 17:29:44 +02:00
2020-02-26 10:19:43 +01:00
- Now go to your Fab-manager's instance, login as an administrator, go to `Users management` and `Authentication` .
2016-09-12 17:29:44 +02:00
Click `Add a new authentication provider` , and select _OAuth 2.0_ in the `Authentication type` drop-down list.
2016-09-12 17:55:07 +02:00
In `name` , you can set whatever you want, but you must be aware that:
2016-09-12 17:29:44 +02:00
1. You will need to type this name in a terminal to activate the provider, so prefer avoiding chars that must be escaped.
2016-09-12 17:55:07 +02:00
2. This name will be occasionally displayed to end users, so prefer sweet and speaking names.
2016-09-13 12:06:25 +02:00
3. The slug of this name is used in the callback URL provided to the SSO server (eg. /users/auth/oauth2-**github**/callback)
2016-09-12 17:29:44 +02:00
- Fulfill the form with the following parameters:
2016-09-13 11:25:07 +02:00
- **Common URL**: `https://github.com/login/oauth/` This is the common part in the URLs of the two following parameters.
- **Authorization endpoint**: `authorize` This URL can be found [here ](https://developer.github.com/v3/oauth/ ).
2016-10-07 17:11:58 +08:00
- **Token Acquisition Endpoint**: `access_token` This URL can be found [here ](https://developer.github.com/v3/oauth/ ).
2016-09-12 17:29:44 +02:00
- **Profile edition URL**: `https://github.com/settings/profile` This is the URL where you are directed when you click on `Edit profile` in your GitHub dashboard.
- **Client identifier**: Your Client ID, collected just before.
- **Client secret**: Your Client Secret, collected just before.
2020-02-26 10:19:43 +01:00
- Then you will need to define the matching of the fields between the Fab-manager and what the external SSO can provide.
2016-09-12 17:55:07 +02:00
Please note that the only mandatory field is `User.uid` .
To continue with our GitHub example, you will need to look at [this documentation page ](https://developer.github.com/v3/users/#get-the-authenticated-user ) to know witch field can be mapped and how, and [this one ](https://developer.github.com/v3/ ) to know the root URL of the API.
2016-09-12 17:29:44 +02:00
- **Model**: `User`
- **Field**: `uid`
- **API endpoint URL**: `https://api.github.com/user` Here you can set a complete URL **OR** only an endpoint referring to the previously set **Common URL** .
- **API type**: `JSON` Only JSON API are currently supported
- **API fields**: `id` According to the GitHub API documentation, this is the name of the JSON field which uniquely identify the user.
2016-10-07 17:11:58 +08:00
Once you have completed and validated the mapping's line, an information button will be available.
2016-09-15 17:45:59 +02:00
A click on it will show you the type of data expected from the API and, in some cases, you'll be able to configure a transformation.
2016-09-28 12:14:21 +02:00
For example, the `Profile.gender` field require a boolean attribute but your API may return strings like `man / woman` .
2016-09-15 17:45:59 +02:00
In this case, you'll be able to configure a transformation for `man` < - > `true` and `woman` < - > `false` .
2016-10-07 17:11:58 +08:00
2016-09-12 17:55:07 +02:00
Now, you are free to map more fields, like `Profile.github` to `html_url` , or `Profile.avatar` to `avatar_url` ...
2016-09-12 17:29:44 +02:00
- Once you are done, your newly created authentication provider, will be marked as **Pending** in the authentication providers list.
To set it as the current active provider, you must open a terminal on the hosting server (and/or container) and run the following commands:
2016-10-07 17:11:58 +08:00
2016-09-12 17:29:44 +02:00
```bash
# replace GitHub with the name of the provider you just created
2019-02-13 12:59:28 +01:00
rake fablab:auth:switch_provider[GitHub]
2016-09-12 17:29:44 +02:00
```
2016-10-07 17:11:58 +08:00
- As the command just prompted you, you have to re-compile the assets
2016-09-28 12:14:21 +02:00
- In development, `rake tmp:clear` will do the job.
- In production with Docker, `rm -rf public/assets` , followed by `docker-compose run --rm fabmanager bundle exec rake assets:precompile`
2016-09-12 17:29:44 +02:00
- Then restart the web-server or the container.
2016-09-12 17:55:07 +02:00
- Finally, to notify all existing users about the change (and send them their migration code/link), run:
2016-09-12 17:29:44 +02:00
```bash
2019-02-13 12:59:28 +01:00
rake fablab:auth:notify_changed
2016-09-12 17:29:44 +02:00
```