Identity Providers to the rescue

The problem: I have to allow outside, non-company users SSO (single sign-on) to a Salesforce Portal, and I don’t know how to do this.

These users are external to the company and are not in any repository in the company; they exist only in Salesforce as portal users. How can I make this work?

First, about the requirements. These users are people we do business with, and the portal is a website Salesforce lets us create to expose data and reports the way we wish. We provide these partners with the tools and data they need while keeping them out of our Salesforce Org, since they are not part of the company.

Our company uses Microsoft’s Active Directory to manage users and credentials. We SSO into our Orgs using AD plus ADFS (Active Directory Federation Services), which together act as our IdP (identity provider). It works well and was easy to set up in Salesforce.

Second, the portal users are known to our Salesforce Org but not to our company. The company has a firm rule, emanating from our security folks, that only company employees and contractors are permitted in our AD. Fine.

Third, SSO requires that a user, the principal, be known to something that provides identity (the operating system, or an application coupled with an IdP) and then signs onto SSO-compliant SPs (service providers), which in this case is the Salesforce portal. But our partners log into their own computers in their own businesses, possibly with their own ADs but more likely not. They just have small local networks they sign into, and there is no IdP on their end. That is the problem in a nutshell: they log into their own networks, which are unknown to us. We simply do not have an identity for them that we know about.

What do we do to accomplish our goal?

The answer is that we need to rethink our IdP and find another architecture that works. This article provides the solution.

What’s really interesting is that there are many products out there that can be used; until I was confronted with this requirement I had no idea how many there are.

Here’s a picture of what we have right now.

Two identity needs, one solved by identity provider, the other not

We have two authentication paths: Salesforce, authenticated by ADFS for internal users, and the Salesforce Portal, authenticated with a Salesforce username and password.

SSO for both paths is simple and requires two more products and some work. It never used to be this simple, but it is now. We add an IdP and a private database to handle the external-user case. This solves the problem at hand and possibly other related problems, explained shortly. First, how does this solve our problem?


All SSO clients talk to one, new identity provider

identity provider consolidation



What do we use for the IdP? This really surprised me. There are quite a few IdP products, both commercial and open source. Wikipedia has a lovely article with an enormous list of SAML IdP products alone.

Two examples of open source products are SimpleSAMLphp and Shibboleth. Don’t you love the names?

SimpleSAMLphp is a set of PHP scripts implementing both an IdP and an SP. If it works, WOW.

Shibboleth comes in two flavors, an IdP and an SP. WOW again.

Commercially you have a product like Entrust’s IdentityGuard.

The differences between commercial and open source products can be significant. Commercial products tend to enlarge the boundaries of the problems they solve: IdentityGuard can handle a large variety of credential repositories, making it easy for it to take on all Identity Provider roles. Open source products tend to be more surgical, taking on core needs only. With that said, the array of products is astounding.

So in this case we put the IdP in front of ADFS for internal user identity and in front of a database for external user identity. That database now holds credentials for people outside the company, so it deserves the same care as AD: store only salted password hashes, and make sure an external record can never be mistaken for an internal one (for example, never let a partner account carry a company e-mail domain).
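What the split looks like in code, as an added example that is not part of the original post: a toy "broker" IdP that sends company-domain users to a stand-in for ADFS and everyone else to a private partner credential store. The class names (BrokerIdP, PartnerStore, InternalDirectory), the sample accounts and the PBKDF2 iteration count are this example’s own assumptions; a real deployment would redirect the browser to ADFS and issue SAML assertions to the SPs rather than call Python methods. The two rules worth taking away are visible here: the partner store keeps only salted hashes, and a company domain is never answered by the partner store.

```python
"""Added example (not from the original post): a broker IdP with two
authentication sources, as the article proposes. All names and sample
accounts below are invented for illustration."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

PBKDF2_ITERATIONS = 100_000  # assumption: raise until one verify costs ~100 ms


class PartnerStore:
    """Private database for external (portal) users.

    Only a per-user random salt and a PBKDF2-SHA256 hash are kept, so a
    dump of this table does not hand out partner passwords."""

    def __init__(self) -> None:
        self._rows: Dict[str, Tuple[bytes, bytes]] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, PBKDF2_ITERATIONS)

    def add_user(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self._rows[email.lower()] = (salt, self._hash(password, salt))

    def verify(self, email: str, password: str) -> bool:
        row = self._rows.get(email.lower())
        if row is None:
            # Unknown user: do the same work as a real check so response
            # time does not reveal which e-mails exist in the store.
            self._hash(password, b"\x00" * 16)
            return False
        salt, expected = row
        return hmac.compare_digest(self._hash(password, salt), expected)


class InternalDirectory:
    """Stand-in for AD/ADFS. In production the broker never sees the
    employee password, only the assertion ADFS returns after its own login."""

    def __init__(self, accounts: Dict[str, str]) -> None:
        self._accounts = {k.lower(): v for k, v in accounts.items()}

    def verify(self, upn: str, password: str) -> bool:
        stored = self._accounts.get(upn.lower())
        if stored is None:
            return False
        return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))


class BrokerIdP:
    """The single IdP every SP trusts. Company e-mail domains are answered
    only by ADFS; everything else is answered only by the partner store."""

    def __init__(self, company_domains: Set[str], internal: InternalDirectory,
                 partners: PartnerStore) -> None:
        self.company_domains = {d.lower() for d in company_domains}
        self.internal = internal
        self.partners = partners

    def _is_company(self, username: str) -> bool:
        return username.rpartition("@")[2].lower() in self.company_domains

    def provision_partner(self, email: str, password: str) -> None:
        # A partner record must never be able to impersonate an employee,
        # so company-domain addresses cannot be created in the partner store.
        if "@" not in email or self._is_company(email):
            raise ValueError(f"refusing to create partner account for {email!r}")
        self.partners.add_user(email, password)

    def authenticate(self, username: str, password: str) -> Optional[Dict[str, object]]:
        """Return the attributes the IdP would assert to the SP, or None."""
        if self._is_company(username):
            source, ok = "adfs", self.internal.verify(username, password)
        else:
            source, ok = "partner-db", self.partners.verify(username, password)
        if not ok:
            return None
        return {"subject": username.lower(), "source": source,
                "is_employee": source == "adfs"}


def build_demo_broker() -> BrokerIdP:
    """Constructed sample data for this example: one employee, one partner."""
    internal = InternalDirectory({"alice@example.com": "correct horse"})
    broker = BrokerIdP({"example.com"}, internal, PartnerStore())
    broker.provision_partner("bob@partner.example", "battery staple")
    return broker


if __name__ == "__main__":
    b = build_demo_broker()
    print(b.authenticate("alice@example.com", "correct horse"))
    print(b.authenticate("bob@partner.example", "battery staple"))
    print(b.authenticate("bob@partner.example", "wrong"))
```

The routing decision is made on the e-mail domain before either source is consulted, so even a partner who somehow registered an employee-looking address would be sent to ADFS, where that account does not exist, rather than to the partner table.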

Opening the door for more solutions

Consolidating all IdP activity behind one IdP product, commercial or open source, lets you build all your future solutions on this architecture. Seems like a no-brainer, doesn’t it? Well, you might miss this, so let’s discuss it a bit more.

First, you can shape the programmatic interface to this IdP using your favorite stack. So if you’re a Java house, a .NET house or something else, you’ll develop code and libraries talking to this one IdP rather than to two or more. This simplifies things today and down the road.

Second, you steer the next SSO requirement toward this architecture rather than creating another point solution. Suppose you wanted to connect Salesforce or some other application to an internal web app and SSO from the external app, Salesforce, into the internal app. What would you do? Before this you’d be searching for an IdP solution just for it. Now you think in terms of this architecture and plan the solution so that you SSO using this IdP.

If this IdP product supports at least one well-known, widely used protocol like SAML 2.0, you should be in good shape for some time relying on it. You not only use the IdP product as a solution component; you also develop code and processes to take full advantage of this consolidated architecture. The flip side of consolidation is concentration: the IdP’s signing key and its sessions now unlock every SP behind it, so that one system has to be patched, monitored and key-rotated as carefully as the AD it fronts.

You will develop code to provision new service providers, manage both internal and external user credentials, and manage how processes use this product. There is a lot of opportunity to simplify your code base, because you’ve moved SSO and identity from tactical point solutions (ADFS SSO for internal users, username/password for external users) to one strategic enterprise solution (SSO for all).

What next?

I may implement a reference architecture just to show everyone that this is right and doable. That remains to be seen. For now, I just introduce the concept to you and hope it helps shape your thinking.

Share your thoughts in comments. Cheers!




Salesforce Scripting

Don’t have a name for it yet, and every project deserves a name.
The company, Salesforce, has not provided a means to script management or administrative functions.

Perhaps they think it’s not needed, perhaps they are remaining agnostic waiting for others to do it, or perhaps they think it worthwhile but have not decided what to do.

I don’t know. I don’t care.

I’m working on a scripting package or toolkit, written in Python and based on the simple_salesforce GitHub project. simple_salesforce is a low-level kit that needs abstractions. I’m just the guy to do this.

Stay tuned…

Fox’s point system works for idea extraction too

Jeff Fox book cover for how to become a rainmaker

Jeffrey Fox wrote a number of excellent books on business. The first, and perhaps one of the best, is How to Become a Rainmaker. The book is strategy after strategy for making yourself a top-notch salesperson. To keep yourself doing what’s important, he offered a point system. Fulfill the system and you’ll “never run out of prospects, your pipeline will always be full, you will never have a slow period, and you will always be making rain”. Pure gold. Here are the points:

  1. Get a lead, a referral or an introduction to a decision maker.
  2. Get an appointment to meet with a decision maker.
  3. Meet the decision maker face to face.
  4. Get a commitment to close, or an action leading to a close.

Work to get 4 points/day. Any way. Example: Get 2 leads or referrals and get 1 appointment (1 + 1 + 2 = 4).

If you’re selling, it’s a great book. Get it. Read it. Study it. Implement it.

If you’re doing IE (idea extraction), this point system is not aligned with what you’re doing. However, we can adjust it in two ways: first, for when you can do IE full time, and second, for when you only have an hour or two a day.

IE version if you have the whole day

  1. Get a lead, a referral to a decision maker in your niche
  2. Speak to the prospect
  3. Do IE with the prospect
  4. Find a deep pain

IE version if you have an hour a day

  1. Get 20 leads to call
  2. Make calls until you speak with a decision maker
  3. Do IE with a prospect
  4. Find a deep pain

In both cases, seek to get 4 points a day at a minimum. Any combination will do, but you cannot just do step 1 four times every day. It’s simple: you have to speak with prospects and take action.

Try this point system and see if your IE doesn’t improve.

Shutting down Apache on Mac Mountain Lion is not easy

Mountain Lion (OS X 10.8) is at this time the newest version of the Mac OS, and the changes to the Apache web server that ships with it have led many bloggers to misinform readers about controlling the server. Let’s set the record straight.

You want to shut Apache down for two reasons: so that you can edit or replace your web site/app files with nothing mid-request (contrary to common belief, httpd on OS X, like any Unix Apache, does not lock the static files it serves, so this is about consistency rather than locks), and so that you can launch Apache in single-process mode for easier debugging. To start it up consuming one process you first have to shut it down. These are both good reasons, and this article shows you how to shut it down.

Blog after blog says that to shut it down you use apachectl:

sudo apachectl stop

Well, this doesn’t work on Mountain Lion.

As it turns out, Apache is started by a launchd job, and launchd restarts the stopped httpd. To stop Apache you have to unload that job.

sudo launchctl unload /System/Library/LaunchDaemons/org.apache.httpd.plist

launchctl lives in /bin and is on the default PATH; the argument is the full path to the job’s plist (the original command only worked because the shell was already sitting in /System/Library/LaunchDaemons). Add -w if you also want the job to stay unloaded across reboots, and use launchctl load with the same path to bring it back.

To verify that you’ve stopped Apache, use ps and grep:

ps -ax | grep -i httpd

The one line you will always see is the grep command itself (ps lists it because it is running at the same moment as ps). If you issue this several times in a row and that grep line is the only one returned, you have successfully stopped the daemon.

Then, to start a single-process Apache in the foreground (-X keeps it attached to your terminal, so run it in its own window and stop it with Ctrl-C):

sudo /usr/sbin/httpd -k start -X -f /etc/apache2/httpd.conf

Once again use the ps and grep command line and you’ll see

/System/Library/LaunchDaemons: ps -ax | grep -i httpd
 6098 ttys002 0:00.00 grep -i httpd
 6094 ttys003 0:00.02 sudo /usr/sbin/httpd -k start -X -f /etc/apache2/httpd.conf
 6095 ttys003 0:00.17 /usr/sbin/httpd -k start -X -f /etc/apache2/httpd.conf

Finding this out took considerable time; many blogs say it’s just apachectl, and it’s not. Hope this helps.


Ubuntu 11.04 boot hung on the splash screen, here’s the fix

Last night all was well with my Ubuntu laptop and I shut it down as normal. This morning it hung on boot at the splash screen with 5 dots lit up. Reading posts here and there suggested I should just let the machine cook for 15 minutes or so (something like Windows and its pre-boot installation of updates). So I left it alone for an hour and saw no improvement. Almost from the point of the splash screen the disk activity indicator slowed to once or so a minute for the entire hour. Nothing was happening, and waiting any longer would have been pointless.

I read up on the GRUB recovery mode, jumped into the GRUB menu (hold the Shift key down while booting), selected Recovery Mode, and in the console hit Ctrl-D to get to the login prompt.

There I tried a few things, always suspecting it was the monitor/X server/display. Something about the display kept gnawing at me, but I cannot say what it was.

I hit upon a writeup that showed this:

Booted into recovery mode and logged in on command line.

Checked everything was up to date, reinstalled gdm and xorg:
$ sudo apt-get update && sudo apt-get upgrade
$ sudo apt-get install --reinstall gdm xorg

Removed xorg.conf so that a new one was created upon boot:
$ sudo mv /etc/X11/xorg.conf /etc/X11/xorg.conf.faulty
$ sudo reboot

This did work, and after rebooting the only issue was that I didn’t have the right display (NVidia) driver. It just so happened that a system update brought in the latest kernel changes and coincidentally gave me the right driver. I had to seek no further.

This took over 4 hours of my time to fix.

Remember what you did a few days ago on your Linux computer

I am busy like most people throughout the day and switch tasks often. Taking good notes during my work is tedious, and there are times when I forget or cannot, and I lose knowledge that way. I lose the steps leading to solutions, I forget to record an item for billing purposes, or I need to verify how long I spent doing something. What I want is some way to automatically take a snapshot of my monitor screen(s), producing a time-stamped image. There are solutions for Windows and for Mac, but none that I found for Linux.

Shots folder

First, there’s a top-level folder I call shots (as in snapshot) that holds all the folders for each day’s worth of images. The location and name of this folder can be changed in the script. I keep it in my home folder for convenience.

Folder holding daily folders of images

Daily folders
Each day the script checks for a folder to hold the images and creates it if it doesn’t exist. The name of the daily folder is the date. Over time these folders will accumulate and take up valuable disk space. You should delete the oldest of them as a matter of good disk hygiene. Then again, the script could be modified to search for folders older than a configurable number of days and remove the images and the folders.

Folders created every day containing images
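The retention modification suggested above, as an added example that is not part of the original post: a small Python pruner that removes daily folders older than a configurable number of days. The shots/YYYY-MM-DD layout follows the post; the function names, the 30-day default and the sample tree built in demo() are this example’s own. It only ever deletes whole YYYY-MM-DD directories directly under the shots folder, so a stray file or a mistyped path cannot turn it into a general-purpose rm -rf.

```python
"""Added example (not from the original post): prune daily 'shots'
folders once they are older than keep_days. Names below are invented."""
import datetime as dt
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

DATE_FMT = "%Y-%m-%d"  # the daily folder name the post's script uses


def daily_folder_date(path: Path) -> Optional[dt.date]:
    """Date encoded in a daily folder's name, or None for anything that is
    not a YYYY-MM-DD directory, so stray files are never touched."""
    if not path.is_dir():
        return None
    try:
        return dt.datetime.strptime(path.name, DATE_FMT).date()
    except ValueError:
        return None


def folders_to_prune(shots: Path, keep_days: int, today: dt.date) -> List[Path]:
    """Daily folders strictly older than the retention window, oldest first."""
    cutoff = today - dt.timedelta(days=keep_days)
    return sorted(p for p in shots.iterdir()
                  if (d := daily_folder_date(p)) is not None and d < cutoff)


def prune(shots: Path, keep_days: int = 30, today: Optional[dt.date] = None,
          dry_run: bool = False) -> List[Path]:
    """Delete (or with dry_run just report) expired daily folders.

    Only whole YYYY-MM-DD directories directly under `shots` are removed;
    nothing above or beside them is ever considered."""
    if keep_days < 1:
        raise ValueError("keep_days must be at least 1")
    today = today or dt.date.today()
    victims = folders_to_prune(shots, keep_days, today)
    if not dry_run:
        for victim in victims:
            shutil.rmtree(victim)
    return victims


def demo() -> Dict[str, List[str]]:
    """Build a constructed sample tree in a temp dir, prune it with a fixed
    'today' of 2012-07-24 and a 7-day window, and report the outcome."""
    root = Path(tempfile.mkdtemp(prefix="shots-demo-"))
    try:
        for name in ("2012-06-30", "2012-07-10", "2012-07-20", "2012-07-24"):
            (root / name).mkdir()
            (root / name / "shot.png").write_bytes(b"")  # stand-in for a capture
        (root / "notes.txt").write_text("not a daily folder")  # must be left alone
        removed = prune(root, keep_days=7, today=dt.date(2012, 7, 24))
        return {"removed": [p.name for p in removed],
                "kept": sorted(p.name for p in root.iterdir())}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / "shots"
    for gone in prune(target, keep_days=30):
        print("removed", gone)
```

Run it once a day from cron (or call prune at the top of the capture script) with dry_run=True first to see what would go; because the screenshots record whatever was on screen, a short retention window is also a data-minimization measure, not just disk hygiene.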

Desktop images are snapped by the current script every 300 seconds (5 minutes) and dropped into the daily folder inside the shots folder. scrot is configurable from the command line, giving you the ability to reduce image resolution, for instance, thereby reducing the size (and clarity) of the images if that’s a concern. Remember that these images capture whatever is on screen, passwords, private messages and all, so keep the shots folder readable only by you and out of shared or synced locations.

Inside a daily folder

scrot has other configurable parameters, so read the man page at least.

Here’s how you solve this in Linux. The recipe is simple:

  • 1 – screen capture utility
  • 1 – shell script

To fulfill the first item, what we need is a simple screen capture utility that takes a snapshot every so often and places the image in a known location. So there’s a single folder containing date-stamped folders, and each date-stamped folder contains date- and time-stamped images. How do we do this? There are several utilities and applications in the Linux world that can take screen captures. A simple, free one that does the job more than adequately is scrot. For Ubuntu:

sudo apt-get install scrot

scrot takes a screen capture, labels it with the date and time and moves it into a known directory. It’s done this way:

scrot '%Y-%m-%d_%H:%M:%S_$wx$h.png' -e 'mv $f '"$DIRECTORY"

Where $DIRECTORY is the path to a directory of your choosing.

Executing this command line yields a file named from that pattern (date, time, and width x height), so a shot taken on 7/24/2012 at 6:54 on a 1600×900 display produces a 1600×900 pixel PNG file with that date and time in its name.

This works well. The next and final thing in our recipe is a shell script that periodically executes this command and changes the date stamp each day. Here’s the bash shell script:

#!/bin/bash
# SHOTS - top-level folder holding one sub-folder per day; ours is ~/shots.
# DIRECTORY - today's folder, SHOTS/YYYY-MM-DD, recomputed on every pass
#             so the script rolls over to a new folder at midnight.
SHOTS="$HOME/shots"
# Repeat forever.
while true; do
    TODAY=$(date +"%Y-%m-%d")
    DIRECTORY="$SHOTS/$TODAY"
    # If today's directory does not exist, create it, readable only by us:
    # the shots record whatever was on screen.
    if [ ! -d "$DIRECTORY" ]; then
        mkdir -p -m 700 "$DIRECTORY"
    fi
    # Take a shot, name it with a timestamp and move it into today's folder.
    scrot '%Y-%m-%d_%H:%M:%S_$wx$h.png' -e 'mv $f '"$DIRECTORY"
    # Wait five minutes and do it again.
    sleep 5m
done

This script can be set up to run automatically when you log in, or run manually; your choice.


Keep your camera updated

I got a new feature on my digital camera by updating its firmware; who knew you could update the camera?

It never dawned on me that my DSLR camera from Samsung would, or even could, be updated like my fancy mobile phone or my laptop computer. It never dawned on me, but as I found out it can be, and it was a pleasant surprise to boot.

I’ve had a Samsung NX10 for almost a year and a half and have enjoyed it immensely. I have no real complaints except for the absence of a way to shoot panoramic scenes. It’s not a big deal; I have a way to create panoramas from discrete photos with a Windows program called Hugin, which works great. Still, there are times when I’d just like to take those shots and be done with it.

I went on the Samsung site and drilled down from the NX10 page to the downloads page to the firmware page. I found the latest firmware and the installation guide. The guide was as simple as I expected it to be: obtain the firmware and have the camera apply it. After a minute the camera was updated, and on turning the mode dial to SCENE I saw panorama mode with instructions on the screen. The instructions said basically shoot and move the camera; I clicked the shutter button and moved the camera slowly left to right, surveying the room. The camera took perhaps 8 shots, ending when I clicked the button again. Hitting the review button I saw the stitched-together long photo and felt a moment of satisfaction, knowing that I now had another tool in my little toolshed. The picture was really quite impressive, and so is upgrading the firmware of the camera.

Have a digital camera? See if it can be updated; you’ll appreciate it.

Rooting my Asus Transformer (TF101) and one of those scary moments

Rooting a new tablet can be scary (what if I brick it?), so finding a set of instructions that worked the first time is key, and that’s what I present for the Asus Transformer TF101.

I’ve put off getting a tablet until now, and for someone who works at being up to date with technology this was difficult, to say the least. The Asus Transformer was the tablet to get given performance and price. I’ll leave others to argue the pros and cons; for me this was a good choice.

One thing though: root access is required for some of the functions my tablet would undertake. An example is running a video player on the tablet pulling a ripped DVD from a remote server on my LAN. The remote server has a disk carrying my ripped DVDs (I rip my own DVDs so that I can do just this, watch them from my PC or tablet remotely). The server needs to be a device that Linux (Android, if you will) can access, and mounting devices that are not already under /dev and /mnt requires root access.

Googling around a bit I found the XDA-Developers forums which had a number of articles/videos explaining how to root the tablet.

These are the resources I used:

Video instructions
A list of resources from XDA-DEVELOPER
The Revolution HD Rom you could use to replace the stock Rom.

I followed the video instructions, reviewed the other resources I’ve just pointed you to, and found that it worked wonderfully well.

I didn’t try the Rom and include it here for reference and as a possible future assignment for myself.

Bottom line: this really did work, and worked well. I now have root access, and it has allowed me to do just what I pointed out: set up a mount point to the remote drive and play DVDs over my wireless right on my tablet.

Stopping Skype’s HOME window from opening

So you log into Skype every time your PC starts, and that darn HOME window appears too. All you want is your contacts list, but there’s that window. I was wondering how to stop it, and the options Skype makes available don’t seem to have a way to turn it off. Well, the guy in this blog entry described just how to do it, and it works well. I am repeating it here for simplicity’s sake:

1. Close Skype
2. Go to c:\users\YOUR USER NAME\AppData\roaming\skype\shared_dynco
3. Open the file dc.db in Notepad, delete its contents, save and close
4. In the dc.db file properties, set it to read-only and confirm
5. Go back up one folder and into shared_httpfe
6. Repeat steps 3 and 4 for the file queue.db

Don’t forget, make these empty files read-only.

Web surprise – the long tail for paper notebook lovers

I am always so surprised when I find that other people enjoy or love the same things I do, and notebooks are my surprise for the day.

I currently write in a Gibson Markings notebook that I bought from Staples on sale, and I bought a few more at that price for the future. Noodling around the web today looking for sellers of these fine little notebooks, I stumbled on a few websites devoted to finding the perfect little notebook. Sites, as in more than one? Yes, that’s right: there is a whole slew of sites devoted to this one topic. The long tail strikes again.

Here are a few of the sites; each has reviews, generally with pictures, of a myriad of small notebooks.

My wonder never ceases; the net really allows people to bring their interests into public view. I am amazed.