Demo Gadget Gallery

January 20th, 2010

I’ve added a gallery for demo OpenSocial gadgets at http://itlab.stanford.edu/gadgets/.

Web Sequence Diagrams made easy

October 1st, 2009

Trying out WebSequenceDiagrams.com:

Browser->SP: GET /resource
note right of SP: SP determines that authentication is needed
SP->Browser: 302 Found, redirect to IdP
Browser->IdP: GET /SSO
note right of IdP: IdP determines if user is already authenticated
IdP->Browser: 302 Found, redirect back to SP with token
Browser->SP: GET /resource
SP->IdP: POST /AA
IdP->SP: 200 OK, SAML Assertion
SP->Browser: 200 OK, content
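The exchange in the diagram above, as an added example that is not part of the original post: a small Python simulation of both the SP and the IdP side. The one-time token, the 60-second maximum token age and the example hostnames are assumptions, not anything the diagram tool or a particular SAML deployment prescribes.

```python
import secrets
import time

class IdP:
    """Identity provider: authenticates the browser, issues one-time tokens."""
    def __init__(self, logged_in):
        self.logged_in = logged_in  # constructed: browser id -> user name
        self.tokens = {}            # token -> (user, issued_at), removed on use

    def sso(self, browser_id, return_to):
        """GET /SSO: 302 back to the SP with a token, or demand a login."""
        user = self.logged_in.get(browser_id)
        if user is None:
            return 401, "login required"
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (user, time.time())
        return 302, f"{return_to}?token={token}"

    def attribute_query(self, token):
        """POST /AA: resolve a token exactly once into an assertion."""
        entry = self.tokens.pop(token, None)  # pop: a replayed token fails
        if entry is None:
            return 403, None
        return 200, {"subject": entry[0], "issued": entry[1], "issuer": "idp"}

class SP:
    """Service provider: a token is only trusted after the IdP resolves it."""
    def __init__(self, idp, max_age=60):
        self.idp, self.max_age, self.sessions = idp, max_age, set()

    def get_resource(self, browser_id, token=None):
        """GET /resource: serve, redirect to the IdP, or reject a bad token."""
        if browser_id in self.sessions:
            return 200, "content"
        if token is None:
            return 302, "https://idp.example/SSO?return_to=https://sp.example/resource"
        status, assertion = self.idp.attribute_query(token)
        if status != 200 or time.time() - assertion["issued"] > self.max_age:
            return 403, "invalid or stale token"
        self.sessions.add(browser_id)
        return 200, "content"

def run_flow(browser_id, idp, sp):
    """Walk the diagram top to bottom; return the statuses the browser sees."""
    statuses = [sp.get_resource(browser_id)[0]]  # step 1: 302 to the IdP
    status, body = idp.sso(browser_id, "https://sp.example/resource")
    statuses.append(status)
    if status == 302:  # step 3: back to the SP carrying the token
        statuses.append(sp.get_resource(browser_id, body.split("token=")[1])[0])
    return statuses
```

The SP never creates a session from the token in the URL alone; it always goes back to the IdP (the `POST /AA` step) and a token that was already resolved, or never issued, is refused.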

iChat and Openfire and Certificates and Kerberos! Oy Vay!

August 28th, 2009

We’ve found that Adium and Pidgin work very well with our pilot setup – Openfire server, DNS SRV records so that people can use @stanford.edu Jabber IDs, using TLS on port 5222 and SASL/GSSAPI (Kerberos) authentication. iChat worked fine in the test setup, but doesn’t work on the pilot setup – the main difference being the DNS SRV records.

I spent some time this afternoon trying different settings with iChat, certificates, Kerberos and Openfire, using itlab.stanford.edu and im.itlab.stanford.edu.

Jabber – Pidgin Client Configuration Instructions for Microsoft Windows

June 18th, 2009

The following are the instructions for setting up a MS Windows computer to connect to the IT Services test/pilot Jabber Instant Messaging server for the purposes of Group Chat for the IEC (Zimbra) calendar migration effort. Pidgin is an IM client that supports the

  • Jabber XMPP protocol
  • SSL encryption on the network
  • Kerberos authentication


Jabber – Adium Client Configuration Instructions for Mac OS X

June 18th, 2009

The following are the instructions for setting up a Mac to connect to the IT Services test/pilot Jabber Instant Messaging server for the purposes of Group Chat for the IEC (Zimbra) calendar migration effort. Adium is an IM client that supports the

  • Jabber XMPP protocol
  • SSL encryption on the network
  • Kerberos authentication


Jabber – iChat Client Configuration Instructions for Mac OS X

June 16th, 2009

The following are the instructions for setting up a Mac to connect to the IT Services test/pilot Jabber Instant Messaging server for the purposes of Group Chat for the IEC (Zimbra) calendar migration effort. OS X includes iChat, which is an IM client that supports the

  • Jabber XMPP protocol
  • SSL encryption on the network
  • Kerberos authentication


Cleaning up the Shibboleth Redirect Page

June 10th, 2009

When the Shibboleth IdP redirects a browser back to the SP, it does it via a form that is auto-submitted (if javascript is enabled). The default form is very basic, so I decided to spruce up the page for idp-dev.

The original IdP.jsp page source is in this attachment, and the updated version is in this one.

You should also update the other JSP files (IdPError.jsp, IdPErrorBlameSP.jsp and IdPStale.jsp).

To see the new page, just log in to this blog.

Clearspace / Jive SBS Authentication Plugin

May 7th, 2009

When I set up the test Clearspace server, I wrote a plugin for authenticating users via the web server. The plugin was developed for Clearspace 2.5 with Shibboleth, but should work for SBS 3.0 and WebAuth (+WebAuthLDAP to get mail and displayName attributes), since the authentication interface is unchanged, and the HTTP header variables that the plugin uses can be configured for different authentication systems.

To use it, first configure some system properties via the admin console:

Property                     Shibboleth 1.x Value             WebAuth Value
remoteuser.header.email      Shib-InetOrgPerson-mail          WEBAUTH_LDAP_MAIL
remoteuser.header.fullname   Shib-InetOrgPerson-displayName   WEBAUTH_LDAP_DISPLAYNAME

Upload the clearspace-remoteuser plugin through the ‘Add Plugin’ admin page.

Ensure you have users registered that match the REMOTE_USER settings – for Shibboleth, usernames are username@domain (e.g. sunetid@stanford.edu), for WebAuth they should be just username.

Finally, restart Clearspace / SBS.

LDAP, Kerberos 5, SASL and Passwords

March 11th, 2009

I’ve been playing around with a KDC and LDAP server in the test lab, and decided to try and get authentication working both with GSSAPI (Kerberos 5) and username/password authenticated against the KDC. It’s pretty straightforward, and a little bit of googling went a long way.

Openfire and Kerberos implementation notes

March 6th, 2009

Inquiring minds wanted to know more about the setup and configuration of the Openfire Jabber / XMPP server to work with GSSAPI / Kerberos, cross-realm authentication with Active Directory and user registration. Read on for the details.