Search - "sso"
-
IT: It's controlled via SSO, everyone has access by default.
Me: Oh, I'm sorry, you are correct, I don't have an error message on my screen saying I don't have access. I made it all up. Thank you, you may close the support ticket. -
So where to start... Let me preface this by saying I am a Software Architect for C# and do 99% dotnet development.
I just received a phone call from our Director of Development asking me to look at adding a feature for SSO with our company's main development project, which is written in PHP. I hope I made the correct changes but since I am not a PHP dev... I am not 100% confident in my code.
Now I am writing this as we are making the deployment Friday, December 29, 2017 at 5:00 pm. I should add that I am going on vacation for the next week.
So let me summarize... I am not a PHP developer, the non-PHP developer is making PHP changes on a Friday Night, and before a long weekend and before going on vacation.
I would like to point out that I said I was not 100% comfortable with this... but well this is what they wanted. I am not even sure what really to say about this though. -
So I worked on getting a server ready for about 30 hours last week to be ready for a deploy on Monday Night (last night). Not only did I work on it for 30 hours, we had two other architects and a senior engineer working on it too. We got everything done Friday and it was ready to go with a simple cutover on Monday night.
The only thing left to do was deploy a link change Monday night on the existing landing page. My part was the backend servers and application that had the complicated SSO system and the other part was just a link to get to the SSO. I asked the person responsible for deploying the landing page's link if he was ready about a dozen times. He kept saying he was deploying X (the code name for the project deploy) and that is all he was doing.
Now jump to that night. They have decided that a single landing page wasn't enough and they were going to deploy a full CMS. Well no one knew what the hell was going on and they didn't realize that the landing page was hosted externally on another host. After arguing for two hours they delayed the deployment for multiple days. 24 hours later they are still trying to figure out the CMS on a host.
30 hours and four senior engineers' time wasted to get everything done for the deadline all to be canceled because of one jackass's lack of planning. WTF -
Last week my company thought it would be a great idea to introduce a new sh*tty internal web portal that gives federated access to aws (instead of using our own accounts to assume dev roles like we used to do).
This broke a lot of sh*t that simply used to ask for an MFA token and used our practically permissionless accounts to assume a proper dev role. An MFA token that we'd enter directly into the terminal/tool. It was very seamless. But nooooooo we now have to go to a webpage, login with sso (which also requires mfa), click "generate credentials," copy-paste those into terminal/creds file and _then_ continue our aws cli call. Every. Single. Day.
BUT TODAY I HAD ENOUGH.
I spent the entire day rewriting the auth part of our tools so they would basically read the cookie that's set by the web portal, and use it to call the internal api that generates the credentials, and just automatically save those. Now all we need to do is log into the portal, then return to the tool and voilà, the tool's also got access! Sure, it's not as passive as just entering an MFA token directly, but it's as passive as it gets. Still annoyed by this sh*tty and unnecessary portal, but I learned a thing or two about cookies. -
So this is bloody hilarious, I submit my PWA to windows store, mainly for shits and giggles, see how the whole thing works and all that.
App gets approved, I go in and run another submission to upload a few extra screenshots, at this point they block it as I do not have a privacy policy, but accept user authentication, which is not the case, so after a few days of back and forth I ask them to attach a screenshot, so turns out I need a privacy policy as when the users click on the map link which opens Google Maps in a NEW window, has a sign in button.
According to them, this is "Opening within my application" and I am apparently able to access user details via Google's own sign in link, not SSO.
So as a joke, after some frustration I wrote up a privacy policy, what is an even bigger joke is that they accepted it…
This exists solely for the benefit of Microsoft who are having trouble comprehending the fact that RTMS Events does NOT have Authentication.
Microsoft believes that as the application uses Google Maps, and when Google Maps opens a “Sign In” button appears, that I am able to access your personal information.
As any reasonable person will understand, that is not the case, logging into Google Maps/Google for the benefit of using Google Maps in NO WAY gives anyone else access to your personal information.
So to be clear, I do not have any interest or access of any kind to your personal information, should you have any concerns about your privacy, remember, that the “Sign In” button is for Google, not RTMS, take up any issues with them, I am pretty sure they have a REAL and actually NECESSARY privacy policy.
http://rtms.events/privacy.html -
NO FUCKING GOOD NIGHT FOR FLOYD.
THIS MULTI FACTOR AUTHENTICATION IS A FUCKING NIGHTMARE.
So my organisation uses some MFA app as an SSO to access any and everything. Fantastic. Absolutely wonderful. No VPN shit and one password to rule them all.
But, for some reason I accidentally deleted the app from my phone and as any normal human being would do, I also reinstalled the app.
Well, post reinstalling, the app does not detect the linked Org account.
I was cool, when I'll login, the system will throw a prompt to map the phone.
So I login to org URL from my machine and lo and behold, the URL says that MFA is already linked to the phone and I have to enter the Citrix type code to login.
But the phone does not show the code because the account is no longer linked and the web does not have an option to change/re-register the phone.
What the actual unholy fuck?????? Bloody retards. How am I supposed to get in now?
So after Googling for a bit, a thread mentioned that this is the most common issue faced by users with this MFA app. The only way to get this resolved is to contact your IT team.
Cool. Let's do that.
I opened the link to my IT portal and it asks me to login via SSO which is what I need help with in first place.
I can't login to Slack because fuckers ask SSO every time the app is exited. So no contact there.
Thankfully bastards allow Outlook so I was able to drop a note to one of my team members, whom I connected with recently and who is very nice, asking her to help me sort this IT team.
If this is the most common use case then why the fuck not add a feature to help people overcome this shit?
And my IT team is absolute nuts. No other way allowed to reset the linking or connect them or any help links provided on login page.
Whoever was behind this design should be dipped in donkey shit and deep fried in pig urine. -
I have a project at work that involves learning a bunch of AWS stuff and rewriting a couple credential-generating scripts. I don't even know what the ask is, apart from some high-level "make this SSO" so ... idfk.
I am so incredibly bored of it (and burned out in general) that I can't even look at it.
I would rather see how many times it takes to beat my head against the wall to make a hole than think about this ticket again.
"Oh, I thought you would find that fun" No. No I do not. I can't even bring myself to look at it anymore. "Well, try to push through it and get it outta here!" Ughhhhh
I hope Russia nukes the bloody company. -
OMFG I don't even know where to start..
Probably should start with last week (as this is the first time I had to deal with this problem directly)..
Also please note that all packages, procedure/function names, tables etc. have fictional names, so every similarity between this story and reality is just a coincidence!!
Here it goes..
Last week we implemented a new feature for the customer on production, everything was working fine.. After a day or two, the customer notices the audit logs are not complete aka missing user_id or have the wrong user_id inserted.
Hm.. ok.. I check logs (disk + database).. WTF, parameters are being sent in as they should, meaning they are there, so no idea what is with the missing ids.
OK, logs look fine, but I notice user_id has some weird values (I already memorized most frequent users and their ids). So I go check what is happening in the code, as the procedures/functions are called ok.
Wow, boy was I surprised.. many many times..
In the code, we actually check for user in this apps db or in case of using SSO (which we were) in the main db schema..
The user gets returned & logged ok, but that is it. Used only for authentication. When sending stuff to the db to log, old user Id is used, meaning that ofc userid was missing or wrong.
Anyhow, I fix that crap, take care of some other audit logs, so that proper user id was sent in. Test locally, cool. Works. Update customer's test servers. Works. Cool..
I still notice something off.. even though I fixed the audit_dbtable_2, audit_dbtable_1 still doesn't show proper user ids.. This was last week. I left it as is, as I had more urgent tasks waiting for me..
Anyhow, now it came the time for this fuckup to be fixed. Ok, I think to myself I can do this with a bit more hacking, but it leaves the original database and all other apps as is, so they won't break.
I create another pck for api alone, copy the calls, add user_id as param and from that on, I call other standard functions like usual, just leave out the user_id I am now explicitly sending with every call.
Ok this might work.
I prepare package, add user_id param to the calls.. great, time to test this code and my knowledge..
I made changes for api to include the current user id (+ log it in the disk logs + audit_dbtable_1), test it, and check db..
Disk logs fine, debugging fine (user_id has proper value) but audit_dbtable_1 still userid = 0.
WTF?! I go check the code, where I forgot to include user id.. noup, it's all there. OK, I go check the logging, maybe I fucked up some parameters on db level. Nope, user is there in the friggin description ON THE SAME FUCKING TABLE!!
Just not in the column user_id...
WTF..Ok, cig break to let me think..
I come back and check the original auditing procedure on the db.. It is usually used/called with null as the user id. OK, I have replaced those with actual user ids I sent in the procedures/functions. Recheck every call!! TWICE!! Great.. no fuckups. Let's test it again!
OFC nothing changes, value in the db is still 0. WTF?! HOW!?
So I open the auditing pck, to look the insides of that bloody procedure.. WHAT THE ACTUAL FUCK?!
Instead of logging the p_user_sth_sth that is sent to that procedure, it just inserts the variable declared in the main package..
WHAT THE ACTUAL FUCK?! Did the 'new guy' make changes to this because he couldn't figure out what is wrong?! Nope, not him. I asked the CEO if he knows anything.. Noup.. I checked all customers' dbs (different customers).. ALL HAD THIS HARDCODED IN!!! FROM THE FREAKING YEAR 2016!!! O.o
Unfuckin believable.. How did this ever work?!
Looks like at the beginning, someone tried to implement this, but gave up mid implementation.. Decided it is enough to log current user id into BLABLA variable on some pck..
Which might have been ok 10+ years ago, but not today, not when you use connection pooling.. FFS!!
So yeah, I found easter eggs from years ago.. Almost went crazy when trying to figure out where I fucked this up. It was such a plain, simple, straight-forward solution to auditing..
If only the original procedure was working as it should.. bloody hell!! -
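The failure mode in this rant, as an added example that is not the poster's code: an audit procedure that stamps rows with a session-scoped "current user" variable instead of the user_id it is handed, replayed through a small round-robin connection pool built in-process with sqlite3. The table and parameter names (audit_dbtable_1, p_user_id) follow the rant's fictional naming, the pool and the traffic are constructed, and the fix is simply to log the parameter.

```python
import sqlite3
from itertools import cycle


class Session:
    """One pooled DB session. `pkg_current_user` stands in for a session-scoped
    package variable that the original code set at login and never again."""

    def __init__(self, name):
        self.name = name
        self.pkg_current_user = 0  # 0 = "nobody", the value the rant kept seeing


def audit_buggy(db, session, description, p_user_id):
    """The rant's defect: p_user_id is accepted but ignored; the row is stamped
    with whatever the session-level variable happens to hold."""
    db.execute(
        "INSERT INTO audit_dbtable_1 (user_id, description) VALUES (?, ?)",
        (session.pkg_current_user, description),
    )


def audit_fixed(db, session, description, p_user_id):
    """Correct version: the explicitly passed user id is what gets logged."""
    db.execute(
        "INSERT INTO audit_dbtable_1 (user_id, description) VALUES (?, ?)",
        (p_user_id, description),
    )


# Constructed traffic: each request already knows its authenticated user id.
WORKLOAD = [
    (42, "login"),
    (42, "view invoice"),
    (7, "login"),
    (7, "approve order"),
    (42, "export report"),
]


def run_workload(audit_fn, pool_size=2):
    """Replay WORKLOAD through a round-robin pool and return the audit rows.
    A login sets the session variable; every other request just uses whatever
    pooled session it is handed, exactly like an app behind a connection pool."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE audit_dbtable_1 "
        "(id INTEGER PRIMARY KEY, user_id INTEGER, description TEXT)"
    )
    pool = cycle(Session(f"conn{i}") for i in range(pool_size))
    for user_id, action in WORKLOAD:
        session = next(pool)
        if action == "login":
            session.pkg_current_user = user_id  # the only place it is ever set
        audit_fn(db, session, action, user_id)
    rows = db.execute(
        "SELECT user_id, description FROM audit_dbtable_1 ORDER BY id"
    ).fetchall()
    db.close()
    return rows


def mismatches(rows):
    """Audit rows whose user_id disagrees with the user who really acted."""
    return [
        (expected, got, action)
        for (expected, action), (got, _) in zip(WORKLOAD, rows)
        if expected != got
    ]


if __name__ == "__main__":
    for name, fn in (("buggy", audit_buggy), ("fixed", audit_fixed)):
        rows = run_workload(fn)
        print(name, rows, "wrong rows:", len(mismatches(rows)))
```

With two pooled sessions the buggy version logs user 0 for the requests that land on the session nobody logged in on, and logs user 7 for user 42's last request because 7 was the last person to log in on that session; the fixed version is right on every row. Session state only looks like a valid place for "who is acting" when every user gets a private connection for their whole visit.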
Manager: You want a promotion? To senior? Ha. Well, build this web app from scratch, quickly, while still doing all your other duties, and maybe someone will notice and maybe they’ll think about giving you a promotion! It’ll give you great visibility within the company.
Your first project is adding SSO using this third party. It should take you a week.
Third party implementation details: extremely verbose, and assumes that you know how it works already and have most of it set up. 👌🏻
Alternative: missing half the details, and vastly different implementation from the above
Alternative: missing 80%; a patch for an unknown version of some other implementation, also vastly different.
FFS.
Okay, I roll my own auth, but need creds and a remote account added with the redirects and such, and ask security. “I’m building a new rails app and need to set up an SSO integration to allow employees to log in. I need <details> from <service>.” etc. easy request; what could go wrong?
Security: what’s a SSO integration do you need to log in maybe you don’t remember your email I can help you with that but what’s an integration what’s a client do you mean a merchant why do merchants need this
Security: oh are you talking about an integration I got confused because you said not SSO earlier let me do that for you I’ve never done it before hang on is this a web app
Security: okay I made the SSO app here you go let me share it hang on <sends …SSL certificate authority?>
Boss: so what’s taking so long? You should be about done now that you’ve had a day and a half to work on this.
Abajdgakshdg.
Fucking room temperature IQ “enterprise security admin.”
Fucking overworked.
Fucking overstressed.
I threw my work laptop across the room and stepped on it on my way out the door.
Fuck this shit. -
Just a couple weeks ago I felt a bit like a hero.
My boss, who seems to have only a vague understanding of realistic deadlines, for once made an error that gave me more time than I needed, not less. I was working on a feature that other work would rely on, so some people had to wait to work on their own projects until I was done.
My boss said it would be done in two weeks, but the only reason why it would have taken that long was because I'd have to submit a ticket to our identity management team to set up the SSO integration with our identity provider, and their turnaround time is two weeks. Or it used to be, but they've actually gotten really fast recently, and as I'd actually grabbed this feature from someone else who had to take a few days off, he'd already gotten the SSO stuff taken care of in advance. My boss promised two weeks and I finished in two days. The shocked silence when they asked for a status update in our next meeting and I told them I'd just finished it was music to my ears. -
Don't bother programming anything for us. We'll never use it. (I work as an IT help desk technician at a school and this was from the IT director)
They now use 3 of my projects (one SSO authentication, another issue tracker, and the other inventory) -
We are required to use corporate SSO for any authenticated internal websites, and one of the features they require you to implement is a "logout" button.
They provide a whole slew of specifications, including size and placement/visibility, etc. They provide an SSO logout URL you must redirect to after you take care of your own application logout tasks.
Makes sense... except the logout URL they provide to serve the actual SSO logout function broke over 3 months ago, and remains non-functional to this day.
Apparently I'm the first person (and perhaps one of the only people) who reported it, and was told "just not to worry about it".
So, we have a standing feature request to provide a button... that doesn't actually work.
Corporate Security - Making your corporation _appear_ more secure every day... -
Other staff: I’m having trouble logging in to website A. My password doesn’t work.
[Me thinking: That's weird. When I set up your account, the password worked. I told you to change it. So maybe you forgot your new password. We haven't changed anything about the login process.]
Me: I reset your password. [sends new password]
Other Staff: The new password doesn’t work. But I can log in with Google.
Me: 😶 Website A does not have sign in with Google. What website are you actually on??? -
I actually found a use for Outlook's scummy default behaviour to open links in Edge and not the default browser.
On my company laptop I mainly use Librewolf because it allows installing plug-ins despite group policy. I only use Edge for Azure DevOps and company portals because MS SSO doesn't work with Librewolf for some reason.
Because Outlook disregards the OS settings and uses Edge by default, MS software forms a sort of bubble, and I can freely set Librewolf as my default browser. -
My high school computer labs all had Macs and SSO for the students. I found out that they had remote login enabled on all of them.
Using CSSHX, I could log in to every computer in a room simultaneously, turn the volume all the way up, and make them sing.
I never tried any privilege escalation, so my capabilities were basically limited to that.
Still fun as hell to freak out everyone in a room all at once. -
So, I'm the engineering leader of a startup. This year, the company hired new directors and with that a new CPO. We've been using Google Workspace and have all our infrastructure on GCP. We never had any trouble with Google products. We also have Google SSO configured in almost every tool out there.
Yesterday, the new CPO sent me a request to change "just some dns" on the domain. Those "just some dns" were Microsoft 365 MX, CNAME and TXT records.
I asked him if he was planning to switch to MS.
He answered: "yes! The team (a new team of marketing) wants to use PowerPoint and Teams".
I don't know you guys, but I hate MS products. They're just bad.
So, yes, it seems that now I'm gonna waste my time switching and configuring everything with MS just because they don't know other tools that are way better than any MS product!
I tried to convince him this wasn't a good move, but it seems my opinion equals zero at this company.
I just hate this type of product managers that always want to reinvent the wheel to let others see that they are doing something important when they're not.
Also hate when managers make decisions without ever consulting the people that will be affected by those decisions... But I guess that's how it works in this world... -
At my institution there is a sys admin that belongs to an entirely different department. They have their own systems on their own network, separated from ours. I do not care, nor do I mind at all, but this is the second time I've had to put their admin in his place.
The first instance was when we had a security firm gauge our systems for vulnerabilities etc. The one that they have was fine, but required some additional configurations on their Tomcat servers. The "sys-admin" contacted I.T. (my department) in order to request assistance, the net manager was the one he contacted, and he told the dude that he is not familiar with the Tomcat environment that they have, but that I, the dev manager, would possibly give him some pointers. The net manager is my friend, and he knows how much of a dickhead I am, so he was careful in what he told him. So the dude calls me:
"Hey, I need some items fixed on my Tomcat servers, they told me you have to do it"
Me: "Who? those are your servers"
Him: "The net manager said that you would do it"
Me: "I am certain he didn't tell you that bud, no one here will take care of your servers, they are yours, I am not doing any configurations on your stuff, that is your job"
Him: "Can't you just do them?"
Me: "No, bye"
The little bitch escalated it to my department director, who told him exactly the same thing, the director did ask if I would be willing to assist, I told him no since even though his configurations were minimal, I was not going to put myself in the position to which that fucker's ineptitude would cause him to point fingers at me, director backed me up and told the fucker to deal with his own shit.
This year it came to my attention that not only do they have their own servers, but their own SSO system. This moron contacted me, tagging VPs and such in the email to tell me that I had to configure his SSO because "they told me you had to do it". The same shit happened, but this time I put him on blast during a meeting and told him that as "sys admin" for his stuff it was his responsibility to deal with the SSO that they have, and to contact the vendor to ask for the specifications. In front of EVERYONE he asked me if I could do it for him, I fucking looooooooled and told him that he just admitted to not being able to do his job (for which he is paid handsomely) in front of the entire room of VPs. One VP asked me why I was not willing to help him, and I told the VP that it would be the equivalent of me taking his vehicle for services, it is not my vehicle, thus not my responsibility. The VP agreed and told the fucker to get on with it and do what I said: contact his vendor channels to figure it out himself since it was indeed his position.
Yet again he said that he didn't know about SSO configs and that he was "told that I would do it", everyone asked who the fuck told him that and he said that the vendor, they asked again how it was and he showed the message from the vendor telling him: "Have your SSO admin perform the following <bla bla bla bla>" they asked him who was the manager for the SSO that they had. He said that it was him. Then they asked him what logic made him believe that it should be me, he stated again "they told me it was him".
I could hear everyone's brains shortcircuiting as no one could believe someone would be this fucking dense.
I don't think he will continue to have his job for much longer. I understand not knowing something, and I would have been happy to give pointers since I do administer systems of that level, but I can't with the whole made up "they said he would do it"
Bitch who said that? just say that you want me to do it because you can't, I mean, I am still not fucking doing it, but damn. Fucking morons man. -
I went to meet a client with our CTO. In the meeting we discuss the implementation of SAML SSO. Their SSO guys asked whether they need to build 2 trusts for our application because we have 2 modules that use SSO. Both the CTO and I were not sure because we did not have any prior experience of integrating SAML SSO. To act professional, we couldn't say we were not sure. So the CTO said we needed two trusts. I immediately added "We may only need one. Let us do a bit of investigation and confirm."
After the meeting I did the investigation and found out we really only needed one. So I sent out an email to tell the client, cc the CTO. 1 minute later I got the email from the CTO "why tell them one when I said two?". When it's an immediate response with only 1 line, I know I'm in trouble. So I called him and was ready to explain to him. I couldn't. Later I found out the time I was calling him, he was talking about this with the CEO.
I thought maybe I can explain to him when he's available. The next morning as I came to work, the CEO asked me to come to his office. He closed the door, and told me the first line the CTO told him the day before was "I want him (me) fired." I was so shocked. Having been working with the CTO for quite a while, I was surprised he said that without even communicating with me. Did I do something that wrong that you don't even bother to tell me what's wrong? I was not fired because the CEO at least asked what happened. He also understood I was actually making a better technical decision. But well, guess I shouldn't be making a decision when I had no power to. And even I believed the client heard my "let me investigate first" comment, the CTO didn't. I still got an unofficial warning. For that whole day because of the stress, I don't remember getting anything done.
Fuck that acting like professional and smart when you are not. I'd go down the path of becoming professional and smart instead. And fuck meeting with clients. I'm a dev don't fucking dare to talk to me and get me fired. If you wanna talk, talk to the big guys who don't make us look bad like I did.
If you ask me today I still believe I haven't done anything wrong there. So fuck everything. -
At my previous company, we used tools from all over the place. We switched between tools at will. Sometimes, some team would decide to use some tool while the rest of the company would use something else. The worst part was that there was no Single-Sign-On (SSO) either. Everyone would need to have an account on all of these said tools. It was chaos.
I realized that being integrated into one environment (even though it would have the cost of a vendor lock-in) was the best option to have because in that case, we wouldn't have to deal with operational hurdles like having integration from one tool to another. They would just come baked in with the whole environment. That's how GSuite (formerly Google Apps for Work), Atlassian and other players succeeded - they gave a complete suite of services / software that integrated well with each other. You could jump back and forth between services without having to bother about integration with other tools. They'd all be there wherever you wanted them to be. Even cloud providers saw that opportunity and built on it - Amazon Web Services (AWS), Google Cloud Platform (GCP), Kubernetes (in itself).
Another example is a company that used Jira, Confluence and Hipchat but for some dumb reason used Gerrit for their code review / hosting. Eventually, they realized that managing the integration with the Atlassian tools was far more expensive than getting bitbucket and migrating completely into the Atlassian environment.
It's always the integration that matters. Everything else is secondary. -
Randomly one day, out of the blue:
Echelons: You now have Workspace, and it’s a requirement you use it. Make it successful because we paid and are paying a large dollar amount for it, and our competitors have reported success with it. We want email communications companywide eliminated by 50% within the first 60 days.
Management: Ok, excellent! We want to do XYZ.
Echelons: Nope, can’t do any of that.
Management: Ok, how about a, b, and c?
Echelons: Nope, nope, nope.
Management: Alright, let’s try 1,2, and 3.
Echelons: Nope, not possible.
Management: What can we do then? We need further direction at this point.
Echelons: One group for all departments, posts, and attachments only. PDF, .jpeg, .png files only. Everyone in the company must be registered within seven days and using the platform. Only mobile devices allowed.
Management: We have almost 10,000 employees, and the SSO aspect alone could take weeks and months.
Echelons: Insignificant as Facebook said it should be easy to deploy. Also, every post not created by admin will need to be manually approved and done so within 5-10 minutes after its submission 24/7, 365.
Management: Ok, solved. A little shaky, but it’s working. Can we increase the number of admins and moderators?
Echelons: Only 1700 employees have registered; the app has been up 14 days now? What’s wrong? Where’s the engagement? Effective immediately, all members of management must be creating and starting 4 to 7 posts daily, including weekends.
Management: Our registration process with the SSO client isn’t smooth and clean across all devices. We had to implement training to overcome this. Can we increase the number of admins and moderators? Can we make all members of management either administrators or at least moderator? Can we at least turn on live streaming and video formats?
Echelons: No! 10 admin and mods max. Yes to streaming and video.
Echelons: Progress update, please. Include ROI timeline and impactful usage data. This must pay for itself in the first six months and continue to pay for itself long term, along with showing XYZ company-wide growth quarterly.
Echelons: Hello?
Echelons: Hello?
Having Workplace shoved down your throat has been an interesting experience. Anyone have any exciting ideas or examples to share on what they have utilized with Workplace and increased employee engagement? -
The world of SSO (Single sign on) it's a real shit.
At the start I thought it's a pretty common feature that lots of people want, so there should be a lot of open source options for making a server and client libraries.
So far I've only found two libraries, written in Java with a fucking big book instead of a simple documentation with billions of options and features but without a fucking guide to get it running and connect with a database.
Is it that hard to write an easy manual with the steps to get it running instead of a giant book with millions of technical terms and architectural details? -
Why does authentication of web services have to be so fucking complicated?
PAM, OpenID, LDAP, SSO...
Every fucking service supports something different and I have a hard time finding a decent tutorial on LDAP and the likes. -
A normal day on my CMS as a Service...
URL: https://go to CMS
> Login screen: enter credentials, check checkbox "remember me" (which doesn't remember you)
> redirected to SSO (single sign-on welcome page)
> Re-enter URL to go to CMS
> Fires up second browser on second screen, do the exact same things as above
--- Code editing
As it's a very modern CMS, you have to edit the code via the CMS using a bulky and honestly shitty editor (or rather: they didn't spend time configuring it to be at least semi-decent).
Plus default white horrible theme.
> Go to "/themes"
> Scroll all the way down the page
> Enter filename in search box
> Click the "Edit" button, which is a small button located right next to a much bigger red "DELETE" button. When you middle click (as I always open files in new tabs) on the DELETE button, it DELETES without confirmation. In such cases, you lose up to three days of work asking the providers to set it back up for you via their backup - and charge you for that. So sorry for deleting an *important* file
> Edit the file.
> Save the file - it takes 3 seconds. Upon saving, rescroll again to where you were in the code.
> On the other screen, refresh dev view of current template
> Wait 5 seconds
> If there are any special blocks, they all load via a semi-synchronous AJAX request (it's async, but they load one by one), the same time you waited to refresh your page.
> Notice you forgot adding some markup
> Re-edit the file, save...
> OH NO - I'VE BEEN BACKGROUNDEDLY DISCONNECTED. Back to Login page.
> Enter credentials.
> Am not on the CMS, but on the SSO
> Navigate back to file
> Re-write new changes
--- Manager comes in:
I need you to edit XXX objects in DB Manager (a big PHPMyAdmin if you will)
> New tab, go to https://DB
> Although still connected on CMS, I have to re-enter credentials
> Am redirected to SSO
> Re-enter https://DB
> Find the object (20 seconds of loading)
> Find the appropriate field
> Find out the field is in fact another object located elsewhere
> Uff, thank goodness, there's a shortcut button to directly edit said elsewhere object
> Operates on elsewhere object + save
> Re-edits original object + save
> ERROR 500, APPLICATION UNEXPECTEDLY CRASHED
:') painful much?
(for those who ask: yes i've got plenty of mind-reflexes in order to minimise losses) -
To all websites requiring at least one upper case, one lower case, one number, one special character, 25 emoji and 49 unicorns in the password when signing up.
If you say something is required, then your regex BETTER be checking ONLY for those things. You should not have hidden requirements for passwords that users are supposed to dream about and know. Especially if it's a super time-sensitive thing that they should have opened 2 Fridays ago.
I had to pull my hair out for 20 minutes (that felt like an hour) before looking at their code and reading their regex. The regex was different from what the page said the requirements actually were. What were they even thinking? 😑
The rest of everything related to this organization uses an SSO system, why can't they just use it? Isn't the whole point of SSO to avoid a different login for every tiny part of the system?
I wonder what the other less technically inclined people using the system are doing right now. Sadly, I have no way of letting them know.
I sincerely hope the dev that made that website faces the same thing while picking a password for creating an account somewhere else and realizes what he/she did.
I really needed to let it out.
I feel much better now.
Time to take out the stress ball :)
-
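The complaint above (the page states one set of rules, the regex enforces another) goes away when the sign-up text and the validator are generated from the same rule table, and the rejection names the specific rule that failed. Added example, not the rant author's code; the policy below is a constructed sample.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    description: str  # what the sign-up page tells the user
    pattern: str      # what the validator actually checks


# Constructed sample policy: this one table drives BOTH the page text and the check,
# so a rule cannot be enforced without also being stated (and vice versa).
PASSWORD_RULES = (
    Rule("at least 8 characters", r"^.{8,}$"),
    Rule("at least one upper case letter", r"[A-Z]"),
    Rule("at least one lower case letter", r"[a-z]"),
    Rule("at least one number", r"[0-9]"),
    Rule("at least one special character", r"[^A-Za-z0-9]"),
)


def requirements_text(rules=PASSWORD_RULES):
    """Text rendered on the sign-up page, derived from the enforced rules."""
    return "Password must contain: " + "; ".join(r.description for r in rules) + "."


def failed_rules(password, rules=PASSWORD_RULES):
    """Descriptions of every rule the password violates (empty list when valid).

    Reporting the specific failed rules, rather than a bare 'invalid password',
    is what keeps users from guessing at hidden requirements.
    """
    return [r.description for r in rules if not re.search(r.pattern, password)]


def is_valid(password, rules=PASSWORD_RULES):
    """True when the password satisfies every rule in the table."""
    return not failed_rules(password, rules)


if __name__ == "__main__":
    print(requirements_text())
    for candidate in ("Correct-Horse7", "correcthorse7", "Ab1!"):
        missing = failed_rules(candidate)
        status = "OK" if not missing else "rejected: " + ", ".join(missing)
        print(f"{candidate!r}: {status}")
```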
I've had a lot of jobs, and they've all employed some form of single sign-on. But all of them have required enough individual logins for various services that I had to maintain a full category for that employer in my keepass. Until now.
This company has, by far, the most comprehensive SSO I have ever seen. Perhaps it should not be surprising that it works so well, as it is 100% made in-house. But for a company of this size, that's an amazing achievement. It speaks to excellent planning, it seems to me.
Anybody else ever worked for a large company that had a truly unified SSO?
-
My workplace is still using xml based configuration, and non-spring boot projects.
So every spring boot tutorial I find feels like "Look at how easy you can get this running" and then it's just actually a toy you can't get into production.
Also it kind of bugs me that you need to be online to actually be able to initialize/create a spring boot project and every single tutorial says so.
You can make a local network m2 repository, but can one make a spring initializer service?
Either way, migrating every single project to Spring boot is a no-no,
And I'm stuck with like 5 prototypes of SSO integration from which only 2 work, and the other 3 have their own problems.
One does redirect to the login and all, but the SAML endpoint gets 404 on response when you log in.
One is on OpenID Connect, but I would need to update the project from Spring 3 to Spring 5 to get it working, which upon attempting to do seems to break everything else.
One has an external library handling the security context just the way we are accustomed to, but it only does a 401 forbidden when you go without logging in and I'm starting to think it is actually one of those that require you to extract the token or something manual like that, which wouldn't work for us
The other two are spring boot tutorials that worked out of the box, both SAML and OpenID, still can't use those for the main projects.
I'm tired of dealing with this configuration hell, been two months at this, I want to get features done as usual, not be stuck configuring stuff that might or might not work.
Rant aside, I think I figured I need to use a different Security adapter, but I needed to vent.
-
SSO = (P)ain in (T)he (A)SS!!
I really like to build upon all the existing awesome open source projects out there. Contributors are heroes.
But handling a single user session for n to the fucking x sub sessions to all these backend applications is simply a pain in the ass.
-
Complaints about how FE rendering is so slow when BE apis take forever to return. Working on performance projects and feel like you've done nothing at all at the end of each day.
-
Am currently developing an app which uses an IaaS named Auth0. Great experience so far, reasonable docs, unlimited users, social login, SSO and support for about $29/m.
After an inquiry from a customer to provide MFA, I contacted Auth0 to see what it would take to use this feature.
"We only offer this in our Enterprise plan which starts at $18k/yr."
Well, fuck me with a pitchfork and call me Bridget the midget. I'll code it my goddamn self.
-
"We need to implement SSO across our legacy apps in 2 weeks. Don't worry about the details just do it. Pretend you're playing football with computers." MFW
-
Okta emailed me trying to sell their SSO gubbins.
I actually quite like the idea of being able to abstract away all the providers people might want to log in with, and making it someone else's job to check whether those providers are trustworthy.
But the email is copied to every permutation of my name/surname/initials etc @mydomain.com.
They had no legitimate way to obtain my email address for marketing purposes, so they just guessed it.
And I'm supposed to believe no corners will be cut and no bodges applied in making sure the user is who he claims to be?
-
I am the person responsible for the Atlassian Suite at work, as I maintain the systems, set them up, and stuff.
One day, our crowd (the authentication and authorization application) just went crazy. At like lunch time it could not connect to the AD anymore. No reasons. Throwing XSRF errors (cross site scripting), because http would connect to https. "won't do it, fuck you" it told me. Out of the blue. No one changed anything. And yea, seriously. No one did.
It just refused to connect (as connecting to AD is connecting yourself with your own api. And refusing yourself talking to yourself). It runs behind a proxy. Therefore http/https. Well, this worked for years. But all of a sudden not anymore.
Yea. Fuck you.
It was reported some hours later, at like 3pm, as people could not login to the applications using crowd as authentication and authorization server.
Tried to debug the system, where nothing was done, to make it work. At best time to fail.
First workaround: if you are logged into one of the other applications of atlassian, just refresh the site, so your SSO token gets a refresh and you are signed on again.
Then I searched more and more. And more.
But nothing worked, nothing helped.
So I addressed an emergency maintenance, take down the whole Suite, restart crowd, to apply some changes to its settings, not knowing what happening then, because all connections of SSO will then be released. Sent out the mail like 30 minutes beforehand.
While waiting for the window, I just typed my credentials... And redid, and redid, so to type and being bored.
Three minutes before the window...
It just worked again.
Well. Wtf. Seriously.
Just came back.
No Intrusion, no changes at all. Just came back, as nothing has happened.
Kind of best part of this story... A headhunter messaged me on my way home to offer me a job as an Atlassian Suite SysAdmin for a company, at kinda the double of my salary.
At first I was thinking to go there, and when someone then asked me sth about Atlassian just start to laugh and then leave still laughing...
But then I very nicely responded that I don't want to cry at work. And wished him best luck.
I am doing some bad upgrades now on our Suite. Very painful.
And I looked into the start scripts. Some look like the untalented intern tells another one to write scripts. Seriously wtf.
Today I followed the guide to update a Confluence and change database to Postgres. Didn't work, Postgres error.
Try it again, jquery won't load. Next try, tomcat not starting anymore. Did same thing. Every fucking time.
Yea. Maintenance window to get a nice new export soon. Will only take an hour.
To switch database in confluence, you need to set it up very fresh. And then Import your export.
Export takes an hour at our system.
Importing maybe the same time. Hope it will work (hint: Nope).
Oh, can be nice also. Just tell the Bitbucket to migrate databases, there is a fucking setting for it. Enter new database, ready, go, finished.
At least they don't raise costs very much every kinda year.
Oh sorry, yes, they do.
-
My teacher in school: Starts PC, after booting the SSO login prompt appears - teacher looks confused and doesn't know what to do because: "My computer always displays Google, where's my Google at?"
-
I was tasked to implement SSO. I was quite terrified, because I am working on a legacy project where everything is implemented poorly. After a series of questions I finally found out that the client's image of SSO is just connecting to another db to validate against a user table. I felt relieved :D
-
I have a question for you. You work for an industry, a factory, in house. You have only one developer to help you.
They ask you for an app to store production and get reports. Ok
Then before a year passed, they want you to start making apps for: project management, hr 360 evaluation, implementation of SSO without paying a third party service (like auth0 or okta)
Would you feel comfortable, even if the proper time was given, to get involved with so many different domains without anyone above you having any idea about software lifecycle and development?
-
So you guys know how universities can sometimes have TERRIBLE old software that hasn't been updated for years, and sometimes you want to do a specific process over and over again so you end up automating it, now, we've built a tool that automates downloading projects from the University Moodle website, and we would like to publish it for other students to use.
Problem.
The University is using SSO.
And so far we've made the application to work by observing the network connections over the Android app version in order to extract the cookie session, now imagine that we publish this little tool, and tell people to do those exact steps, of course it's impractical and misses the whole point of the tool itself for being easy to use.
So, where can I read more about SSO, how can I figure out what the University uses? And if I had to reverse engineer this, where should I start? (It goes over 4 pages and I'm not able to capture those requests to even figure out what's going on)
In short is there a guide where you take a university SSO service and build on top of it? I couldn't find anything that is helpful.
-
Two years ago we took over this project which has been a nightmare to maintain. It's a set of netcore 2.1 webapps running on an on-prem windows machine. Everyone who has worked on it so far has quit, leading to two episodes of it being passed on with near zero handover.
Its function is fairly simple, so naturally we have been nagging to redo it and cloudlift it.
I was finally given one week to see how far I'd get, and had a poc running in Azure after one day; 4 apps in clean net6, SSO, and managed identities. The only thing lacking was setting up the authentication for third parties.
And... they still don't want "something new" when the old one works. Back to IIS and debugging windows event logs.
-
While planning my (personal) server I just seem to pile up more and more things to do/consider. Basically, for now I just want to have rclone, nextcloud and jellyfin, plus some usenet stuff later on. But I want to have the whole installation and configuration automated as far as possible, since at first it will run in a test environment and needs to be migrated to another server at a point, possibly even another OS. So I suppose that means docker, docker-compose and Chef (any better options?). I want SSL: Traefik. User management / auth? RADIUS, LDAP. SSO? keycloak. I also need to deal with virtual hosts. And probably much more..
Since I just have basic Linux knowledge and have no real experience with any of the other technologies, I feel a bit lost. I just got to the abovementioned software due to some ddg research. I don't mind digging deep, I want to learn (which is half the reason for this project), but it's not easy to see the best way to set this up.
-
I have read many horror stories about admob how people lost thousands of dollars cz google fked them
allen wong lost 100k$ cz google fked his account and banned it and took his hunnid k
so I have no clue whats going on and why do so many people get banned and lose money with admob or if this is even true
should I use admob and if not what tf do I use then to earn money for android app
-
I always have multiple accounts thanks to Single-Sign-On, so I don't find my event tickets, logins, and contacts. To make it worse, those sites regularly log me out for no reason and some force logging in using my Google account although I have a main account with my business email address.
I suspect that's another deceptive pattern that they let happen on purpose so they can claim to have more users than they really have.
-
[CONCEITED RANT]
I'm frustrated that I'm better than 99% of programmers I ever worked with.
Yes, it might sound so conceited.
I work mainly with C#/.NET Ecosystem as fullstack dev (so also sql, backend, frontend etc), but I'm also forced to use that abhorrent horror that is js and angular.
I write readable code, I write easy code that works and rarely, RARELY causes any problem, The only fancy stuff I do is using new language features that come up with new C# versions, that in latest version were mostly syntactic sugar to make code shorter/more readable/easier.
People I have ever worked with (lot of) mostly try to overdo, overengineer, overcomplicate code, subdivide into methods when not needed fragmenting code and putting tons of variables.
People only needed me to explain my code when the codebase was huge (200K+ lines mostly written by me) so they don't have to spend hours to understand what's going on, or, if the customer requested a new technology, to explain such new technology so they don't have to study it (which is perfectly understandable). (for example it happened that I was forced to use Devexpress package because they wanted to port a huge application from .NET 4.5 to .NET 8 and rewriting the whole devexpress logic had a HUGE impact on costs so I explained thoroughly and supported during development because they didn't know devexpress).
I don't write genius code or clever tricks and patterns. My code works, doesn't create memory leaks or slowness and mostly works when doing unit tests at first run. Of course I also put bugs and everything, but that's part of the process.
The point is that other people make unreadable code, and when they pass code around you hear rising chaos, people cursing "WTF this even means, why he put that here, what the heck this is even supposed to do", you got the drill. And this happens when I read everyone's code too.
But it doesn't happen the opposite way. My code is often readable because I do code triple backflips only on personal projects because I don't have to explain to anyone and I can learn new things and new coding styles.
Instead, people want to impress at work, and this results in unintelligible, chaotic code, full of bugs and that people can't read. They want to mix in the coolest technologies because they feel their virtual penis growing to showoff that they are latest bleeding edge technology experts and all.
They want to experiment on business code at the expense of all the other poor devils who will have to manage it.
Heck, I even worked with a few Microsoft MVPs.
Those are deadly. They're superfast code throughput people that combine lot of stuff.
Then they leave the problems at you once they leave.
This MVP guy on a big project for paperworks digital acquisition for a big company did this huge project I got called to work in, which consisted in a backend and a frontend web portal, and pushed at all costs to put in the middle another CDN web project and another Identity Server project to both do Caching with the cdn "to make it faster" and identity server for SSO (Single sign on).
We had to deal with gruesome work to deal with browser poor caching management and when he left, the SSO server started to loop after authentication at random intervals and I had to solve that stuff he put in with days of debugging that nasty stuff he did.
People definitely can't code, except me.
They have this "first of the class syndrome" which goes to the extent that their skill allows them to and try to do code backflips when they can't even do code pushups, to put them in a physical exercise parallelism.
And most people are like this. They will deny and won't admit, they believe they're good at it, but in reality they aren't.
There is some genius out there that does revolutionary code and maybe needs to do horrible code to do amazing stuff, and that's ok. And there are also few people like me, with which you can work and produce great stuff.
I found one colleague like this and we had a $800.000 (yes, 800k) project in .NET Technology, which consisted in the renewal of 56 webservices and 3 web portals and 2 Winforms applications for our country main railway transport system. We worked in 2 on it, with a PM from the railway company.
It was estimated 14 months of work and we took 11 and all was working wonders. We had ton of fun doing it because also their PM was a cool guy and we did an awesome project and codebase was a jewel. The difficult thing you couldn't grasp if you read the code is if you don't know how railway systems work and that's the only difficult thing.
Sigh, these people are making me sick of this job
-
I was able to replace Okta Verify with an open source Python script and Android app and I wrote a tutorial for it:
https://battlepenguin.com/tech/...
Unfortunately it won't work for our company's VPN which requires Okta Push. After fighting with Security for a bit, it looks like I'll have to do a Part II where I reverse engineer the Okta Verify protocol.
-
Fuck you "hackers"! You make my life miserable...
No longer can anyone simply enter their user name and password to enter an online app...
Now we as programmers have to leap from one fiery hoop on the precipice of a death defying cliff to another acidic hoop in some mystical forgotten cavern of the underworld just so our users can log in securely to our app... sigh... I'm looking at you Auth0 and Microsoft SSO / AAD !!!111oneeleven
I mean wtf even is a nonce?!
https://urbandictionary.com/define....
**gosh**
-
#WitchHunt: one of us is making websites that allow you to signup/login with Facebook, but still requires the user to enter a password to sign up! That's not SSO people!
-
Finally got the data from my API and displaying in my app using RxJS, so I work on getting user data read in after passing through an SSO page. Now that works but the original stuff doesn't.
-
Are there any good SAML 2.0 libraries out there for Node.js or Python?
Background: I'm working with SAML 2.0 SSO through ADFS at my current job. Our application server is a Java/Tomcat/Spring beast that I'm becoming more familiar with, and disliking more each time I toy with it. I'd like to move to something I and my team are more familiar with, and can better maintain/update/enhance.
So far I've tried (for Node.js) passport-saml and samlify, but neither have great documentation. I've also used python3-saml and it worked well. We're mainly a JavaScript shop, at least in my department, so Node.js would be preferable.
-
when setting up SSO with LDAP on a customer's system they tell me to use a different domain than the one that everything resides on. tell them it won't work because when I did an nslookup on this other domain none of the domain controllers are listed. today SSO starts working out of nowhere and they claim they didn't change anything. did an nslookup and see the domain controllers. looks like someone fixed their mistake but didn't want to admit they made one lol.
-
The requirement to lock down my workstation when I leave it + no SSO has done wonders for my bladder control.
-
When was the last time you implemented SSO for Azure AD? What technology did you use? SAML or OpenID Connect?
-
Urgent bug, some values are not getting displayed!! Frontend developer is always asked to debug, but don't we always know for sure it's Backend service not sending the value without having to debug
-
Redoing our web apps to use SSO... Every single page within the app runs LDAP authentication. What is the point of signing in and having session cookies if you are reauthorizing a logon on every page?!??? Now what seemed like a simple task of revamping the initial logon has turned into a hunting trip for LDAP queries and creating new sql tables