IdP as quasi-portal?
Simon Lundström
simlu at su.se
Tue Oct 19 09:33:46 UTC 2021
Hey David!
Like Greg we had a Javascript-based RSS reader which read from our
status information site.
I can't remember why but we removed the Javascript RSS reader and
replaced it with a cronjob on our IDPs which writes a Velocity template
that is included in login.vm. Works very well for us.
I don't think we've ever had a request or idea to add something other
than status information on it. Though our status page includes ongoing
"hacking" campaigns against us.
BR,
- Simon
On Tue, 2021-10-19 at 03:32:48 +0200, Greg Haverkamp wrote:
> On Mon, Oct 18, 2021 at 3:17 PM IAM David Bantz <dabantz at alaska.edu> wrote:
> Is your institutional IdP being used to broadcast messages to users in the credential login page?
> If so, how is that working out? Who is allowed to post messages there?
> How have you adapted login to display such messages?
>
> We put a system in place to do this, but it was never used. I was pretty vehemently opposed to it; my argument against it was that users are already too easily distracted by fake login pages. We didn't need to make ours harder for users to verify by plastering (effectively) ads all over the place. In the end, I lost, and we implemented with some Javascript that pulled down one of two types of messages: 1) IT news and notices, or 2) security emergency notices.
>
> In the end, by the time it was implemented, everyone had forgotten about it, and nothing ever got published. Of course, that javascript makes a request to its backend server location on every page request, generating an error if someone is watching the console. Sometime last year, while doing some maintenance on our systems, I just silently shut down that backend server that was serving up the messages and provided the extremely basic editing interface. The only people who were allowed to post there were our deputy CIO, our CISO, and our senior administrative assistant.
>
> Anyhow, we just had a div just under the box that holds our login form. If the xhr calls managed to snag any content, they filled in the messages.
>
> (It was my own fault. On our original login page, of my design -- which is to say, lousy -- I had a bunch of warnings about phishing and the like. The CIO saw that and thought, "Hmm. If we can put up those general notices, we can also advertise our services." Then implementation held off while our creative services office was redesigning the login page. That's probably what kept it from ever being used, since that took months.)
>
> Greg
>
>
>
> David St. Pierre Bantz
> U Alaska
> --
> For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
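
Added example, not code from this thread or from Simon's setup: a Python sketch of a cron-style job like the one described in the first message, which turns RSS item titles into a fragment that a Velocity login template could include, so the login page makes no client-side request. The feed contents, the `status-fragment.vm` file name and the `status-notices` class are assumptions. Feed text is escaped for HTML and for Velocity, so a title containing `$` or `#` cannot be evaluated by the template engine.

```python
import html
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample feed; a real job would fetch it from the status site.
SAMPLE_RSS = """<rss version="2.0"><channel><title>Status</title>
<item><title>Mail: degraded &lt;b&gt;performance&lt;/b&gt;</title></item>
<item><title>#set($x = 1) $x test</title></item>
<item><title>Wi-Fi maintenance 22:00 &amp; onward</title></item>
</channel></rss>"""


def neutralize(text):
    """Make feed text inert for both the browser and the Velocity engine."""
    text = html.escape(text, quote=False)  # &, <, > become entities
    # '$' starts a Velocity reference and '#' a directive; emit both as HTML
    # named entities so the template engine never sees the raw characters.
    return text.replace("$", "&dollar;").replace("#", "&num;")


def render_status_fragment(rss_xml, max_items=3):
    """Return an HTML list of the first item titles, fully escaped."""
    root = ET.fromstring(rss_xml)
    titles = [(item.findtext("title") or "").strip() for item in root.iter("item")]
    titles = [t[:200] for t in titles if t][:max_items]
    if not titles:
        return ""  # empty fragment: the login page shows nothing
    rows = "\n".join(f"  <li>{neutralize(t)}</li>" for t in titles)
    return f'<ul class="status-notices">\n{rows}\n</ul>\n'


def write_atomically(path, content):
    """Write via temp file and rename so a reader never sees a partial file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(content)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)


if __name__ == "__main__":
    # Hypothetical output path; the real fragment location is site-specific.
    write_atomically("status-fragment.vm", render_status_fragment(SAMPLE_RSS))
```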