hyphacoop / organizing

Coordination and documents for our member and board meetings 📑 🌴
https://meetings.hypha.coop

Meet.coop SSO plan #494

Closed ASoTNetworks closed 1 year ago

ASoTNetworks commented 2 years ago

When a user registers on Open Collective, it will also register them to Meet.coop's Keycloak. This will serve as our active member database.

When a user cancels their account from Open Collective, an email will be sent to the contact@ email notifying that the user has cancelled. This will not disable their Keycloak account in case it was not intentional.

List of tasks to set up SSO on CA and DE BBB servers:

ASoTNetworks commented 2 years ago

I got Greenlight to work with Keycloak to authenticate users. There is currently an issue where Greenlight does not support user roles from OpenID. https://github.com/bigbluebutton/greenlight/pull/2955

I will try and apply the patch and see if it will work.

benhylau commented 2 years ago

Can you describe how SSO is used in both the Greenlight instances and forum (is it used in forum?) and how OpenID roles are mapped to platform specific roles? For example, are admins and users in Greenlight two "roles"?

As far as I understand, BBB servers themselves have no SSO linkage. Just Greenlight, right?

Is there anything else that SSO is linked to? Not Open Collective right?

ASoTNetworks commented 2 years ago

I haven't looked into the inner workings of the forums yet. For OpenID on Greenlight, Admin and Users are 2 different roles. We can add more when we need to.

BBB doesn't have any auth or database, and Greenlight will just make the room when started.

I haven't linked it to Open Collective yet.

ASoTNetworks commented 2 years ago

I got Keycloak running in production mode with PSQL as the database. Next is to figure out Open Collective linking.

ASoTNetworks commented 2 years ago

I have made a script that will fetch the member list and add new accounts to Keycloak, and it will send the users an email on how to set up their password. This script can be run using cron.

The current issue is that there are members that have a null email, which will not work as Greenlight requires an email and we are using that as the login.
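An illustrative sketch of the member sync described in the comment above, added here as an example; it is not meet.coop's script. The export field names, the email-as-username convention, the Keycloak user representation and the in-memory set of existing usernames are assumptions; the real script would POST each payload to the Keycloak admin API and then trigger the password-setup email.

```python
"""Plan an Open Collective -> Keycloak member sync, rejecting members with no usable email."""
import re

# Assumption: a minimal email sanity check; Greenlight needs a real address as the login.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample export (not real member data). Field names are assumed.
SAMPLE_MEMBERS = [
    {"name": "Alice Example", "email": "alice@example.org"},
    {"name": "Bob Example", "email": "bob@example.org"},
    {"name": "Carol NoMail", "email": None},                  # the null-email case from the thread
    {"name": "Alice Example", "email": "Alice@Example.org"},  # duplicate differing only in case
]


def to_keycloak_user(member):
    """Build a Keycloak admin-API user representation (assumed shape).

    No password is set here: the UPDATE_PASSWORD required action makes the user
    choose one via the emailed link, so the sync job never handles credentials.
    """
    email = member["email"].strip().lower()
    return {
        "username": email,  # email doubles as the login, as the thread notes
        "email": email,
        "enabled": True,
        "emailVerified": False,
        "requiredActions": ["UPDATE_PASSWORD"],
    }


def plan_sync(members, existing_usernames):
    """Return (payloads to create, rejected members, existing accounts absent from the export).

    Idempotent for cron: existing accounts are left untouched, duplicates are
    collapsed, and accounts missing from the export are only reported, never
    disabled, matching the 'notify contact@, do not disable' rule in the issue.
    """
    create, rejected, seen = [], [], set()
    for member in members:
        email = member.get("email")
        if not email or not EMAIL_RE.match(email):
            rejected.append(member)  # null or malformed email: cannot be a Greenlight login
            continue
        user = to_keycloak_user(member)
        key = user["username"]
        if key in seen:
            continue
        seen.add(key)
        if key not in existing_usernames:
            create.append(user)
    missing = sorted(set(existing_usernames) - seen)
    return create, rejected, missing
```

Rejected members are the ones to chase up with Open Collective for an email address; the missing list is what the cancellation notification to contact@ would be built from.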

benhylau commented 2 years ago

@ASoTNetworks can you give an update on this? We expect this to be deployed now right?

ASoTNetworks commented 2 years ago

We encountered some issues with SSL on the Greenlight instance but have solved them now.

This can be deployed to production once we figure out a migration plan for existing users. It turns out we cannot have both Greenlight local users and SSO with the DEFAULT_REGISTRATION setting set to closed, as SSO users are considered new users in Greenlight and that will prevent users from joining with SSO.

This requires ALLOW_GREENLIGHT_ACCOUNTS set to false, or it will allow anyone to register to Greenlight. This will also render all local accounts unusable.

For now we can use a script that runs each hour to create the Keycloak users, and we will try to use a webhook if it is possible and work with Open Collective to see if emails can be shared with the org.

ASoTNetworks commented 1 year ago

I have migrated the BBB servers to use SSO. Users can log in to https://de.meet.coop and https://ca.meet.coop using the SSO login.

Those that have admin access for user management can log into the Keycloak admin panel here: https://sso.meet.coop/admin/meet.coop/console with their SSO accounts.

LexaMichaelides commented 1 year ago

@ASoTNetworks should this issue be closed?

ASoTNetworks commented 1 year ago

Yep, this is done.