đź‘‹
Good morning!
mogge
Hello!
good morning!
morning!
Good morning!
Morning
Morning
morning
Fun babashka script to print API breakage warnings: https://gist.github.com/borkdude/ba372c8cee311e31020b04063d88e1be
That is pure beauty, @borkdude.
Morning. I spent the whole day learning about Azure Active Directory, SAML and SCIM provisioning. The corporate world is so complex at times, but if you have 10000 employees to manage I guess it’s a hard problem to solve.
@orestis I really want to get going on SCIM, it looks like it would solve some use cases for us.
SAML, in my experience has been quite ok to work with.
If I were to do our saml stuff now, I would very much considered using one of the java libs, like the stuff from one-login or whatever4j, eh pac4j
I looked into SAML recently too and ended up making a mini-library for Pedestal to spawn SAML-authenticed web services. It just uses the metabase saml20-clj lib (which uses whatever library shibboleth-sp uses). I initially looked at Shibboleth-sp, but my brain starts taking an unplanned vacation whenever I start reading the documentation of a big Java project. Also, personally, whenever I have to start making lots of XML files and replicate certain folder structures to get basic functionality, I feel like I’m erasing important connections that would otherwise exist in my code. I tried integrating my prototypical SAML service with a Danish IdP just before Christmas and everything worked great! Hadn’t heard about SCIM - will need to check it out. My SAML studies did make me aware of OpenID connect which is apparently some standard that is equivalent to SAML, but more recent and more friendly towards API login flows or something.
I’ve used the metabase saml library for a proof of concept. I will need to do a full review and perhaps an internal security review first though. The moment we pull the trigger on re-doing our SSO work we’ll probably do a more thorough review of things like pac4j too — but I share @simongray’s vacation brain when I’m looking at big Java projects.
SCIM is not equivalent to SAML; it’s a protocol for a directory to synchronise users and groups to another. For example Active Directory would periodically call various rest-like HTTP endpoints on our server to add/update/remove users and groups.
@slipset there’s a clojure library that implements the SCIM patch semantics. I only care to implement Azure AD compatibility for now so I might release a tiny library that just cares for that, probably a set of ring handlers or perhaps even lower level.
ohhhh, that would be very interesting.
@orestis we’re using the metabase saml lib, which is a lot better in v2 than in v1 (or whatever the previous was)
Also using v2 here.
Yeah clj-saml v2 seems small enough to actually read through entirely. The heavy lifting is done via some java lib anyway.
FYI, I added a PR to onelogins java SAML stuff, so it should in theory be possible to use that relatively simply from JAVA.
I haven’t followed clj-saml closely the last couple of months, but there are still some “problems” with it.
Not that serious, but still things that should be fixed for it to be rock solid.
We should put some TLC on those libraries.
We’re committed to do SCIM in first half of 2021 so probably someone from Nosco is going to be working in that space.
https://github.com/metabase/saml20-clj/issues/48 comes to mind.
This bug is really annoying too: https://github.com/metabase/saml20-clj/issues/27
Cam was very responsive and quick when I first approached him with the problems in the version 1, then it seems as if he got other priorities.
he basically rewrote the lib over a weekend.
Looking at his github profile, seems like he’s doing all of the Clojure development at the company…
Not really, there are others, like Simon Belak, and some others.
Still, seems like he’s got his hands full 🙂
That I believe.
Anyways, dinner time, have a great weekend!
you too
Same here. God weekend!
God weekend 🙂
good night...