This page describes how to enable users to use more than one upstream identity provider to log into the same Arvados account. This can be used to migrate account providers, for example, from LDAP to Google. In order to do this, users must be able to log into both the “old” and “new” providers.
In application.yml for the SSO server, you can enable both google_oauth2 and ldap providers:

    production:
      google_oauth2_client_id: abcd
      google_oauth2_client_secret: abcd

      use_ldap:
        title: Example LDAP
        host: ldap.example.com
        port: 636
        method: ssl
        base: "ou=Users, dc=example, dc=com"
        uid: uid
        username: uid

Restart the SSO server after changing the configuration.
If the new account provider supplies an email address (primary or alternate) that matches an existing user account, the user will be logged into that account. No further migration is necessary, and the old provider can be removed from the SSO configuration.
If the new provider cannot provide matching email addresses, users will have to migrate manually by linking accounts.
After linking accounts, users can use the new provider to access their existing Arvados account.
Once all users have migrated, the old account provider can be removed from the SSO configuration.
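
A pre-cutover audit of the email-matching rule described above, as an added example that is not part of the Arvados documentation or code. It sorts existing accounts into those that will match automatically, those whose users must link accounts manually, and those claimed by more than one new-provider identity, which should be reviewed before the new provider is enabled. The account list, the provider directory and the case-insensitive comparison are constructed assumptions.

```python
"""Pre-migration audit: which accounts will match the new provider by email?"""
from collections import defaultdict

# Constructed sample data (assumption): emails of existing accounts, e.g. from a user export.
EXISTING_ACCOUNTS = ["alice@example.com", "bob@example.com", "carol@example.com"]

# Constructed sample data (assumption): identities at the new provider,
# each with its primary address followed by any alternates.
NEW_PROVIDER = {
    "alice.g": ["alice@example.com"],
    "robert.g": ["robert@gmail.example", "Bob@Example.com"],
    "dave.g": ["dave@gmail.example", "bob@example.com"],
}


def norm(email):
    # Assumption: addresses are trimmed and compared case-insensitively.
    return email.strip().lower()


def plan_migration(existing, provider):
    """Return (auto, manual, ambiguous).

    auto:      {account email: provider identity} matched by exactly one identity
    manual:    account emails with no match; these users must link accounts
    ambiguous: {account email: [identities]} claimed by more than one identity
    """
    accounts = {norm(e) for e in existing}
    claims = defaultdict(set)
    for identity, emails in provider.items():
        for email in map(norm, emails):
            if email in accounts:
                claims[email].add(identity)
    auto = {e: next(iter(ids)) for e, ids in claims.items() if len(ids) == 1}
    ambiguous = {e: sorted(ids) for e, ids in claims.items() if len(ids) > 1}
    manual = sorted(accounts - set(claims))
    return auto, manual, ambiguous


if __name__ == "__main__":
    auto, manual, ambiguous = plan_migration(EXISTING_ACCOUNTS, NEW_PROVIDER)
    print("auto-match:", auto)
    print("manual linking needed:", manual)
    print("review before cutover:", ambiguous)
```

An entry in the ambiguous group means two different identities at the new provider present an address belonging to the same existing account, so resolve ownership of that address before relying on automatic matching.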
The content of this documentation is licensed under the Creative Commons Attribution-Share Alike 3.0 United States licence.
Code samples in this documentation are licensed under the Apache License, Version 2.0.