From: Colin T. <col...@ou...> - 2006-07-05 13:24:26
Alistair Young wrote:
>>different login route for Shibb isn't as good as a Shunnel(!)
>
> they're the same! a shunnel (cringe) is just another route into an
> app via shibb. In this case it's a different url, /site/
> bs_template_shibb_login.html or something.

I thought a shunnel (AY cringes) was a single page where users have to choose the login method, i.e. at the *same* URL as any other login point...

> the issue is that the SP is too "invasive" for normal use. It can't
> be used in a production bod as when it's turned on, all users must
> login via it or via /opensite and when it's turned off they have to
> revert to using the normal login in /site.

Yes, I understand that, but why is it so much work to change that behaviour, so that normal users login via /site/ and Shibb users via /xyz/? Then, whether it's turned on or off makes no diff to normal users...

> The code can stay in head and won't delay 2.8.

OK, I thought someone had suggested that it had to be removed...

> What will delay 2.8 is
> waiting for a shibb url to be implemented so that bod can be
> advertised as an sp in 2.8
>
> Alistair
>
>
> On 5 Jul 2006, at 13:58, Colin Tatham wrote:
>
>
>>Although I agree with most of what you say (I think) it doesn't
>>seem to address what I was
>>suggesting/asking? (Maybe it wasn't supposed to :-) )
>>
>>1) Can the SP bit be turned off by default, or re-configured so
>>that the *Shibb* route is via a
>>different URL?
>>2) Is the SP code already in HEAD?
>>
>>Although I agree having a different login route for Shibb isn't as
>>good as a Shunnel(!) releasing
>>2.8 with different URL Shibb is better than not including it at
>>all, especially if we have to take
>>the code out of HEAD?
>>
>>Colin
>>
>>Alistair Young wrote:
>>
>>>Let me clarify first, that the issue is with bod itself, not with
>>>what Atif has produced as a shibb module. I suspect the hand of
>>>politics involved and as we all know, developers are its servants.
>>>
>>>It would seem that local demands have impinged upon the gx philosophy
>>>of minimal disruption. e.g. the bod IdP runs without normal users'
>>>knowledge and the SP should do the same. We, the gx project as a
>>>whole, could have caught this earlier if we'd known about it but we
>>>didn't so we couldn't. As the gx project is not about custom coding
>>>to local demands then I would say it's fair to ask Atif or someone
>>>Leeds can nominate to remove the implications of those local demands
>>>and bring bod in line with the minimal philosophy.
>>>
>>>This means providing a separate shibb route into bod. We've seen it
>>>before with webauth etc so it's possible and is arguably the way it
>>>should have been.
>>>
>>>As it stands, it's unacceptable to change the way an institution's
>>>users work just so that a feature of the vle can be tested. When
>>>opening your vle to shibbed users means inconveniencing your own
>>>users, then we have failed. It's bad practice and bad publicity that
>>>will only harm bod in the long run.
>>>
>>>The Guanxi and SOCKET projects enjoy a symbiotic relationship so
>>>let's not disturb that. Instead, let's find a way out of this that is
>>>beneficial to all concerned. Whether that means subcontracting to
>>>someone who knows enough about bod to implement this is a matter for
>>>discussion.
>>>
>>>Indeed, we know of someone who is currently available and is fresh
>>>from testing bod and has some shibb knowledge to boot ;)
>>>
>>>Alistair
>>>
>>>
>>>On 5 Jul 2006, at 12:57, Colin Tatham wrote:
>>>
>>>
>>>>Sean Mehan wrote:
>>>>
>>>>
>>>>>well, what it does mean is that
>>>>>
>>>>>1) GX isn't done, still;
>>>>>2) 2.8 will ship with no SP support unless we delay the 2.8 release
>>>>>for an indeterminate amount of time.
>>>>
>>>>Are the problems with the SP that bad that we remove it for 2.8?
>>>>I think the main one is the fact that you can't use the same login
>>>>route for Shibb and normal Bod
>>>>auth (and the fact that sysadmin has to go via /opensite/). If it's
>>>>possible to release it with the
>>>>SP stuff turned off, it will work as normal, and if people want to
>>>>test the SP, they follow some
>>>>short instructions to enable it (and find out that they have to now
>>>>login via /opensite/ as sysadmin)?
>>>>
>>>>Colin
>>>>
>>>>
>>>>>If it is the case that we still haven't finished GX (with the SP in
>>>>>bod being a component of that), then, I suppose that we are
>>>>>beholden
>>>>>to Leeds to find the time for
>>>>>their current project, which is still giving them money, in
>>>>>order to
>>>>>complete a project for which they received all of their money some
>>>>>time ago.
>>>>>
>>>>>As for 2, all things being equal, it's a ++2 from me to ship Bod 2.8
>>>>>with no SP support.
>>>>>
>>>>>s
>>>>>
>>>>>
>>>>>On 5 Jul 2006, at 12:13, Alistair Young wrote:
>>>>>
>>>>>
>>>>>>nae probs wee man!
>>>>>>
>>>>>>On 5 Jul 2006, at 12:16, Atif Suleman wrote:
>>>>>>
>>>>>>
>>>>>>>Thanks Alistair for the feedback:
>>>>>>>http://www.bodington.org/wiki/index.php?
>>>>>>>title=TestRel2.8#Shibboleth_Functionality
>>>>>>>
>>>>>>>Any work on bodington-sp will have to wait until Socket
>>>>>>>project is
>>>>>>>finished at the end of the month.
>>>>>>>
>>>>>>>Ta
>>>>>>>Atif.
>>>>>>>
>>>>>>>
>>>>>>>Sean Mehan wrote:
>>>>>>>
>>>>>>>
>>>>>>>>On the SP side, Atif, can you fix the things Al has found there,
>>>>>>>>including the documentation? We really need the SP to work as a
>>>>>>>>final
>>>>>>>>output for GX.
>>>>>>>>
>>>>>>>>Thanks,
>>>>>>>>S
>>>>>>>>
>>>>>>>>
>>>>>>>>On 5 Jul 2006, at 10:38, Alistair Young wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>>I've updated the testing page:
>>>>>>>>>http://www.bodington.org/wiki/index.php?
>>>>>>>>>title=TestRel2.8#Shibboleth_Functionality
>>>>>>>>>
>>>>>>>>>Good work Atif on the sp module but bod itself just isn't ready
>>>>>>>>>to be
>>>>>>>>>an sp IMHO.
>>>>>>>>>
>>>>>>>>>Alistair
>>>>>>>>>
>>>>
>>>>--
>>>>____________________________________
>>>>Colin Tatham
>>>>VLE Team
>>>>Oxford University Computing Services
>>>>
>>>>http://www.oucs.ox.ac.uk/ltg/vle/
>>>>http://bodington.org

--
____________________________________
Colin Tatham
VLE Team
Oxford University Computing Services

http://www.oucs.ox.ac.uk/ltg/vle/
http://bodington.org