| Time |
Nick |
Message |
| 08:18 |
|
sandbergja joined #evergreen |
| 08:19 |
csharp_ |
thatsa lotta commitsa |
| 08:34 |
|
mmorgan joined #evergreen |
| 09:21 |
JBoyer |
To throw a note over the wall in case anyone is still interested, Wasp readers are pretty excellent and last I knew several IN libraries were using them happily with Evergreen. |
| 10:28 |
gmcharlt |
rel_3_16 is now branched |
| 10:34 |
mmorgan |
gmcharlt++ |
| 10:35 |
gmcharlt |
JBoyer: I dunno, their tagline of "Ultra-aggressive barcode scanners" scares me a little ;) |
| 10:36 |
JBoyer |
I was technically stung by a personal purchase. ;) (I thought "Ooh! It speaks bluetooth and I can use it with my laptop!" |
| 10:37 |
JBoyer |
It entered digits so slowly (and had no way to change speed / fix it) that the return process was started within a couple hours. :( |
| 10:37 |
csharp_ |
gmcharlt++ |
| 10:40 |
* mmorgan |
's fingers are working like JBoyer's returned barcode scanner this morning :-/ |
| 10:45 |
|
sandbergja joined #evergreen |
| 11:09 |
pinesol |
News from commits: Update relator codes for 3.16-beta <http://git.evergreen-ils.org/?p=Evergreen.git;a=commitdiff;h=aa55f9801d09212a6987dec9659f48899e579bfa> |
| 11:39 |
pinesol |
News from commits: clear RELEASE_NOTES_NEXT as part of 3.16-beta preparation <http://git.evergreen-ils.org/?p=Evergreen.git;a=commitdiff;h=cb5c0971a634a7a1d8585a427fdcabfb8609ae6b> |
| 12:06 |
|
Christineb joined #evergreen |
| 13:18 |
jeffdavis |
I see staff client SSO was committed (bug 2043040). How does it figure out what SSO settings to use if you don't have a registered workstation? |
| 13:18 |
pinesol |
Launchpad bug 2043040 in Evergreen "wishlist: Single Sign on for Evergreen Staff Client" [Wishlist,Fix committed] https://launchpad.net/bugs/2043040 |
| 14:20 |
gmcharlt |
eeevil can correct if I'm wrong, but I believe that the intended workflow is that the workstation would be registered first using a staff account logging in natively |
| 14:21 |
gmcharlt |
(though in the case of an Evergreen system where one IdP would serve all OUs, the SSO settings can be enabled at the root of the OU tree) |
| 14:33 |
|
Lorne joined #evergreen |
| 15:41 |
eeevil |
gmcharlt and jeffdavis: I will doublecheck, but I /believe/ the staff home_ou will be used to decide which settings to use, and then you'll be forced to the WS reg page. I haven't looked at the details of Bmagic's changes, though. |
| 15:42 |
eeevil |
(but, that's a good reason to leave the "allow native login" enabled for now! ;) ) |
| 15:46 |
eeevil |
well, I've confirmed that ws_ou is set to the home_ou in oils_auth_internal.c if there is no workstation with the login request |
| 15:46 |
eeevil |
but now I have to run ... biaf |
| 15:48 |
Bmagic |
gmcharlt jeffdavis eeevil: the routine, as-is, does require the staff to authenticate with Evergreen using native login/password in order to register the workstation. Once the workstation is registered, Evergreen will "know" that SSO is configured and offer that as the only login method |
| 15:49 |
Bmagic |
Even if Staff SSO was configured at the CONS level, the workstation registration is still a step that requires native authentication. It'd be an improvement if that weren't the case IMO |
| 15:49 |
Bmagic |
we're running that patch on production FYI. There was a wrinkle for libraries that have both patron and staff SSO configured, at the shibboleth level, resolved via my commit at the tip |
| 15:52 |
Bmagic |
It was merged! That's awesome! It could use copious documentation though (for some reason I figured the documentation portion would be added to the branch prior to merge), but I'm happy to have it merged |
| 16:09 |
eeevil |
ah ... it's coming back to me now. the workflow for a brand new workstation is: 1) because there's no WS in the browser, it only offers you native login 2) log in that way, so SOMEONE has to know a native login password at the physical location (good idea generally, I'd say, for a site admin) 3) register the WS 4) log in however you want |
| 16:10 |
eeevil |
IMO, having (at least) one known native staff credential set is not an unreasonable burden |
| 16:21 |
eeevil |
anyway, jeffdavis and gmcharlt, to answer explicitly after looking at the code (and having my memory jogged by Bmagic), yes you have to log in once with a "real" EG credential set first, in order to register a workstation to the browser you're using. once that's done, the WS chosen in the login form (if several) is used to look up the login setup details, which may go as far as "when a WS from here is chosen, just present an SSO login button and |
| 16:21 |
eeevil |
nothing else". but, it depends on which of your WS you select (and you can change the selection) if they're registered for different orgs. |
| 16:23 |
jeffdavis |
thanks, appreciate the explanations |
| 16:24 |
jeffdavis |
seems to me like anyone with REGISTER_WORKSTATION would potentially need native credentials; I can see that getting confusing/complicated |
| 16:25 |
eeevil |
if you expect them to be able to use that power on a blank/new WS, yes! |
| 16:27 |
eeevil |
the "smallest" version of that is a designated on-site admin who knows their "real EG" password, and can register new/wiped computers as workstations. once you have one registered, you can add more at will (permissions allowing) even with SSO-only auth |
| 17:08 |
|
mmorgan left #evergreen |
| 17:43 |
|
stephengwills left #evergreen |
| 23:00 |
|
tsadok joined #evergreen |
| 23:02 |
|
Rogan joined #evergreen |
