Deploy SSO system to production

[josereyero]

This is to be done ASAP, as soon as we are done with these issues and some testing (Fri, Mon?).

• https://github.com/thegooddata/social/issues/14
• https://github.com/thegooddata/social/issues/13

This release needs to be synced with the corresponding Webapp release.

For everybody:

• Please check your user account data (name, mail) in Webapp matches that of Collaborate (Automatic synchronization of user accounts will fail otherwise).
• We need to clean up OA admin accounts (tmpAdmin, tgdAdmin...?) and check there are matching ones in the Webapp.
• Please test SSO system in PRE

Note once we are done with this deployment regular login in OA will be gone and we will be able to log in only through the Webapp/SSO

[marcosmenendez]

I've tested it in preproduction and haven't found any issue.

With the version available in production I have though. I changed in OA my display name from "Marcos" to "marcos" and got this error message:

Problem deleting 2 drive permissions for user Marcos. Status message 3 drive permissions deleted for user Marcos 1 drive permission deleted for user Marcos The changes have been saved.

I wonder if the preproduction version will also have these kind of google drive problems when changing the username and/or the display name

[josereyero]

I've been checking the server logs and I think it is just due to Google Docs itself and file ownership. If files are owned by a user other than the OA google account (data, social, etc...), then we may not have enough privileges for all file operations.

I've tested with a different account, changing user name back and forth and cannot see any error. So my guess is it may happen only for users that are also file owners.

However, there shouldn't be any google drive updates when updating the user name alone. Those should happen only when updating user status (delete file permissions when blocking user, restore them when user unblocked). So there may be something buggy about the og_drive module...

Whatever we'd need some more data about when this happens for different user accounts.

Suggested workarounds:

• Upload all the new files from OA google drive tab. This will set right ownership and permissions for it.
• (Try) For files uploaded with different accounts, change sharing options. Example, for 'corporate@thegooddata.org', should be 'Is owner'. (Check out the File sharing options).

For the record, logged errors look like: 'Error removing permission for (gid,uid,fid,pid) (126,3,0B9en5ipBZkcTRFVTb1JyRFB0Mmc,08845009108336594524) : Error calling DELETE https://www.googleapis.com/drive/v2/files/0B9en5ipBZkcTRFVTb1JyRFB0Mmc/permissions/08845009108336594524: (403) Insufficient permissions for this file'

[josereyero]

Done with production deployment and some account clean up. Notes:

• Deployment tag tgd-7.x-0.4
• Deleted admin accounts other than user 1 (admin)
• Synchronized remaining accounts

Now SSO is fully enabled in OA. Login and registration can be done only through the Webapp.

Notes about admin account (admin):

• This is the only account that can be logged in in OA independently of the Webapp. This means you need to log out form the Webapp and OA separately.
• Login can be done either through the Webapp or through the backend (drush user-login)
• There's a permission for this: 'tgd sso local login', that right now only admin account has. The purpose of this is being able to restore the system from failure (reconfigure) in case the SSO system stops working.