While I was using up some spare cycles a while ago, I wrote a simple RSS parser in C, using libcurl but rather than start up the PC and use VisualStudio, I decided to use Eclipse Ganymede instead. The documentation was almost non existent so it took a while to set up the C project but in the end it was fairly easy. Just create a new C/C++ project and add the curl path to Properties -> C/C++ Build -> Settings:

Looks like the SOA based provisioning project may be back on the cards but in a radically different form as IDM is looking too expensive to implement. However, the first task is to develop version 2.0 of the Siva system. I’m getting the notion to port the whole lot to C++. A third of it is in C++ already as Groupwise only has a COM interface to its admin functions, while the rest is in Java. I originally wrote the COM module as an exe as I thought it might be useful as a standalone app but that hasn’t proved to be the case. That means that Java has to load the exe on every account creation, which means the entire COM startup process is executed for every account, pushing the average creation time to around 50secs. (more…)

Well that’s it. A long hard road indeed. I’ve shifted from Ant to Maven for all modules and added Spring to the IdP and Engine which means they now have configurable jobs for loading metadata as well as pluggable metadata and trust layers. There’s full end to end SSL support and Shibboleth trust implementation based on various metadata verification profiles. Guanxi is fully compatible with the UK Access Management Federation as well as the Internet2 Shibboleth reference implementations of the Shibboleth SAML Profile. The Guanxi IdP and SP (Engine and Guard) are currently live in the UK federation.

For more information on Guanxi, head on over to the wiki. You can download Guanxi from the sourceforge site and there’s a bit of news on the release on slashdot.

Guanxi 2 provides a stable and extensible platform for Shibboleth and SAML support. One of the next development cycles will be to support SAML2 profiles and perhaps look at supporting other protocols such as OpenID.

In the meantime I’m off to lie down and have some cakes.

This was all fairly simple before I moved to maven. I wrote a fairly lengthy Ant task that would gather together CVS tags and make binary and source releases of the software. With the switch to Maven I could now use:

mvn release:prepare -DdryRun=true -Dusername=USERNAME
mvn release:clean release:prepare -Dusername=USERNAME (more...)

Just saw this interesting quote from The Endevour on Lines of Code (LOC):

“…inexperienced and experienced programmers write about the same number of lines of code per day. The difference is that experienced programmers keep more of those lines of code…”

I recently wrote a small app to to generate an RSS feed from various “learning objects” on a server in four different languages in a day. Java, Python, Perl and C. Just for a laugh. I gave up on Ruby as my Mac doesn’t like Ruby for some reason but I’m thinking of refreshing those parts of my brain that used to code in assembler. My favourite version? The C one, just for the nostalgia!

You’d think one version would be enough but just goes to show that if experienced developers have time on their hands the LOC can go through the roof. “I’ve got this thing wee thing to do before the big kickoff meeting tomorrow but I’ve just finished the wee thing. What can I do now?”

In the run-up to the 2.0 release, I added some new functionality to the attribute mapping capabilities of the IdP. You can specify a wildcard mapping for all service providers but perhaps you don’t want two or three of them sharing in the fun. Now you can exclude them:

<provider providerId="*">
  <mapRef name="urn:mace:dir:attribute-def:eduPersonTargetedID"/>
  <mapRef name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation-member">
    <except>urn:mace:eduserv.org.uk:athens:federation:uk</except>
  </mapRef>
</provider>

The above snippet from map-providers.xml says the IdP should apply the “urn:mace:dir:attribute-def:eduPersonTargetedID” map to all service providers and the “urn:mace:dir:attribute-def:eduPersonScopedAffiliation-member” map to all service providers except “urn:mace:eduserv.org.uk:athens:federation:uk”. This basically means release eduPersonTargetedID to all service providers and eduPersonScopedAffiliation with a scope of “member” to all service providers except OpenAthens. (more…)

5 years ago I developed a provisioning system that links SITS student record system to Novell eDirectory, NDS and Groupwise. The architecture is shown below:

While I was implementing the final piece of the puzzle for Guanxi2, I came across an interesting problem to do with verifying the signature on the UK Federation metadata. I just couldn’t verify the signature on it. First, let me get one problem out of the way. There’s a C14N bug in xml-security 1.4.0. 1.4.1 and 1.4.2 are fine but 1.4.1 fails to verify the signature. So I upgraded to 1.4.2 and that was ok. I then refactored the test code into the main Guanxi code and it failed to verify again. Here’s why. (more…)

After some thought and conversations it seems that LDAP triggers are no use as you can’t guarantee the triggered code will be run (it might be offline). Also, I investigated LDAP listeners in eDirectory but they only live for the life of the listener connection, so again they’re not much use for reliable messaging. So I’ve modified the original architecture a bit, to feed the broker directly from IDM and hive off the LDAP server into someone else’s space. There’s a bit of a debate about how it should be structured internally. Should CNs have long lists of memberships or should there be huge lists of group objects? Not a topic I have much interest in to be frank. Decisions like that should be based on how the container is going to be used. At the moment, the current eDirectory is used mainly for authentication and extracting attributes for a known CN. AFAIK there are no requests to find everyone on module MOD101. Those queries are the preserve of SITS. So here’s the new architecture:

We’re getting ready to apply shibboleth a little more deeply, where we need to group resources from a single supplier based on institutional affiliations. UHI as a whole subscribe to certain resources at a supplier, while partner colleges, such as Perth College, in addition to their UHI resources, subscribe to extra resources to which only Perth users should be granted access. This is an ideal use for eduPersonScopedAffiliation. Our IdP can assert scopes of “uhi.ac.uk” and “perth.uhi.ac.uk” if required. (more…)