IRC log for #koha, 2017-02-18

All times shown according to UTC.

Time S Nick Message
00:08 talljoy joined #koha
00:47 kellym joined #koha
01:19 Francesca joined #koha
02:11 Francesca joined #koha
03:08 z0k_ joined #koha
04:37 Francesca joined #koha
05:12 Francesca joined #koha
05:36 Francesca joined #koha
05:44 Francesca joined #koha
05:55 Francesca joined #koha
06:04 Francesca joined #koha
06:15 Francesca joined #koha
07:12 Scott-CSPL joined #koha
07:12 deb-CSPL joined #koha
08:07 Francesca joined #koha
08:27 liw @wunder helsinki
08:27 huginn liw: The current temperature in Helsinki, Finland is 1.0°C (10:20 AM EET on February 18, 2017). Conditions: Clear. Humidity: 81%. Dew Point: -2.0°C. Windchill: -4.0°C. Pressure: 29.77 in 1008 hPa (Falling).
09:19 deb-CSPL joined #koha
09:34 z0k_ joined #koha
10:39 cait joined #koha
11:03 z0k_ joined #koha
11:45 tcohen joined #koha
12:12 cait1 joined #koha
12:14 tcohen morning
12:27 * cait1 waves
13:16 stozza joined #koha
13:51 stozza joined #koha
14:15 stozza joined #koha
14:48 tcohen hi cait1
14:49 tcohen have a nice w-e #koha
15:02 kivilahtio ashimema: Hi! Are you working on OAuth2 support in Koha?
15:02 kivilahtio ashimema: looking at batman's and Lee's work regarding the Mojolicious Plugins, having that done using Mojolicious looks like a low-hanging-fruit
15:03 kivilahtio ashimema: we need it for the national OPAC. Or a solution similar to it
15:03 kivilahtio ashimema: but I think OAuth2 is the bestest solution
15:04 kivilahtio also might implement SAML2 soon as we are getting some pressure from high-ups and nationally (legislation actually mandates us to implement SAML2 support)
15:05 kivilahtio why not do them both while at the auth-madness :)
15:31 jcamins kivilahtio: because SAML will kill you? Friends don't let friends SAML?
15:32 kivilahtio jcamins: haha
15:32 kivilahtio jcamins: thanks for the warning
15:32 kivilahtio jcamins: unfortunately our use SAML to provide SSO for all public sector services
15:32 kivilahtio and we are legally mandated to join the national "platform"
15:33 kivilahtio jcamins: why do you think SAML is bad?
15:33 jcamins Actually, I've been lucky... I mostly only have to deal with OAuth2/OpenID Connect.
15:33 jcamins On the unlucky side, I've had to use a vendor which doesn't believe in backward-compatibility.
15:33 jcamins It does not map well to modern web technology.
15:34 kivilahtio jcamins: hmm. What do you mean? I didn't find such issues?
15:34 kivilahtio tho I have very little experience with all these security-things
15:34 jcamins And it's one of those things that is a little bit different in every implementation.
15:35 kivilahtio Luckily there is not so much to implement differently?
15:35 jcamins There seems to be a surprising amount.
15:36 kivilahtio I mean, you ask the idp if this user is authenticated, and ask for extra attributes if the user is authenticated.
15:36 kivilahtio if not authenticated, redirect to idp for authentication
15:36 kivilahtio There is no standard for the user attributes, I guess this is where things can get complicated
15:37 jcamins Yeah.
15:37 jcamins That's where it was particularly painful in terms of lack of standardization.
15:37 jcamins The fact that all SAML communication is done via POST is what I felt didn't work well with an OAuth2-centric model.
15:38 kivilahtio I understand
15:38 kivilahtio I guess you just need to relax your REST-pants
15:38 jcamins "Oh look, here's this blank page with some JS that is going to magically POST an XML file to a random third-party server."
15:38 kivilahtio I hear ya
15:38 kivilahtio and using XML
15:39 kivilahtio XML is so dead
15:39 jcamins Eh, I'm less concerned about purity and more concerned about the fact that it raises red flags in every hospital IT department anywhere.
15:39 kivilahtio jcamins: are you sure you must use js to submit forms?
15:40 kivilahtio jcamins: I guess, since the SAML2-requests must originate from the user, not the server being accessed
15:40 kivilahtio jcamins: but this is no different from Koha's login page?
15:41 kivilahtio jcamins: you load the front-page. While loading it, ask the idp if the user is authenticated. If not, instead of the login-for, display a login-via-idp-link
15:41 kivilahtio *instead of the login-form*
15:42 kivilahtio there is an extra step for the user tho, but after the extra step, it is SSO everywhere
15:42 kivilahtio but yeah. You do have a point.
15:43 kivilahtio isn't this the same with OAuth?
15:43 kivilahtio user is redirected to the auth-server where he gives the permissions for the 3rd party to act on his behalf?
15:44 kivilahtio in SAML, he simply acts by himself
15:47 kivilahtio jcamins: I wonder if you could redirect to the IDP via a http status 307...
16:05 jcamins kivilahtio: something just occurred to me... you're not implementing the IDP. I imagine if I weren't working on the IDP side, I'd be a lot happier.
16:15 kivilahtio jcamins: I found simplesamlphp
16:15 kivilahtio jcamins: this is the reason why I am considering SAML2
16:16 kivilahtio we can have our own internal SSO using the nationally mandated standard
16:16 kivilahtio then switch to the national IDPs when the time is ripe
16:17 kivilahtio jcamins: but no. I am planning to use simplesamlphp as the idp. I managed to get it owkr and the php-code is something I can debug.
16:17 kivilahtio owkr = work
16:18 kivilahtio jcamins: have you worked on the idp-side?
16:25 jcamins kivilahtio: we use a third-party vendor as IDP, but I've been substantially responsible for making everything work together from the application point of view.
16:25 jcamins So dealing with implementation quirks, moving between applications, etc.
17:17 jbeno joined #koha
18:08 Dyrcona joined #koha
20:33 jbeno joined #koha
22:03 stozza joined #koha
22:17 stozza joined #koha
22:27 stozza joined #koha
23:17 stozza joined #koha
23:19 alexbuckley joined #koha
