I haven’t been very vocal lately, because I have been busy…

Satpin

I have been working on Ian Addisons new project now called Satpin (something to do with phonics according to Miss Pitkethly).  My Javascript skills have improved massively doing this project which I have enjoyed thoroughly.  Javascript is awesome.  I need a decent tutor though, I am cobbling my way through stuff using “John” logic which isn’t good enough.  Once the project is complete/stable I will be releasing it open source (it will require a LAMP stack).  I am spending masses of attention to detail on this project, more than I have ever done.  I’m focusing 99% of my efforts on UI.  I decided to make it writeable by anyone which will upset some people but oh well..

Wind power

I have been finishing the electrics on my wind turbine, which is now up and running (hopefully okay).  It’s been a while since I did any component level work and Sparky helped me which was good.

Apache load balancing

We spent a few hours working on how to improve load balancing on our main apache cluster.  We are considering casandra if we grow any quicker than our current projections.

Shib constipation

Mid week I struggled and I’m still struggling massively with a Shib SP deployment.  I’m running the same config as another deployment but I am getting errors.  Think this is a job for team john and tom to get sorted properly.  We are doing it so we can work with the Swedish equivalent of JISC for their Etherpad deployment.

Classdroid

We got classdroid working properly, well, sort of.  Turns out Android isn’t as cool as I first thought.  Well, android is..  Turns out motorola/lg etc. are idiots and install custom software including custom camera intents that breaks a lot of the phones functionality.  Thankfully google will fix this with any v2+ updates.  The LG Optimus is due V2.1 this month so I am willing to wait a few weeks instead of trying to squash a documented/fixed bug.

PHP

I helped Challenge CLC with a touch of PHP this week, super easy stuff.  It is always good to collaborate with people, especially when I am so comfortable helping out in PHP.

Etherpad

I did a few more edu installs of Etherpad, nothing exciting here.  Wrote a new way to integrate with the scribblar API.  Stefan has the code if anyone wants it.   Important thing to note, why the Hell are so many Americans and now Africans getting me in to do Etherpad deployments yet there are so few EU deployments going on?  Is their something about Europeans and our lack of encouraging collaboration in the work/edu place?

Finally.  Happy Pirates day!  Now gimme your loot.

Report This Post

Related posts:

1. bMoble Teachmeet 5:30pm 20th May @ Abundant Life Centre The bMoble Teachmeet will be at 5:30pm on the 20th...
2. Video: e-safety, never meet anyone in real life that you met online Report This Post...
3. Second Life or Virtual 3d Worlds in Primary Schools Naace are running a conference on using 3d virtual worlds...

Report This Post

Related posts:

1. Google Cloudcourse is not a learning platform "CloudCourse is a course scheduling system. ” — Google Code....
2. Great video that touches on Learning with Games Love the iPad gag at 17 minutes. He also shows...
3. Jaycut in the primary classroom – Video editing Recently when making my GTA application I checked out Jaycut....

One Social Web may make this a reality.  The purpose of One Social Web is to enable free, open, and decentralized social applications on the web. *Like Facebook but not owned by Facebook, owned by, well um, everyone!

Usually your school data exists only on your school server.  If your school server was integrated with One Social Web school pupils or teachers could easily be “transfered” to another school without losing any information, files etc. and/or be able to access their old school work whilst being access to connect their new file storage.

The One Social Web platform is based in London, UK and has developers all around the world.  The platform is completely open so anyone can contribute and privacy settings are managed on a per user basis.

It would be interesting to see the first school deployment of this, I certainly hope I will get the opportunity to tie Primary School Teaching into the platform!  It would also be interesting to debate how One Social Web can work with Shibboleth providing not only single level accessibility but accessibility at an organizational level.

Related articles by Zemanta

• Open Facebook Alternatives Gain Momentum and $115K (wired.com)
• Forget Google Buzz — Promote OneSocialWeb (ibeentoubuntu.com)

Report This Post

Related posts:

1. Is Email a form of Social Media #edchat Yes it is. Social media are media designed to be...
2. What version of what operating system is your school curriculum server currently running? [poll id="3"] I’m curious to see how many schools have...
3. Primary Technology Marketing Video about to go live. How did I make it? Just a quick set of answers and a copy of...

Firstly I need to get my SP working.
Configure SP & Apache initially..
I need to configure Tomcat to use Shibboleth for Authentication configure Jetty to use Shibboleth Authentication.
Once this is done I will have the users attributes as environment variables.

Now I have the variables I need to create a script to check the variables and create an account if required.  All sounds pretty simple right?  Let’s hope so, as I make progress I will document my changes.

I’m referring to the LDAP plugin patch code for how to handle “talking to etherpad”.

ETA is 3/4 weeks.  Sucks that I need to use Apache but oh well!!

Note:  Etherpad runs on Jetty, not Tomcat and doesn’t require Apache.  It is the shibboleth element of this that requires Apache to operate.

Note:  Thanks to nuba for reminding me about Jetty.

Report This Post

Related posts:

1. Installing shibboleth SP 2.3 on CentOS Press y 3 times. Done. Proceed to configuration.. Report This...
2. Why is my shibboleth IDP so slow to accept the first connection? When I create my first connection to my shibboleth IDP...
3. How to kill a shibboleth session Kill an SP session with a HTML redirect: <meta http-equiv=”REFRESH”...

patch -p1 < ldap_support.patch

Report This Post

No related posts.

The documentation on googles site isn’t very clear so here are some step by step instructions.

Before you even make a start, backup ALL of your IDP configuration files.

PreReqs:

Firstly complete the steps documented beautifully by Will Norris – Do the config for any school, we are just doing this to make sure you have a working IDP.

Test the above config changes by browsing to http://apps.SchoolA.com where SchoolA.com is the domain of the school you have configure google apps for. A usual misconception new users have about google apps is that it will create user accounts when you first login. This is not true. Your user account name on google apps must match the value being passed by the IDP. I have written a perl google apps provisioning tool, get in touch if you want it.

It worked? Great! If not, don’t continue. Get Will’s configuration working first then continue.

Now let’s get started configuring your IDP to allow multiple organizations to authenticate to Google Apps.

1. Log into your google apps admin account at http://google.com/a/SchoolA.com

2. Click Advanced tools – Set up Single Sign on – Tick Use a domain specified issuer

You are done in Google Apps. Congrats.

3. Ssh into your IDP

4. Is your Google Metadata located at /opt/shibboleth-idp/metadata/google-metadata.xml ? It should be, if not, modify the below guide to suite your paths. It will make sense..

5. Edit /opt/shibboleth-idp/metadata/google-metadata.xml to read

<EntityDescriptor entityID="google.com/a/schoola.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://www.google.com/a/schoola.com/acs" />
</SPSSODescriptor>
</EntityDescriptor>

6. Copy google-metadata.xml to google-metadata2.xml

7. Edit /opt/shibboleth-idp/metadata/google-metadata2.xml to read

<EntityDescriptor entityID="google.com/a/schoolb.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://www.google.com/a/schoolb.com/acs" />
</SPSSODescriptor>
</EntityDescriptor>

8. Edit /etc/shibboleth/relying-party.xml

9. Smile

10. Make me a cup of tea

11. Replace the entire Relying Party section for the google connectivity. After you are done it should read something like…

<RelyingParty id="google.com/a/schoola.com"
provider="https://idp.youridp.com/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential">
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>
<RelyingParty id="google.com/a/schoolb.com"
provider="https://idp.youridp.com/idp/shibboleth"
defaultSigningCredentialRef="IdPCredential">
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile" encryptAssertions="never" encryptNameIds="never" />
</RelyingParty>

12. Search for Google.com again – look for the MetadataProvider section

13. Copy and paste the first reference replacing .xml with 2.xml, change the second schools id value to GoogleMD2, it should read something like this:

<MetadataProvider id="GoogleMD" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
metadataFile="/opt/shibboleth-idp/metadata/google-metadata.xml" maintainExpiredMetadata="true" />
<MetadataProvider id="GoogleMD2" xsi:type="FilesystemMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
metadataFile="/opt/shibboleth-idp/metadata/google-metadata2.xml" maintainExpiredMetadata="true" />

Congrats, you are done in relying-party.xml!

14. Edit /etc/shibboleth/attribute-filter.xml

15. Search for google.com

16. Edit the value to read “google.com/a/schoola.com”

17. Copy and paste the policy, replace schoola.com with schoolb.com in the new policy.

It should read:

<AttributeFilterPolicy>
<PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com/a/schoola.com" />
<AttributeRule attributeID="principal">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
</AttributeFilterPolicy>
<AttributeFilterPolicy>
<PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="google.com/a/schoolb.com" />
<AttributeRule attributeID="principal">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
</AttributeFilterPolicy>

18. I restarted tomcat using the ./Shutdown ./Startup script to test and it worked fine. Test by browsing to http://apps.schoola.com/(assuming you have this cname set). If you have problems please check that you replaced schoola.com and schoolb.com with your domain and also your IDP references.

Report This Post

Related posts:

1. Testing your Primary School Google Apps Education Edition Configuration You can test your different Google Apps by accessing the...
2. Troubleshooting Google Apps and Shibboleth If you receive an “invalid email” error or invalid user...
3. Are Google planning to put Google Wave into Google Apps? Google Apps is becoming more and more popular in schools,...

]]> http://mclear.co.uk/2009/11/21/shibboleth-idp-configuration-for-multiple-organizations-google-apps/feed/ 7 http://mclear.co.uk/2009/11/11/how-to-kill-a-shibboleth-session/ http://mclear.co.uk/2009/11/11/how-to-kill-a-shibboleth-session/#comments Wed, 11 Nov 2009 23:35:00 +0000 Admin Admin http://mclear.primaryblogger.co.uk/2009/11/11/how-to-kill-a-shibboleth-session/

Kill an SP session with a HTML redirect:

<meta http-equiv=”REFRESH” content=”0;url=https://shib.example.org/Shibboleth.sso/Logout”>

Kill an SP session by visiting a URL:

https://shib.example.org/Shibboleth.sso/Logout

Kill an IDP session:

Single Log off is not fully supported in Shibboleth, it is recommended you redirect a user to a page requesting they close their browser window.

Note: Don’t forget to replace example.org with your domain

Report This Post

Related posts:

1. How to kill zombies -_o So you have a zombie process, in my case varnish...
2. Shibboleth WAYFless URLs UKFederation Shibboleth is a single sign on method used by UK...
3. Testing Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs Part 4. Testing (2 hours) Shibboleth can be started using...

]]> http://mclear.co.uk/2009/11/11/how-to-kill-a-shibboleth-session/feed/ 0 http://mclear.co.uk/2009/11/07/installing-shibboleth-sp-2-3-on-centos/ http://mclear.co.uk/2009/11/07/installing-shibboleth-sp-2-3-on-centos/#comments Sat, 07 Nov 2009 03:42:00 +0000 Admin Admin http://mclear.primaryblogger.co.uk/2009/11/07/installing-shibboleth-sp-2-3-on-centos/ cd /etc/yum.repos.d/ curl -O http://download.opensuse.org/repositories/security://shibboleth/CentOS_5/security:shibboleth.repo yum install shibboleth.i386

Press y 3 times. Done. Proceed to configuration..

Report This Post

Related posts:

1. Installing Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs Internet 2 give some “creative” documentation for this procedure so...
2. CentOS Netinstall 5.4 ISO installation Iv’e had to install CentOS 10+ times today and I...
3. Testing Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs Part 4. Testing (2 hours) Shibboleth can be started using...

]]> http://mclear.co.uk/2009/11/07/installing-shibboleth-sp-2-3-on-centos/feed/ 1 http://mclear.co.uk/2009/11/03/why-is-my-shibboleth-idp-so-slow-to-accept-the-first-connection/ http://mclear.co.uk/2009/11/03/why-is-my-shibboleth-idp-so-slow-to-accept-the-first-connection/#comments Tue, 03 Nov 2009 17:03:00 +0000 Admin Admin http://mclear.primaryblogger.co.uk/2009/11/03/why-is-my-shibboleth-idp-so-slow-to-accept-the-first-connection/ When I create my first connection to my shibboleth IDP it takes 30 / 40 seconds for tomcat to serve the login page.

At first I expected that my tomcat memory allocation / heap space value wasn’t being applied but my ps aux | grep java showed:

/usr/lib/jvm/java-6-sun/bin/java -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Xmx512m -Djava.endorsed.dirs=/opt/tomcat/common/endorsed -classpath :/opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/commons-logging-api.jar -Dcatalina.base=/opt/tomcat -Dcatalina.home=/opt/tomcat -Djava.io.tmpdir=/opt/tomcat/temp org.apache.catalina.startup.Bootstrap start

I could see above it wasn’t using enough memory so I edited /usr/share/tomcat5.5/bin/catalina.sh and under JAVA_OPTS I added: -Xms256m -Xmx1024m -server -XX:+AggressiveOpts -XX:MaxPermSize=512m

It now reads:

JAVA_OPTS=”$JAVA_OPTS “-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager” “-Djava.util.logging.config.file=”$CATALINA_BASE/conf/logging.properties -Xms256m -Xmx2048m -server -XX:+AggressiveOpts -XX:MaxPermSize=1024m”

I used the ./shutdown.sh script provided with tomcat to shutdown tomcat and then the ./startup.sh script to restart. Tested and performance was massively improved after a 5 minute start up wait.

Use tailf /var/log/shibboleth/idp-process.log to watch the log file to check for startup completion.

Click here for more information on how to Productionalize your IDP

Report This Post

Related posts:

1. Etherpad with Shibboleth Authentication (Technical document) I want to login to Etherpad with my UK federation/Shibboleth...
2. Success: optimizing the Etherpad Java VM After weeks of tweeking i finally found an environment that...
3. Testing Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs Part 4. Testing (2 hours) Shibboleth can be started using...

]]> http://mclear.co.uk/2009/11/03/why-is-my-shibboleth-idp-so-slow-to-accept-the-first-connection/feed/ 0 http://mclear.co.uk/2009/11/02/shibboleth-cert-miss-match-with-uk-federation/ http://mclear.co.uk/2009/11/02/shibboleth-cert-miss-match-with-uk-federation/#comments Mon, 02 Nov 2009 18:55:00 +0000 Admin Admin http://mclear.primaryblogger.co.uk/2009/11/02/shibboleth-cert-miss-match-with-uk-federation/
I’m wasn’t sure how this happened but this error appeared in my SP:

2009-11-02 15:39:30 ERROR OpenSSL [3]: path validation failure: self signed certificate

2009-11-02 15:39:30 ERROR XMLTooling.SOAPTransport.CURL [3]: supplied TrustEngine failed to validate SSL/TLS server certificate

2009-11-02 15:39:30 ERROR Shibboleth.AttributeResolver.Query [3]: exception during SAML query to xxxxx AttributeQuery: CURLSOAPTransport failed while contacting SOAP endpoint (xxxx): SSL certificate problem, verify that the CA cert is OK. Details:

2009-11-02 15:39:30 ERROR Shibboleth.AttributeResolver.Query [3]: unable to obtain a SAML response from attribute authority

Note: I replaced my IDP paths with xxxx for the purpose of this post.

I got in touch with the UK Federation asking if they could shed any light on the problem.

It turns out that this was due to my IDP information not being correct at the metadata end. I notified the UK Federation and they updated my record and republished their metadata and it started working again

Thanks to Sara for helping out with this.

Note: was the value that wasn’t changed at federation level.

Report This Post

Related posts:

1. Testing Shibboleth SP 2 on CentOS to the ukfederation w/ Godaddy certs Part 4. Testing (2 hours) Shibboleth can be started using...
2. Shibboleth IDP configuration for multiple organizations & Google apps So you want to configure your IDP to allow logins...
3. Shibboleth WAYFless URLs UKFederation Shibboleth is a single sign on method used by UK...

]]> http://mclear.co.uk/2009/11/02/shibboleth-cert-miss-match-with-uk-federation/feed/ 0