Down and dirty with OpenID

I’ve spent the last few hours (after getting home from a swift pint in the pub, admittedly) having one of those satisfying coding experiences where the dots just start joining up… I took the very nicely written OpenIDEnabled PHP library and bolted it on to the authentication routines for PROD.

The technical principles behind OpenID are simple enough: the user tells your application their OpenID URL, the app asks the relevant provider if everything is ok, and the provider comes back and tells the app a whole bunch of stuff saying that the user is kosher (or halal or whatever it says in their profile).

The latest version of the toolkit made this a breeze – coming as it does with working examples and very well documented code. Most of the work was putting in a few new hooks in my authentication script to catch both ends of the transaction, copying and pasting some code from the example scripts to create the consumer object and set it flying and finally catching the response at the end and telling my application that the user is now logged in.

As with most quick work there is still quite a bit of tidying up to do – particularly around how I associate existing users in the LDAP directory with their OpenIDs… At the moment I’m just not bothering. Useful error messages would probably be a good idea too! Testing it with a few different providers is also a must.

One gotcha I discovered was that at some point the exact recipe for doing delegation must have changed, and that the library is more fussy about this than other implementations I’ve seen and used. When testing with my own domain’s delegation, which I’ve had set up for years, it was consistently failing. This is not good news as there are probably thousands of people who still have it set up exactly as I did…
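The delegation gotcha above comes down to which <link> tags a consumer looks for in your identity page: OpenID 1.1 discovery used openid.server and openid.delegate, OpenID 2.0 discovery uses openid2.provider and openid2.local_id, and a page set up years ago typically carries only the first pair. As an added example (not the post's or the library's own code), here is a small Python check of an identity page's <head> that reports which recipe it satisfies; the sample pages and the provider.example URLs are constructed for the example.

```python
from html.parser import HTMLParser
# <link rel=...> names from the two HTML-discovery recipes: OpenID 1.1 used
# openid.server/openid.delegate, OpenID 2.0 uses openid2.provider/openid2.local_id.
OPENID1_TAGS = {"openid.server": "server", "openid.delegate": "delegate"}
OPENID2_TAGS = {"openid2.provider": "provider", "openid2.local_id": "local_id"}

class _HeadLinks(HTMLParser):
    """Collect rel -> href for <link> tags that appear inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head, self.links = False, {}
    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            if a.get("rel") and a.get("href"):
                for rel in a["rel"].lower().split():  # rel may list several names
                    self.links.setdefault(rel, a["href"])
    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def check_delegation(html):
    """Report which recipe(s) an identity page satisfies and what is missing."""
    p = _HeadLinks()
    p.feed(html)
    v1 = {v: p.links[k] for k, v in OPENID1_TAGS.items() if k in p.links}
    v2 = {v: p.links[k] for k, v in OPENID2_TAGS.items() if k in p.links}
    problems = []
    if "server" not in v1 and "provider" not in v2:
        problems.append("no provider link inside <head>; discovery will fail")
    elif v1 and not v2:
        problems.append("OpenID 1.x tags only; consumers without 1.x compatibility miss it")
    elif v2 and not v1:
        problems.append("OpenID 2.0 tags only; 1.x-only consumers miss it")
    if "delegate" in v1 and "local_id" in v2 and v1["delegate"] != v2["local_id"]:
        problems.append("openid.delegate and openid2.local_id disagree")
    return {"v1": v1, "v2": v2, "problems": problems}

# Constructed sample: a delegation page set up the old way, with 1.x tags only.
OLD_PAGE = ('<html><head><link rel="openid.server" href="https://provider.example/server">'
            '<link rel="openid.delegate" href="https://provider.example/id/alice">'
            '</head><body>alice</body></html>')

# Constructed sample: the same page also carrying the 2.0 tags.
FIXED_PAGE = OLD_PAGE.replace("</head>", (
    '<link rel="openid2.provider" href="https://provider.example/server">'
    '<link rel="openid2.local_id" href="https://provider.example/id/alice"></head>'))
```

Running check_delegation over your own identity page before pointing a 2.0-era consumer at it shows whether the old-style tags are all it carries.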

Another (Ubuntu-specific) issue was that it was failing to authenticate against Yahoo’s service because I was missing some bits of OpenSSL… This was fixed with a quick sudo apt-get install openssl ca-certificates

Now I’ve had a few brushes in recent months with OpenID, mainly around the web provision for the XCRI project – where we got OpenID working across WordPress, MediaWiki, and (through some rather cheap hacking) bbPress. It was however reliant on plugins for said apps and never really a very satisfactory experience – generating a long string of complaints from users getting very variable results depending on which provider they were using. Upgrading any particular component of the site seemed to just lead to more chaos.

Sadly I think that these variable experiences do rather detract from the potential that OpenID has to help us all better manage our online identities. That and the insistence of so many “providers” like Yahoo! that they are just that, providers and not consumers. I’ve already got about 6 OpenIDs on the go without really realising – useful for testing but the exact opposite of the single authentication service goal. Tsk tsk.

Anyway… Now that I’ve actually tackled the problem at a slightly deeper level I’m feeling confident that over time we can not only iron out XCRI’s woes but also introduce OpenID across the JISC CETIS (and IEC) services in a reasonably robust way. The future looks rosy, the sky is blue, thunderclouds? What thunderclouds?

TOGAF: fetch me a 27b stroke 6

I’ve been attending a course on The Open Group Architecture Framework or TOGAF down in London. The aim of TOGAF is to provide a methodology for effecting change in the IT capabilities of an organisation by taking a consistent (though perhaps rather top-down) approach to structuring everything through analysing the business needs and processes…

The course, run by Architecting the Enterprise, was pretty PowerPoint-heavy and by the end of the first day we were all getting pretty sleepy. There was plenty of terrible clip art and bullets bullets bullets. The second day was slightly better as we were all that little bit more awake, but still there was a general consensus that the balance could be more on the workshopping of the case study as a means to teach the method rather than the endless transmission. They are doing the job of giving us an understanding of the methodology – my criticism is simply a question of style.

The first principle of TOGAF is to put in place an architecture process – or Architecture Development Model – mapping out the business needs, applications, data and infrastructure which go to make things work. Simply thinking about the architecture you’re planning to put in place, who the stakeholders are, scoping it out sensibly, getting the right solutions and planning the migrations in a structured, iterative manner, considering risks, etc. should clearly help organisations to run a more efficient and tight ship in terms of alignment of IT with the actual business needs. The daisy below shows the model, each petal representing a core element of the process, all feeding the central requirements. In this diagram one petal is expanded to show the sub-process within…

TOGAF’s Architecture Development Model (as exploded by

The question for us in education is of course how this gels with the constraints in which we work – how we get the buy-in from both the top and bottom of the organisation for such an approach. Can it be applied in a more lightweight way? How do we deal with the technological shanty-towns that exist in academia? Ultimately we figured out that going through the initial stages of the methodology would probably serve to expose a lot of cultural issues and barriers to change within the organisation.

By way of context, the other participants of the course are mostly working on JISC Enterprise Architecture projects and actually have responsibility for applying these things in their own organisations.

There are a range of certified modelling tools for TOGAF – but it should be noted that there are other “un-certified” tools which could conceivably be used to model and manage the TOGAF process. As ever with these kinds of things they will all have their specific uses, affordances, personal fans, strengths, weaknesses and so forth. We were not given a specific push towards one tool within the training course, but we were given some criteria by which to evaluate them. The core questions are whether it supports the ADM process, deliverables and models, and how the tool handles import/export and extensibility. Most significant though are probably usability and cost of ownership – which varies wildly across the available products, from circa $100 per seat to thousands and thousands.

To be continued…

JISC Conference 2007

I’ve been at the JISC Conference in Birmingham. I skipped the opening keynote opting to sit around the CETIS stand talking to colleagues (wilbert/oleg/paul/osswatch etc) including discussing the potential for an improved project tracking system based on DOAP and what to do with the old e-Learning Framework – all of which is completely part of my work-plan for the next six months.

I mooched around the stands – picking up several good things like a small rubber armchair and a neat little 4-port USB hub. Thanks to the exhibitors whoever you are… but I then went and left the bag of goodies on a train! How silly is that. Fortunately it didn’t have anything of real importance inside.

The first session I went to was on the learner’s experience of e-learning. Based on two ‘big’ studies it examined learners and their use of and attitudes toward learning technologies. The session felt like somewhat of a bedding down into the Web 2.0 mould – acknowledging that learners are mostly streets ahead of institutions in terms of their demand for online services, as illustrated through blogs, MySpace, MSN and Faceparty, and that subverting these to educational ends is simply happening naturally.

One institution which has taken the bull by the horns and provided collaborative eportfolio-blogging services for the student body is Wolverhampton – through their use of PebblePad. Emma Purnell, one of their recently qualified PGCE students, came along to tell us all how she had caught the eportfolio bug and how it changed her learning – watch the video if you dare!

Next up, I went to a session about OpenAthens. In case anyone doesn’t know, Eduserv is a charity which provides the Athens authentication service to many educational institutions and organisations, mainly in the UK. The commercial and open-source worlds are starting to get on their own personal identity bandwagons with offerings such as OpenID and Windows CardSpace. To deal with all this Eduserv have cooked up a framework of their own which (for fairly obvious reasons) they have called OpenAthens. It’s a re-working of their existing software and services, only designed to work in a more heterogeneous environment. It includes libraries and plugins for client applications, administrative tools and pluggable back-end services capable of interfacing with all sorts of different federations and federation methods including Shib, OpenID and all the rest of them. By all accounts it sounds pretty neat. The session was supposed to be a workshop and I thought they might just do a real demo to show how it works… but no, this was another death-by-PowerPoint moment. They did however point to their developer site for us to glean the full gory details.

Finally, the inspirational talk of the day was given by Tom Loosemore from the BBC. He runs their whole online operation by the sound of it and mercifully sounds like he really has his head screwed on. He outlined the scale of the BBC’s electronic empire (thousands of sites) and took us through the 15 most important things you need to know about the web. It’s always heartening when someone just talks common sense and you can almost hear everyone in the room go “oh my, of course, how sensible”. You can of course read the commentary and see his 15 important things for yourself. Or read his blog, which is currently violating rule #8 – hopefully to be rectified soon.