FYI: recent developments in confluence plugin


FYI: recent developments in confluence plugin

Cantor, Scott E.
Most people using the SP with the Confluence wiki are using some variant of
the plugin Chad originally wrote and which was posted, in revised form,
here:

http://confluence.atlassian.com/display/CONFEXT/Shibboleth+Authenticator+for+Confluence

This isn't technically a plugin that is specific to Shibboleth, but does
rely on request headers as the communication path between the container
solution and the plugin.

A significant amount of work was done in the last year, accelerating in the
last few weeks, and a snapshot is available that people might want to play
with. The recent work post-dates the 1.4 release on the web site and has to
be built from subversion using maven, which is documented on the page.

Among the features that have been developed:

- handling case-folding bugs in Confluence users and groups
- reloading the properties file without restarting Confluence
- ability to map any header value to a group name using one or more regular
expressions
- option to auto-create groups
- option to bidirectionally synchronize groups with headers (that is, both
auto-add and remove a user from groups based on their headers at login time)

For the LDAP-allergic among us, this is a pretty good solution for syncing
your SAML attribute sources to local Confluence groups without much work,
and of course it's not limited to a single IdP as a source of those groups.

I just wanted to make people aware that it's been evolving a lot. If you
have comments about it or find bugs, you can use the jira you'll find on
that page.

Thanks to Bruc Liong and Vladimir Mencl for a ton of work on this.

-- Scott
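
Added example, not code from the plugin and not part of the post above: a Python sketch of the header-to-group regex mapping, case-folding, auto-create and bidirectional sync features listed in the announcement. The header names, regular expressions, group names and the `PROTECTED` set are assumptions for illustration; the plugin's own configuration format is not shown on this page.

```python
import re

# Hypothetical rules: (header name, regex applied to each value, group-name template).
RULES = [
    ("affiliation", re.compile(r"(staff|faculty)@example\.edu", re.I), r"\1"),
    ("entitlement", re.compile(r"urn:example:wiki:([a-z0-9-]+)", re.I), r"wiki-\1"),
]
# Locally managed groups that header-driven removal must never touch (assumption).
PROTECTED = {"confluence-users", "confluence-administrators"}


def header_values(raw):
    """Split a multi-valued header on unescaped ';' (the Shibboleth SP delimiter)."""
    parts = re.split(r"(?<!\\);", raw or "")
    return [p.replace("\\;", ";").strip() for p in parts if p.strip()]


def mapped_groups(headers, rules=RULES):
    """Return the case-folded group names the headers map to."""
    groups = set()
    for name, pattern, template in rules:
        for value in header_values(headers.get(name)):
            match = pattern.fullmatch(value)  # whole value must match, not a substring
            if match:
                groups.add(match.expand(template).casefold())
    return groups


def plan_sync(headers, current_groups, existing_groups, auto_create=False):
    """Compute group changes for one login without applying them."""
    wanted = mapped_groups(headers)
    current = {g.casefold() for g in current_groups}
    existing = {g.casefold() for g in existing_groups}
    create = wanted - existing if auto_create else set()
    add = (wanted - current) & (existing | create)
    remove = current - wanted - PROTECTED
    return {"create": sorted(create), "add": sorted(add), "remove": sorted(remove)}


# Constructed sample login: header values and group lists are made up.
SAMPLE_HEADERS = {
    "affiliation": "Staff@example.edu;member@example.edu",
    "entitlement": "urn:example:wiki:editors;urn:example:wiki:new-space",
}
SAMPLE_PLAN = plan_sync(
    SAMPLE_HEADERS,
    current_groups=["Faculty", "wiki-editors", "confluence-users"],
    existing_groups=["staff", "faculty", "wiki-editors", "confluence-users"],
    auto_create=True,
)

if __name__ == "__main__":
    print(SAMPLE_PLAN)
```

Because removal is driven entirely by what the headers say at login, the plan is only as trustworthy as the path that sets those headers, and any group assigned by hand needs to sit in the protected set or it is dropped on the next login.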



File Resolver initialization

peter williams-3
I'm doing debugging with a SP partner who is using bits of shib lib code, pulled off a more classical Shib deployment that works. I've no reason to believe they are doing it "correctly" in their own code path.

I don't suppose that the file system credential resolver imposes any PKI semantics when initializing itself?

We are pretty sure that the resolver plugin has been properly constructed, awaiting initialization. It's indicating an exception on attempting to initialize itself with a file system resolver string, on preparing to process SAML2 inbound posts (with an inline IDP cert).

If its XML initialization string points to a self-signed PEM cert (pulled from the SAML response with suitable formatting and headers), and also points to a private key that is NOT associated with that cert, would that cause an initialization issue (because cert and signing key don't match, semantically)?

(Don't shout at me... it's not my code or my build. If it was my code, I'd just single step the C++ source to find out. Unfortunately, the partner is working with a .NET C# src wrapper around the pre-compiled C++ shib libraries for Win32, and doesn't have a debug image of the library.)

RE: File Resolver initialization

Cantor, Scott E.
> If its XML initialization string points to a self-signed PEM cert (pulled
> from the SAML response with suitable formatting and headers), and also
> points to a private key that is NOT associated with that cert, would that
> cause an initialization issue (because cert and signing key don't match,
> semantically)?

Not in any released version. That was added to the branch recently in
response to a Jira request. It wasn't a change to the expected behavior,
just more error handling to detect problems. Of course, the exception it
raises in such a case tells you what the problem was.

> (Don't shout at me... it's not my code or my build. If it was my code, I'd
> just single step the C++ source to find out. Unfortunately, the partner is
> working with a .NET C# src wrapper around the pre-compiled C++ shib
> libraries for Win32, and doesn't have a debug image of the library.)

Well, handling exceptions is definitely a requirement here. Is there some
reason they can't detect the error and report what it was? I know little to
nothing about C#.

-- Scott



Email Etiquette: Replying to Mailing Lists

Chad La Joie
In reply to this post by peter williams-3
Here's a nice blog entry by Will talking about how replying to email
works.  I thought I'd send it since a number of people on this list (and
others) seem to have a mistaken impression on how email works.  Being
unable to use your email client properly makes reading and following
some of these discussions difficult and messes up the email archive.

http://willnorris.com/2008/12/email-etiquette-replying-to-mailing-lists

Thank Will, for the info!

And yes, I specifically did use "reply" in my non-reply.

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
[hidden email], http://www.switch.ch


Re: Email Etiquette: Replying to Mailing Lists

André Cruz-4
+1 for courtesy :)

André

On Jan 13, 2009, at 6:46 , Chad La Joie wrote:

> Here's a nice blog entry by Will talking about how replying to email
> works.  I thought I'd send it since a number of people on this list
> (and others) seem to have a mistaken impression on how email works.
> Being unable to use your email client properly makes reading and
> following some of these discussions difficult and messes up the email
> archive.
>
> http://willnorris.com/2008/12/email-etiquette-replying-to-mailing-lists
>
> Thank Will, for the info!
>
> And yes, I specifically did use "reply" in my non-reply.
>
> --
> SWITCH
> Serving Swiss Universities
> --------------------------
> Chad La Joie, Software Engineer, Net Services
> Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
> phone +41 44 268 15 75, fax +41 44 268 15 68
> [hidden email], http://www.switch.ch
>


Re: Email Etiquette: Replying to Mailing Lists

Tom Scavo
In reply to this post by Chad La Joie
As long as we're discussing etiquette :-) I'll mention that so-called
"top posting" is also way not cool.  Top posting is what I just did,
that is, inserting a blob of text at the very top of a reply.  To see
how replies *should* be formatted (out of courtesy for your readers),
look at any one of Scott's excellent replies:  always trimmed down
with inline comments for maximum readability.

Tom

On Tue, Jan 13, 2009 at 12:46 AM, Chad La Joie <[hidden email]> wrote:

> Here's a nice blog entry by Will talking about how replying to email
> works.  I thought I'd send it since a number of people on this list (and
> others) seem to have a mistaken impression on how email works.  Being
> unable to use your email client properly makes reading and following
> some of these discussions difficult and messes up the email archive.
>
> http://willnorris.com/2008/12/email-etiquette-replying-to-mailing-lists
>
> Thank Will, for the info!
>
> And yes, I specifically did use "reply" in my non-reply.
>
> --
> SWITCH
> Serving Swiss Universities
> --------------------------
> Chad La Joie, Software Engineer, Net Services
> Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
> phone +41 44 268 15 75, fax +41 44 268 15 68
> [hidden email], http://www.switch.ch
>
>

Re: Email Etiquette: Replying to Mailing Lists

Peter Schober
* Tom Scavo <[hidden email]> [2009-01-13 16:53]:
> To see how replies *should* be formatted (out of courtesy for your
> readers), look at any one of Scott's excellent replies: always
> trimmed down with inline comments for maximum readability.

But wait, there's more! :)
Those anal about their email will surely notice that Scott (or his
Mail User Agent) does not provide an attribute line, which means
that when replying to someone's email he's not providing the author's
name, email address or date/time. If you ever wondered "Who or which
mail exactly is he replying to here" you'll certainly see this is
helpful contextual information.

You may now return to discussing other bikesheds' colours.
(Not that I oppose education about netiquette as such, far from it.)

Cheers,
-peter

--
[hidden email] - vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140

Re: Email Etiquette: Replying to Mailing Lists

Peter Schober
* Peter Schober <[hidden email]> [2009-01-13 18:24]:
> Those anal about their email will surely notice that Scott (or his
> Mail User Agent) does not provide an attribute line

Seems I'm SAMLy challenged. It's an 'attribution line', of course.
-peter

RE: Email Etiquette: Replying to Mailing Lists

Cantor, Scott E.
In reply to this post by Peter Schober
> Those anal about their email will surely notice that Scott (or his
> Mail User Agent) does not provide an attribute line, which means
> that when replying to someone's email he's not providing the author's
> name, email address or date/time.

No, Outlook doesn't attribute, unfortunately.

As I commented to Chad recently, personally I hate mailing lists as a
substitute for newsgroups, and the NNTP readers I use(d) did support it. ;-)

> You may now return to discussing other bikesheds' colours.
> (Not that I oppose education about netiquette as such, far from it.)

We all have our bitches. I don't use threaded email, so the reply-to bug
doesn't affect me, whereas top posting drives me nuts.

-- Scott



Re: Email Etiquette: Replying to Mailing Lists

Christopher D. Clausen
Scott Cantor <[hidden email]> wrote:
> No, Outlook doesn't attribute, unfortunately.

Try:
http://home.in.tum.de/~jain/software/outlook-quotefix/

<<CDC


Re: Email Etiquette: Replying to Mailing Lists

Christopher M. Coballes
Hi IT Folks

Good Day.

It's got to be simple. Try to ask for some help, be pleasant and be thankful
and share your blessings, how the team gives you the benefit of learning
all these things. That's, I think, a simple protocol for how to reply in this forum.

Patience of generosity is beauty, arts, and if you can't
grasp it (ask your mommy - she will teach you values).

For there is no standard of pleasing others - just please them.
Thanks to all.

Christopher M. Coballes
Manila, Philippines




RE: Email Etiquette: Replying to Mailing Lists

peter williams-3

They are just having a go, at my expense.  If you come from the bottom of the class, you expect it after a while; it comes with being dumb.

If you are one of the intellectual elite who use threaded conversational email UIs for scholars, go for it! Those of us using Outlook in its default configuration, we will probably be event driven.


From: Christopher M. Coballes [mailto:[hidden email]]
Sent: Tuesday, January 13, 2009 7:49 PM
To: [hidden email]
Subject: Re: [Shib-Users] Email Etiquette: Replying to Mailing Lists

 

Hi IT Folks

Good Day.

It's got to be simple. Try to ask for some help, be pleasant and be thankful
and share your blessings, how the team gives you the benefit of learning
all these things. That's, I think, a simple protocol for how to reply in this forum.

Patience of generosity is beauty, arts, and if you can't
grasp it (ask your mommy - she will teach you values).

For there is no standard of pleasing others - just please them.
Thanks to all.

Christopher M. Coballes
Manila, Philippines


Re: Email Etiquette: Replying to Mailing Lists

Chad La Joie
It isn't about *you* (though the fact that you do this across multiple
email lists and now at least two of these lists cite it as a problem
should tell you something).  And it's not about the "intellectual elite"
who use something other than Outlook.  To me it's not even about
etiquette.  Email is a standard and replies work in a particular manner.
 It's not some great mystery, it's been around for about 20 years.  When
you choose to ignore how the system works it creates problems.

Yes, it's annoying for those of us who use email clients with threaded
views.  However it's more of an issue for the online email archives
which use the information, that you're corrupting, in order to build
indexes and views of the data. I haven't looked at our new email archive
sites recently, now that they have some data in them, but when it was
just Sympa this was a huge PITA as Sympa seems to index one random word
in the email and then provide only the thread view.

Peter Williams wrote:
> They are just having a go, at my expense.  If you come from the bottom of the class, you expect it after a while; it comes with being dumb.
>
> If you are one of the intellectual elite who use threaded conversational email UIs for scholars, go for it! Those of us using Outlook in its default configuration, we will probably be event driven.


--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
[hidden email], http://www.switch.ch


RE: Email Etiquette: Replying to Mailing Lists

peter williams-3
Where I remember, I'll not reply to an old email when composing. But don't expect too much compliance. My introductory experience to email was "cat ~/.mail | more".

----------

But to websso.

Can we just legitimately analyze what we just saw as "False and deceptive" use of email headers? Was it a classical imputation of abuse of cultural standard ...where the author later denied the pertinence of the issue presented in the headline. Is that an Etiquette double standard?

In Usenet culture, folks would now have an interesting debate about trolling. The trolling mudslinging is of course just a vehicle for periodically revisiting the "governance" topic - as an online community evolves.

The web/internet is evidently great for what it's targeted at, folks whose IT systems comply at ~80% with the technical standards, using software typically (re)written by folks from the bottom half of the class.  So, I just did a formal test of my skills in Word and Outlook (after 10+ years usage); I achieved the ~30% percentile, first try. If I buy the exam answers for the "ICDL" tests for 100$ from pass4sure (like most US candidates do, apparently), I'll assuredly get 100% score after only 30m of study. I'll be in the 99% percentile of the class, then!

It's not objectively clear that formal skill certification in an Outlook-centric governance culture is a proof of anything other than one candidate has money, whereas the other doesn't. Even if my hires are all tested and Office-monitored to uphold best practices, with little doubt my customers (who pay $6 a month for their professional IT services) will be like me. Being my customer, I'll have no recourse of complaint when they contaminate the high-assurance process environment I've set up. I'll be forced to counter that with guards that limit the contamination, probably through a risk management process. What else can I do? I cannot complain. It's not what vendors do. The customer is always right!

Your (non-)whine about email usage is just one of several, aimed at me recently (ol egotistical "me") - all due largely to the mental model that Outlook induces one to adopt. Label me stupid; I don't mind. It's absolutely true! 1 of the whiners declared the stupidity was evident from merely using Outlook!

It was interesting to note the cultural differences in the delivery means of the various forms of whining (and non-whining). Some used public email communications, but direct at least. Some used email private communications, but direct at least. Some used blogs, and probably giggled to each other in their linkback cliques.

The latter reminds me of Facebook culture, typical in 18-20 year old undergrads learning to network in a G3-size economy. Seeing as this is an increasingly dominant pattern of interaction, I think we have to learn to exploit this in websso design - adapting to exploit this "natural" groupware dynamic. People at work are what they are. They form small clubs of mutual interest, all centered around "me".

> -----Original Message-----
> From: Chad La Joie [mailto:[hidden email]]
> Sent: Wednesday, January 14, 2009 4:26 AM
> To: [hidden email]
> Subject: Re: [Shib-Users] Email Etiquette: Replying to Mailing Lists
>
> It isn't about *you* (though the fact that you do this across multiple
> email lists and now at least two of these lists cite it as a problem
> should tell you something).  And it's not about the "intellectual
> elite" who use something other than Outlook.  To me it's not even about
> etiquette.  Email is a standard and replies work in a particular
> manner.  It's not some great mystery, it's been around for about 20
> years.  When you choose to ignore how the system works it creates
> problems.
>
> Yes, it's annoying for those of us who use email clients with threaded
> views.  However it's more of an issue for the online email archives
> which use the information, that you're corrupting, in order to build
> indexes and views of the data. I haven't looked at our new email
> archive sites recently, now that they have some data in them, but when
> it was just Sympa this was a huge PITA as Sympa seems to index one
> random word in the email and then provide only the thread view.
>
> Peter Williams wrote:
> > They are just having a go, at my expense.  If you come from the
> > bottom of the class, you expect it after a while; it comes with being
> > dumb.
> >
> > If you are one of the intellectual elite who use threaded
> > conversational email UIs for scholars, go for it! Those of us using
> > Outlook in its default configuration, we will probably be event
> > driven.
>
>
> --
> SWITCH
> Serving Swiss Universities
> --------------------------
> Chad La Joie, Software Engineer, Net Services
> Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
> phone +41 44 268 15 75, fax +41 44 268 15 68
> [hidden email], http://www.switch.ch


Re: Email Etiquette: Replying to Mailing Lists

Christopher M. Coballes
In reply to this post by peter williams-3
Hi,

Well, I am just relating if this "threaded conversational email" for elite and dumb consciousness -> is a necessity to this Shibboleth Forum - "Non sequitur".
But if this is event driven... then OK, others might give help.

Thanks.

Christopher M. Coballes
PacMan's Country