Deployment and Administration guide
This is the INDIGO IAM deployment and administration guide.
Requirements
Docker
The IAM service is currently distributed as a docker image from Dockerhub, so in order to run the service, you will need:
Docker v. 1.11.1 or greater
If you want to use docker-compose to deploy the service, you will also need
docker-compose v.1.7.0 or greater
MariaDB/MySQL
The IAM service stores its information in a MariaDB/MySQL database.
NGINX
The IAM service is designed to run as a backend Java application behind an NGINX reverse proxy (it could run equally well behind Apache, but we tested it behind NGINX).
Configuration
Prerequisites
In order to run a production instance of the IAM, you will need:
An X.509 certificate, used for SSL termination at the NGINX reverse proxy
A JSON keystore holding the keys used to sign JSON Web Tokens. You can use this handy tool to generate JSON web keys for your service
If you enable SAML login:
SAML metadata for your SAML federation
SAML metadata for the IAM service
MySQL configuration
Create a database and a user with read, write and schema-change privileges on that database.
NGINX configuration
Configure NGINX to act as a reverse proxy for the IAM backend application.
The example configuration below is taken from the docker file for the IAM development environment:
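As an added illustration (not the IAM project's own development configuration), the following NGINX server block terminates TLS with the X.509 certificate from the prerequisites and proxies to the IAM backend. It assumes the backend container is reachable as iam-backend on port 8080, the host name iam.example.org and the certificate paths under /etc/nginx/certs/; all three are constructed placeholders.

```nginx
# Added example, not the IAM project's own configuration.
# Assumptions (constructed): backend reachable as "iam-backend" on port 8080,
# host name iam.example.org, certificate and key under /etc/nginx/certs/.
server {
    listen 443 ssl;
    server_name iam.example.org;

    ssl_certificate     /etc/nginx/certs/iam.example.org.cert.pem;
    ssl_certificate_key /etc/nginx/certs/iam.example.org.key.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://iam-backend:8080;
        # Pass the original host and scheme so the backend builds https://
        # URLs (login redirects, issuer, discovery document) rather than http://.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Send plain-HTTP requests to HTTPS so credentials and tokens are never sent in clear.
server {
    listen 80;
    server_name iam.example.org;
    return 301 https://$host$request_uri;
}
```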
JSON web keys generation
Checkout the json-web-key-generator repository:
Build the code with:
Generate a key with the following command:
Save the output of the above command (minus the initial "Full key:" text) in a file.
IAM docker image
The IAM service is provided on the following Dockerhub repositories:
indigoiam/iam-login-service
indigodatacloud/iam-login-service
We keep the images in sync, so the following instructions apply to images fetched from either repository.
IAM configuration
The IAM service is configured via spring profiles and environment variables.
IAM profiles
IAM profiles are used to enable or disable groups of IAM functionality. Currently the following profiles are defined:
Profiles are enabled by setting the spring.profiles.active Java system property when starting the IAM service. With the official IAM docker image, this is done by setting the IAM_JAVA_OPTS environment variable as follows:
Service configuration
All configurable aspects of the IAM are configured via environment variables.
Database access options
Google authentication options
SAML authentication options
Notification service options
The IAM notification service uses an external SMTP server to send email notifications. The table below lists the options for configuring the SMTP server.
Specific options:
Example configuration
The IAM service is run by starting the docker container with the following command:
The env file content is the following: