Registration & Login Now Available #admin

Update, Thursday 1 August 2019:

Logins and new user registration are available only through the Keycloak SSO interface. Clicking a WordPress “login” link will redirect you to the Keycloak interface. New users should find the “register” link beneath the login form. For the time being, a valid email account is required as part of the initial registration and two-factor authentication (via Google Authenticator, Authy, etc.) is required for subsequent logins. As we experiment with adding services, expect those requirements to be reduced.


This website is present for information and for a bit of experimentation. Information comes first, of course, and while we were tweaking it a bit, we locked out the ability to register and to login, which in turn blocked the ability to comment and so forth.

Yesterday, I turned on the registration in two ways:

  1. Basic, WordPress-native user registration and subsequent logins are enabled.
  2. Login and registration via a Keycloak single sign on (SSO) package is also enabled.

If you register first with the “Sanctuary IdP” SSO server, the WordPress account will be created from your SSO data. If you register first with WordPress and follow up with the SSO, you’ll be prompted to link the two accounts. At this time, both logins require you to verify your email account. The second login to the SSO account will require you to set up 2FA TOTP (Google Authenticator or Authy, for example).

In essence, it should give an experience similar to “Sign in with Google / Facebook / Twitter / …”: If you’re good with them (i.e., you’re logged in with them), you’re good with us.

Here is the “experimentation” part, though: Over time, I want that SSO registration to create an internal email account that users can use rather than having to verify one of their own. That will be part of rolling out related test services. The WordPress website will consider enrollment in the SSO as sufficient to authenticate you — something less than a “WordPress verified email.”

It’s a start! In the meantime, feel free to create accounts and comment. 🙂

Handicapped #usecase

This one feels a little off-topic when thinking “sanctuary,” but it does go toward motivations and theme.

I have a son with Duchenne Muscular Dystrophy (DMD). Duchenne’s is a genetic, neuromuscular disorder characterized by “muscle wasting.” He was diagnosed at age seven, and by age ten he was wheelchair-bound.

My son doesn’t get out too much. Part of that is logistics and part of that is “creature comforts:” the boy is surrounded by all of his needs at home, including computers, tablets, game systems, and so forth. Given email, Facebook chat, Google Hangouts, Skype, and everything else, he can reach the rest of the world when he’s so inclined. The one item he does not have is a cellphone. From my point of view, those things are crazy expensive, particularly given a kid who is not fond of leaving the house! Plus, when he is out & about, he’s generally with family members who have their own cellphones to stay in touch.

That did leave three holes, though:

  1. He was missing out on having his own private telephone number for chats with friends;
  2. He did not have ordinary text messaging normally associated with cellphones; and,
  3. He did not have an immediate way to get in touch with us if he needed us — and vice versa. That meant someone else always had to be in earshot of him and not so over-tired as to sleep through his calling out.

The solution I settled on was to install an office VoIP phone system in our house — one I installed myself.

That sounds daunting, and, like most things, it is or it isn’t depending on your skills and experience. When deploying a system for a business with guaranteed uptime and call quality, large numbers of desk phones and tabletop polycomms, and so forth, there can be a significant effort. For a small deployment in your house, it’s much more manageable. In our case, I run an instance of FreePBX in a virtual machine on my network. There is a separate VLAN for all phone traffic, servicing a few SIP desk phones as well as a small base station handling cordless DECT phones. One of those DECT phones sits next to my son. I have a handful of SIP telephone numbers for different projects, and one of those numbers is assigned to my son’s phone. He can make and receive calls with family and friends like anyone else, and like others his unanswered calls go to his own voicemail.

Inside the house, we have our own easy-to-dial extensions that don’t leave the house — that is unless he can’t reach us. For instance, my extension rings at my desk and my DECT phone; if I don’t answer, he can leave a message or press a button to try my cellphone. My daughter has a “virtual extension” so when my son dials that extension, it forwards directly to my daughter’s cellphone. And, just in case, there’s even one extension that rings us all in a ring group.

Similarly, we can call him with a hard-to-ignore ringing.

In addition to the physical phones, naturally there are free softphone clients that run on desktops / laptops on the network. When away, they run surprisingly fine through a VPN.

There is of course no cost for calls inside the system; calls that leave cost around maybe $0.01 per minute — negligible for a kid who doesn’t chat much, and nearly free when compared with the cost of a cellphone for the same.

Text messaging and MMS (texts with pictures) was another story. For that, the VoIP provider offers an API for your software. It’s been an adventure, but I did write some software, and now I have in-house software running that lets us text live, inbound and outbound, through a web browser. It’s a start!

Overall, this project had an immediate and profound impact on the entire family’s dynamic and outperformed other solutions such as Amazon Alexa’s “drop in” feature. How could it help other handicapped folks? The elderly? The physically separated? Imagination is the only limit.

The moral of the story? A lot of the work we do for commercial clients can be repurposed to help folks in need. You don’t have to be a charity to help: Charge a commercial client one dollar more if you have to; spend it doing the same work for people in need.

Threatened #usecase

When considering any system, it’s sensible to get a firm grasp on how the system will be used. This clarifying exercise helps define the bigger picture and put everyone on the same page. Here’s a first stab at a “use case” for Sanctuary IdP. We’ll see how that may boil down to requirements for our system.

An individual arrives at our facility. She’s afraid her significant other has been gaslighting her, giving hints that her conversations have not been as private as she thought. She needs a safe haven and people to talk to. She needs to know that she’s not losing her mind, since it’s quite possible her phone and her laptop have been compromised. She needs a private phone line to communicate with her friends and perhaps a lawyer or police, and she needs access to a phone on site not previously attributed to her. She needs voicemail to retrieve missed messages when she returns to the safe phones. Text messaging may be important, even if only from the facility. She needs a separate email account right away that will persist through her ordeal, perhaps clean file storage for documents, and she needs a clean computer to use to access that account, at least while at the facility.

If in fact the technology she uses is targeted, then so may be the facility’s tech. It must be solid and secure to keep her, staff, and others, safe.

While our use case has threat and intrigue, when viewed dispassionately, the underlying basic technical requirements don’t seem to vary too much from those to set up a small-to-medium-sized business office. Differences may include the need for heightened security and perhaps a sensitivity to cost and the system’s physical footprint.

We’ll work through those soon. In the meantime, can we imagine other “use cases” — scenarios that we might want to address?


I remember days settling in with one of the public terminals, logging into Twitter, and making a simple post: “#sanctuary”. For my very few followers in-the-know, it was an indicator that I was at the local public library getting some work done and available for distraction.

The hashtag carried a heavier substance, though. At a time in my life when I found myself on the wrong side of the haves and the have nots, the library really was my sanctuary: It was a place where I could check my email and search for jobs. It was a change of scenery, temporarily leaving a mindset of despair behind to put in a shift with hope. It was a place to discover that I wasn’t alone as I sat alongside other middle-aged engineering-types who looked lost outside their cubicles in the middle of the day. It was also a reminder that we were not the worst off; there were regulars there who were far more dependent upon the library’s ancillary services than we were: the homeless, the elderly, the mentally ill, the “illegals,” and others. The library was their sanctuary too.

Working through my own issues, I happened upon a local zen center one early midweek morning and knocked on the door. I was met by a fellow who threw on his robes and invited me in to sit with him. Over the course of a few years this place became another sanctuary for me, and I worked with what little leverage I had to make it a sanctuary for others as well. Whether that was successful is an open question, but there were certainly “lessons learned.” From a technical standpoint, it was clear that people seeking a safe haven from one thing or another in their lives often need safe ways to communicate. We took initial steps toward ensuring the facilities had free internet access and that those in need had an email address provided by the organization. In retrospect, this combined with a monk giving “dharma names” for those dedicated to the practice had the makings of a rudimentary “identity provider:” The center vouches for these individuals through association and knows them by these names.

Wandering the grounds of a local Franciscan shrine, yet another local sanctuary, I considered how more and more often I’ve encountered people without a voice. Whether they lack the means or the wherewithal to speak and to speak freely; whether they find themselves in an environment hostile to what is in their hearts; or whether there are actual technical measures taken against them to suppress, to track, to spy upon, or to threaten them; it’s important not only to offer a safe space, but also a voice inside a sanctuary’s community.

A library. A zen center. A church. A homeless shelter. A battered spouse shelter. A community center. A support group. There really is no shortage of mutually supportive communities who know and vouch for one another that may benefit from the ability to offer safe, inexpensive, individual communication services for those who need them. With identity established within the group, the members can enjoy near-anonymous service facing outside. A group may offer whatever level of protection they wish while holding the individual accountable against abusing the protection and the services.

So, what if the library staff could say, “Papers or not, I know that person is a regular here.” What if, while on site, that person could make and take phone calls and check voicemail from an individually assigned phone number? Send and receive text messages through a web application? Communicate securely with other members of the group? The community provides sanctuary, a safe identity, and various services within the community. That’s my rough initial thinking for Sanctuary IdP.

Forward? The notions of “sanctuary” and “refuge” continue to hold a special meaning for me, both in the offering and in the receiving. I’m not always able to provide a physical place, but I can sometimes offer skills, experience, or other resources. For now I’ll just state the intention here. Call it a “vanity project,” but maybe for a good cause. I’ll document my plodding progress, and maybe it will attract some interest, attention, and help.

Who knows? We’ll see where it goes.