Social Connections V in Zurich - I'm speaking
I will be giving a condensed version of my "An Introduction To Working With the Activity Stream" presentation at the upcoming Social Connections V event in Zurich on 28 June. I'll be in the development track (surprise, surprise) at 11:20. As I only have 30 minutes the session will be highly condensed but the full presentation with all the examples will still be available to get you up to speed.
Hope to see you there.
Blog interview on IBMSocialSoftware.com
Last week I was interviewed for the IBM Social Software Blog and the interview is now live here. The interview is on my work with the activity stream and how to get started working with the activity stream.
IBM SmartCloud - credit where credit is due
On Friday I blogged about the changes that occurred on IBM SmartCloud over the weekend (SmartCloud getting an overhaul this weekend with changes that is looooong overdue) and how I was waiting for IBM to add proper Sametime support in SmartCloud meaning Sametime Proxy, Sametime webchat and Sametime app support. As it turns out these capabilities are available, just not visible in the dashboard or otherwise readily obvious. So I will give IBM credit for adding it but why didn't I know?! Anyways - props to IBM.
So the Sametime webchat is available at webchat.na.collabserv.com/stwebclient/iphone_index.jsp and of course it also means that the Sametime Proxy is available. Whether we may use it for actual, 3rd party applications, I will need to find out. There are *still* some really annoying restrictions when it comes to the Sametime entitlement for Notes users (see this tweet). Still waiting for Scott Souder to come back on that one.
Another cool thing (which is an off-spring of the Sametime Proxy support) is that the iOS app works and Sametime availability works on my iPhone and iPad. And even better is that there is a pre-set community configuration for IBM SmartCloud so it's real easy to configure. Pretty sweet.
SmartCloud getting an overhaul this weekend with changes that is looooong overdue
This weekend (8-9 June 2013) IBM is releasing their June 2013 Update to the SmartCloud for Social Business. Besides layout changes and notes about the URL used to access the service, IBM is finally adding support for the Microsoft Office connectors and the Windows Explorer connector so that, using "click to cloud", users may save, open and edit Office documents and other files directly from SmartCloud. This is of course a big win for users and a byproduct of IBM transitioning the SmartCloud offering to use more and more of the stock, on-premises, IBM Connections product. But this should still have been delivered before. Another byproduct is support for the media gallery and for mobile using the IBM Connections app from the Appstore.
For me as a SmartCloud Sametime user the most important thing is IBM allowing the use of the screen capture tool and file transfer in chat. FINALLY!!!!! These "advanced" capabilities are *long* overdue and will be a welcome addition to the service. Why this has taken so long is beyond me but great to finally see it added. Now we *just* need IBM to also add IBM Sametime Proxy support so webchat and chat from the iOS app will be supported. Hoping this won't take as long as adding something as simple as file transfer and screen capture has.
Oh and IBM is yanking support for Microsoft IE 7.
For the full list of changes see the release notes (requires a SmartCloud for Social Business login). There are restrictions to the availability of these additions which are outlined in the release notes.
System user in IBM Connections activity stream needs to change
The other day I noticed an event in my activity stream for an activity that is about to be auto completed due to inactivity as shown in the screenshot below. There was no profile picture for this user so my first comment was "Hmmmmmm...." as all users posting to the activity stream in Connections must be in Profiles and hence would have a profile picture (in our environment).
actor: {
  objectType: "person",
  id: "urn:lsid:lconn.ibm.com:profiles.person:SYSTEM",
  displayName: "SYSTEM"
}
Looking further into the matter by looking at the stream feed revealed that the actor ID was set to urn:lsid:lconn.ibm.com:profiles.person:SYSTEM. Even more hmmmmm..... This user was definitely not in Profiles so I sent my "Crazy activity stream question of the day™" to a contact at IBM and all was revealed. It turns out that this is a shortcut / workaround that was implemented for this particular purpose which they know is a hack. Unfortunately there is no way to change the user posting these events or set the profile picture of the user. This is really too bad and something that I hope is rectified in a future version.
To learn more about the activity stream and how to work with it I humbly recommend my "An Introduction to Working With the Activity Stream" presentation on SlideShare.
IBM Connect Japan 2013: Exhibition and Session Information
This week OnTime is back in Tokyo spending time with our very good partner Axcel Corp. Besides customer meetings we are going to the IBM Connect 2013 Japan tomorrow Thursday where OnTime have a session and my boss Jens is giving the introduction in Japanese. It's going to be great.
Presentation from ISBG: An Introduction to Working With the Activity Stream
Below is my slide deck from my Activity Stream presentation at ISBG.
Authentication vs. Authorization
Whenever I talk to customers and partners about single-sign-on (SSO) and the concepts of "authentication" I'm quite often baffled by the level of misunderstanding, misconception and lack of knowledge about just how "authentication" works. Now the reason I put "authentication" in quotes is that when we talk about authentication it's really not just authentication we're talking about. When we talk about confirming the identity of a user and confirming that the user is allowed to access a given resource we actually talk about two related concepts which are always performed - 1) authentication and 2) authorization.
Authentication is the process by which we authenticate the user i.e. find out that the user is authentic and is who he or she claims he or she is. This is most often done using a username and a password but there are numerous ways of doing this. The authentication step is most often followed immediately by authorizing the user to perform a certain task or access a certain resource. A user may be authenticated but not authorized i.e. we know who the user is with certainty but the user is not allowed to perform the operation or access the resource he or she set out to perform or access. A user may also be authorized without being authenticated in which case we allow a non-authenticated user (e.g. Anonymous in IBM Domino) to have certain rights in the system. The latter is the case where an Anonymous user is allowed to open a database, browse a web site etc.
The failure to distinguish between these two steps can lead to a lot of SSO issues and errors not being easily understood and/or debugged. Consider the case where a user signs into System A (i.e. authenticates and the user account is authorized to perform the task at hand) and then moves on to System B to access another resource or perform a task which the user is "suddenly" unable to perform. Why? The user was able to work in System A so why not in System B?
This is the time where the person debugging this should stop and think...
Is the reason not because the user isn't authenticated but because he or she isn't authorized? Could it be that the user is authenticated both by System A and System B but that System B wasn't able to authorize the user? Maybe because the username was in another format or the particular username permutation not listed in the ACL or group authorizing the user to work in System B. Knowing about the steps performed can make it a lot easier (or just possible) to diagnose.
Using a good old Notes database with a wide open ACL and a simple page displaying the username of the current user (i.e. using @UserName in a piece of computed text) can make all the difference. It easily shows issues with the user being known by an LDAP username (e.g. cn=Mikkel Flindt Heisterberg,ou=Users,dc=intravision,dc=dk) and not by a Domino distinguished name (CN=Mikkel Flindt Heisterberg/O=IntraVision) or SSO not working due to misconfigured domain names, no shared secrets etc. by the user being known as "Anonymous" because the LtpaToken(2) was never sent to the server due to the cookie rules not being fulfilled. Same goes for WebSphere Application Server - a simple WAR based application with a servlet displaying the current username is great for debugging.
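The triage described above can be written down as a small decision procedure. This is an added example, not code from the original post: it takes the name the "who am I" page on System B displays and classifies the failure as an authentication or an authorization problem. The host names, the cookie domain and the one-entry ACL are constructed for illustration, and the name parsing is deliberately simplified.

```python
# Added example: classify an SSO failure on "System B" as an authentication
# or an authorization problem. Hosts, cookie domain and ACL are constructed.

def common_name(name):
    """Lower-cased CN of an LDAP DN or a Domino canonical name.
    Simplified: CN is the first component and has no escaped separators."""
    sep = "/" if "/" in name else ","
    first = name.split(sep, 1)[0].strip()
    return first[3:].lower() if first.lower().startswith("cn=") else first.lower()

def cookie_sent(cookie_domain, host):
    """Cookie domain-match rule: the token cookie only goes to hosts in its domain."""
    domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == domain or host.endswith("." + domain)

def diagnose(seen_as, acl, cookie_domain, host):
    """seen_as is what the 'who am I' page on System B displays."""
    if seen_as.strip().lower() == "anonymous":
        # Not authenticated at all: either the token never arrived or it was rejected.
        if not cookie_sent(cookie_domain, host):
            return ("authentication", "token cookie never sent to this host")
        return ("authentication", "cookie domain covers host; check shared secret")
    if seen_as.lower() in [entry.lower() for entry in acl]:
        return ("ok", "authenticated and authorized")
    # Authenticated, but is the same person listed under another name format?
    if common_name(seen_as) in {common_name(entry) for entry in acl}:
        return ("authorization", "known user, name format not in ACL")
    return ("authorization", "user not listed in ACL")

ACL = ["CN=Mikkel Flindt Heisterberg/O=IntraVision"]
LDAP_NAME = "cn=Mikkel Flindt Heisterberg,ou=Users,dc=intravision,dc=dk"

if __name__ == "__main__":
    cases = [
        (LDAP_NAME, "b.example.com"),    # authenticated under the LDAP name
        ("Anonymous", "b.example.net"),  # host outside the cookie domain
        ("Anonymous", "b.example.com"),  # cookie in scope but user still Anonymous
        (ACL[0], "b.example.com"),       # name matches the ACL entry
    ]
    for seen_as, host in cases:
        print(host, "|", seen_as, "->", diagnose(seen_as, ACL, ".example.com", host))
```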
Hope it clarifies matters and is helpful to someone.




