I’ve added a gallery for demo OpenSocial gadgets at http://itlab.stanford.edu/gadgets/.

Trying out WebSequenceDiagrams.com:

Browser->SP: GET /resource
note right of SP: SP determines that authentication is needed
SP->Browser: 302 Found, redirect to IdP
Browser-> IdP: GET /SSO
note right of IdP: IdP determines if user is already authenticated
IdP->Browser: 302 Found, redirect back to SP with token
Browser->SP: GET /resource
SP->IdP: POST /AA
IdP->SP: 200 OK, SAML Assertion
SP->Browser: 200 OK, content

We’ve found that Adium and Pidgin work very well with our pilot setup – Openfire server, DNS SRV records so that people can use @stanford.edu Jabber IDs, using TLS on port 5222 and SASL/GSSAPI (Kerberos) authentication. iChat worked fine in the test setup, but doesn’t work on the pilot setup – the main difference being the DNS SRV records.

I spent some time this afternoon trying different settings with iChat, certificates, Kerberos and Openfire, using itlab.stanford.edu and im.itlab.stanford.edu.
Read the rest of this entry »

The following are the instructions for setting up a MS Windows computer to connect to the IT Services test/pilot Jabber Instant Messaging server for the purposes of Group Chat for the IEC (Zimbra) calendar migration effort. Pidgin is an IM client that supports the

• Jabber XMPP protocol
• SSL encryption on the network
• Kerberos authentication

Read the rest of this entry »

The following are the instructions for setting up a Mac to connect to the IT Services test/pilot Jabber Instant Messaging server for the purposes of Group Chat for the IEC (Zimbra) calendar migration effort. Adium is an IM client that supports the

• Jabber XMPP protocol
• SSL encryption on the network
• Kerberos authentication

Read the rest of this entry »

The following at the instructions for setting up a Mac to connect to the IT Services test/pilot Jabber Instant Messaging server for the purposes of Group Chat for the IEC (Zimbra) calendar migration effort. OS X includes iChat which is an IM client that supports the

• Jabber XMPP protocol
• SSL encryption on the network
• Kerberos authentication

Read the rest of this entry »

When the Shibboleth IdP redirects a browser back to the SP, it does it via a form that is auto-submitted (if javascript is enabled). The default form is very basic, so I decided to spruce up the page for idp-dev.

The original IdP.jsp page source is in this attachment, and the updated version is in this one.

You should also update the other JSP files (IdPError.jsp, IdPErrorBlameSP.jsp and IdPStale.jsp).

To see the new page, just log in to this blog.

When I set up the test Clearspace server, I wrote a plugin for authenticating users via the web server. The plugin was developed for Clearspace 2.5 with Shibboleth, but should work for SBS 3.0 and WebAuth (+WebAuthLDAP to get mail and displayName attributes), since the authentication interface is unchanged, and the HTTP header variables that the plugin uses can be configured for different authentication systems.

To use it, first configure some system properties via the admin console:

Upload the clearspace-remoteuser plugin through the ‘Add Plugin’ admin page.

Ensure you have users registered that match the REMOTE_USER settings – for Shibboleth, usernames are username@domain (e.g. sunetid@stanford.edu), for WebAuth they should be just username.

Finally, restart Clearspace / SBS.

I’ve been playing around with a KDC and LDAP server in the test lab, and decided to try and get authentication working both with GSSAPI (Kerberos 5) and username/password authenticated against the KDC. It’s pretty straightforward, and a little bit of googling went a long way.
Read the rest of this entry »

Inquiring minds wanted to know more about the setup and configuration of the Openfire Jabber / XMPP server to work with GSSAPI / Kerberos, cross-realm authentication with Active Directory and user registration. Read on for the details
Read the rest of this entry »