Time | S | Nick | Message |
00:08 | | | talljoy joined #koha |
00:47 | | | kellym joined #koha |
01:19 | | | Francesca joined #koha |
02:11 | | | Francesca joined #koha |
03:08 | | | z0k_ joined #koha |
04:37 | | | Francesca joined #koha |
05:12 | | | Francesca joined #koha |
05:36 | | | Francesca joined #koha |
05:44 | | | Francesca joined #koha |
05:55 | | | Francesca joined #koha |
06:04 | | | Francesca joined #koha |
06:15 | | | Francesca joined #koha |
07:12 | | | Scott-CSPL joined #koha |
07:12 | | | deb-CSPL joined #koha |
08:07 | | | Francesca joined #koha |
08:27 | | liw | @wunder helsinki |
08:27 | | huginn | liw: The current temperature in Helsinki, Finland is 1.0°C (10:20 AM EET on February 18, 2017). Conditions: Clear. Humidity: 81%. Dew Point: -2.0°C. Windchill: -4.0°C. Pressure: 29.77 in 1008 hPa (Falling). |
09:19 | | | deb-CSPL joined #koha |
09:34 | | | z0k_ joined #koha |
10:39 | | | cait joined #koha |
11:03 | | | z0k_ joined #koha |
11:45 | | | tcohen joined #koha |
12:12 | | | cait1 joined #koha |
12:14 | | tcohen | morning |
12:27 | | * cait1 | waves |
13:16 | | | stozza joined #koha |
13:51 | | | stozza joined #koha |
14:15 | | | stozza joined #koha |
14:48 | | tcohen | hi cait1 |
14:49 | | tcohen | have a nice w-e #koha |
15:02 | | kivilahtio | ashimema: Hi! Are you working on OAuth2 support in Koha? |
15:02 | | kivilahtio | ashimema: looking at batman's and Lee's work regarding the Mojolicious Plugins, having that done using Mojolicious looks like a low-hanging fruit |
15:03 | | kivilahtio | ashimema: we need it for the national OPAC. Or a solution similar to it |
15:03 | | kivilahtio | ashimema: but I think OAuth2 is the bestest solution |
15:04 | | kivilahtio | also might implement SAML2 soon, as we are getting some pressure from high-ups and nationally (legislation actually mandates us to implement SAML2 support) |
15:05 | | kivilahtio | why not do them both while at the auth-madness :) |
15:31 | | jcamins | kivilahtio: because SAML will kill you? Friends don't let friends SAML? |
15:32 | | kivilahtio | jcamins: haha |
15:32 | | kivilahtio | jcamins: thanks for the warning |
15:32 | | kivilahtio | jcamins: unfortunately our suomi.fi uses SAML to provide SSO for all public sector services |
15:32 | | kivilahtio | and we are legally mandated to join the national "platform" |
15:33 | | kivilahtio | jcamins: why do you think SAML is bad? |
15:33 | | jcamins | Actually, I've been lucky... I mostly only have to deal with OAuth2/OpenID Connect. |
15:33 | | jcamins | On the unlucky side, I've had to use a vendor which doesn't believe in backward-compatibility. |
15:33 | | jcamins | It does not map well to modern web technology. |
15:34 | | kivilahtio | jcamins: hmm. What do you mean? I didn't find such issues? |
15:34 | | kivilahtio | tho I have very little experience with all these security things |
15:34 | | jcamins | And it's one of those things that is a little bit different in every implementation. |
15:35 | | kivilahtio | Luckily there is not so much to implement differently? |
15:35 | | jcamins | There seems to be a surprising amount. |
15:36 | | kivilahtio | I mean, you ask the idp if this user is authenticated, and ask for extra attributes if the user is authenticated. |
15:36 | | kivilahtio | if not authenticated, redirect to idp for authentication |
15:36 | | kivilahtio | There is no standard for the user attributes, I guess this is where things can get complicated |
15:37 | | jcamins | Yeah. |
15:37 | | jcamins | That's where it was particularly painful in terms of lack of standardization. |
15:37 | | jcamins | The fact that all SAML communication is done via POST is what I felt didn't work well with an OAuth2-centric model. |
15:38 | | kivilahtio | I understand |
15:38 | | kivilahtio | I guess you just need to relax your REST-pants |
15:38 | | jcamins | "Oh look, here's this blank page with some JS that is going to magically POST an XML file to a random third-party server." |
15:38 | | kivilahtio | I hear ya |
15:38 | | kivilahtio | and using XML |
15:39 | | kivilahtio | XML is so dead |
15:39 | | jcamins | Eh, I'm less concerned about purity and more concerned about the fact that it raises red flags in every hospital IT department anywhere. |
15:39 | | kivilahtio | jcamins: are you sure you must use js to submit forms? |
15:40 | | kivilahtio | jcamins: I guess, since the SAML2 requests must originate from the user, not the server being accessed |
15:40 | | kivilahtio | jcamins: but this is no different from Koha's login page? |
15:41 | | kivilahtio | jcamins: you load the front-page. While loading it, ask the idp if the user is authenticated. If not, instead of the login-for, display a login-via-idp-link |
15:41 | | kivilahtio | *instead of the login-form* |
15:42 | | kivilahtio | there is an extra step for the user tho, but after the extra step, it is SSO everywhere |
15:42 | | kivilahtio | but yeah. You do have a point. |
15:43 | | kivilahtio | isn't this the same with OAuth? |
15:43 | | kivilahtio | user is redirected to the auth-server where he gives the permissions for the 3rd party to act on his behalf? |
15:44 | | kivilahtio | in SAML, he simply acts by himself |
15:47 | | kivilahtio | jcamins: I wonder if you could redirect to the IDP via an HTTP status 307... |
16:05 | | jcamins | kivilahtio: something just occurred to me... you're not implementing the IDP. I imagine if I weren't working on the IDP side, I'd be a lot happier. |
16:15 | | kivilahtio | jcamins: I found simplesamlphp |
16:15 | | kivilahtio | jcamins: this is the reason why I am considering SAML2 |
16:16 | | kivilahtio | we can have our own internal SSO using the nationally mandated standard |
16:16 | | kivilahtio | then switch to the national IDPs when the time is ripe |
16:17 | | kivilahtio | jcamins: but no. I am planning to use simplesamlphp as the idp. I managed to get it owkr and the php-code is something I can debug. |
16:17 | | kivilahtio | owkr = work |
16:18 | | kivilahtio | jcamins: have you worked on the idp-side? |
16:25 | | jcamins | kivilahtio: we use a third-party vendor as IDP, but I've been substantially responsible for making everything work together from the application point of view. |
16:25 | | jcamins | So dealing with implementation quirks, moving between applications, etc. |
17:17 | | | jbeno joined #koha |
18:08 | | | Dyrcona joined #koha |
20:33 | | | jbeno joined #koha |
22:03 | | | stozza joined #koha |
22:17 | | | stozza joined #koha |
22:27 | | | stozza joined #koha |
23:17 | | | stozza joined #koha |
23:19 | | | alexbuckley joined #koha |