Configuring Atlassian Cloud Single Sign On for ADFS 3.0

Atlassian don’t officially support AD FS with Confluence Cloud – but it is working well now I’ve sorted out the issues I was having passing user’s email address through as the nameId claim. Hopefully these instructions can save you some trial and error.

Enable SAML on Atlassian Cloud

  1. First off – enable SAML on your Atlassian Cloud instance at https://<subdomain>
  2. The Identity Provider Entity ID can be found in the Federation Service Properties in ADFS – but typically will look like mine –
  3. Identity Provider SSO URL can be found in  AD FS Service > Endpoints – look for the SAML 2.0 type, but it should just be
  4. Open up your token signing certificate in AD FS, then select ‘Copy to file’ from the Details tab. Save with Base64 encoded as a txt file – then copy the contents into the Public x509 certificate field.
  5. Save configuration

Add Relying Party Trust wizard

  1. Add a Relying Party Trust to AD FS. On the welcome page select ‘Enter data about the relying party manually’
  2. Select a display name – i.e. Atlassian Confluence
  3. Use the AD FS profile (supports SAML 2.0)
  4. Leave the token encryption certificate blank
  5. Enable support for the SAML 2.0 WebSSO protocol – and enter the SP Assertion Consumer Service URL from the Atlassian Site Administration > SAML section. Currently this is:
  6. For the relying party trust identifier, enter the SP Entity ID – currently this is

    Please note, do not be tempted to add additional relying party trust identifiers (I had added some others in here which caused it not to work)

  7. Optionally configure multi factor authentication settings

Configure the claim rules

  1. First create a rule to send attributes from Active Directory to Atlassian Cloud. I think the only mandatory claim is the email address.
  2. Next, add a second rule to Transform an incoming claim
    (this is another step I hadn’t figured out the first time I tried to configure SAML – without this step it seems like ADFS doesn’t use the right format for the outgoing name ID).

Test it out

I haven’t got Identity Provider initiated sign on working yet (via the /adfs/ls/idpinitiatedsignon.aspx) – but if you use a RelayState URL – and then put this in your corporate bookmarks etc it should work nicely (replace the <yoursubdomain> part<yoursubdomain>

Aeotec Micro Smart Switch & Home Assistant

Several weeks ago my long awaited Z-Wave module for the Pine64 arrived. I managed to get open-zwave  installed on Debian on the Pi, found it was on /dev/ttyS2, but this week ran into trouble setting up my first Z-Wave device, the Aeotec Micro Switch.

Tailing the OZW_Log.txt I could see it get added to the network OK, but it would immediately show as dead. I found some advice online suggesting the security key needed to be added as per the Home-Assistant Adding secure devices tutorial. This did help, but it still wasn’t working right.

Eventually tried pointing the config_path to the openzwave config path – and suddenly things came to life and have been working well since.

  zwave:
    usb_path: /dev/ttyS2
    config_path: /srv/hass/src/python-openzwave/openzwave/config

One Z-Wave parameter on the Aeotec did surprise me – it doesn’t default to reporting to the controller if the switch state has been changed locally (i.e. someone flicks the switch); so the controller doesn’t find out until it next polls.

I called the set_zwave_parameter service on Home Assistant to send a basic report when the state changed, default is 0, 1 sends a message to say something has changed, 2 sends a report showing what has changed.

Enable to send notifications to associated devices (Group 1) when the state of Micro Switch’s load changed (0=nothing, 1=hail CC, 2=basic CC report).
  {
    "entity_id": "switch.ensuite_towel_rail_switch_5",
    "parameter": "80",
    "length": "1",
    "value": "2"
  }

Enhancing Qlik Sense tables with Emojis

I’m a newcomer to Qlik, and am working on implementing Qlik Sense for a hospital. One area I was considering today was how to better communicate to users when there might be something wrong or they need to be aware of with the data they are looking at.

Our data model has quality checks as part of the data load scripts, and was reporting these to various exception flags. Maybe in QlikView this might work because the experience can be more tightly controlled; you could set up a Data Quality tab, add in all of the various exception flags from around the data model and then filter each of the exceptions. But I don’t want to rely on having to do that, let alone if other staff are building any of their own apps.

So I searched for a better solution, for about an hour. My first thought was ‘could I setup an Exception table’, which could have different numbers and exception reasons linked. To be effective though one would somehow have to then have an Exception link table and insert a row dynamically linking back to any rows in any tables which had data quality issues. I’d still like to figure this one out, but this is not a job for today.

Next I considered using bitmask status codes.. you might have come across these before if you’ve ever had to change settings in the registry. That way I could at least use one column in each table as an Exception column, and be able to indicate a number of different exceptions all in the same field. But because of the coding you can still separate it out later (i.e. from a data quality page) to find out what exceptions each row had. Also not a job for today, and I don’t think our Qlik partners would appreciate trying to debug that!

Finally I was going to try appending a written exception into a single column, but again I don’t have enough Qlikfu to figure that one out.

So I reverted to prioritising the exceptions in an if statement, and just setting ‘Exception’ to be whatever reason is matched first.

Unfortunately none of the above solve my original question of how do we warn users about this datum. (I mention all these because I’d love to know what solutions people have come up with, maybe someone out there sees this and thinks ‘oh I can explain how to do that in a forum post!’)

Next part of the challenge – how do we indicate this to the user. My current text exception column is taking up precious screen real-estate and ‘Ex Procedure Has Exception = 1’ doesn’t mean much anyway.

So I thought I would try out using Emojis in Qlik. Couldn’t find anything online except someone having issues with Emojis in source data freezing Qlik

Went to looking for a Warning⚠️ symbol (which looks nice and Yellow and sufficiently warning in Firefox) and pasted this into a string in Qlik Sense. To my surprise it pasted into the editor pane and showed up among the Console font text (I thought at least would have to do some special Unicode /x01513/ string or something to make it work). Thankfully, it survived a Load Data and made it through to the data Table I was working on:

Qlik Sense Emoji Warning/Exception Reporting

In this first screenshot I’ve set the Procedure name up to append a warning Emoji if the procedure has exceptions. I’ll come back to the ‘ApplyMap’ bit later, but either of the lines below would achieve the same result.

Load *,
     // Append warning emoji to procedure name if has exceptions
     [Procedure Name] & If([Procedure Exceptions],ApplyMap('Emoji','warning'),'') As [Procedure]

Unfortunately we can’t set the hover text on the emoji to show what the issue is, so we’ll still need a Warnings tab of some sorts.

(Emoji’s are actually just rendered as text, not images, so there isn’t even an image there to attach hover text to).

Next up the stock order table, wanted to show a quick visual way whether the order was closed or not.

Sure we could use conditional formatting, but that relies on the user configuring it for each table they are building (unless there is some Qlikfu to ‘tag’ a column for conditional formatting, hint hint). Using this method if they add the Closed flag they can see it is closed.

In this instance I set it up as a Dual to retain the 0 or 1 of the underlying data for counting purposes. i.e. running a count on the screenshot below would give you 6.

If(closed, Dual('✔️',1), Dual('✖️',0)) AS [Order Closed],

Qlik Sense Emoji Order Status

And you can even sort by or filter on our little picture friends:

Filtering by Emoji in Qlik Sense

They also work in KPIs (to show up nice and big), export to Excel and PDF OK (but don’t look as pretty).

Please note they will look bland on Internet Explorer but should show up nicely in Firefox or Chrome, so you need to test from the devices of your users.

I hope this has given you some ideas on how you might be able to improve communication when you’re stuck using a Table for some reason!

Here is a Mapping to get you started, copy and paste into Data Load script, then select which Emoji you want using ApplyMap.

Of course you can just copy and paste from the Unicode or Getemoji website as well, but this way gives some more control if you want to change things up centrally down the track.

Mapping LOAD * Inline [

Would love to know of other ways you’re doing exception reporting or interesting uses of Qlik Sense!


BLF lights not working after switching Asterisk to version 11

Found a strange issue after switching to Asterisk v11, the BLF buttons on our Panasonic SIP phones stopped working.

Eventually thought it was worth trying setting the ‘presence server address’ which previously hadn’t been set (and in Endpoint Manager is set to blank) to the PBX and the lights immediately started working. Much simpler solution than I anticipated.


New UFB ISP option for Greymouth business customers

Today ISP DTS announced availability of their UFB services in Greymouth, providing a compelling option for businesses considering a UFB upgrade. Being a business only ISP you can expect a higher level of service and support than the small business plans offered by other providers (Spark, Snap/2degrees).

Their pricing comes in very competitively at $119/month for 100GB or $149 for unlimited, on a 100/100Mbps connection, and can also provide 200/200Mbps for a little more.

DTS have nearly completed (at the time of writing 1 region to go) a nationwide deployment allowing them to provide UFB services in each area.

I’m not affiliated with DTS in any way, but hope to see a great uptake of UFB in Greymouth and the regions. UFB means New Zealanders (well, those who can get it) have huge opportunities to compete on the global level with digital exports. It means you no longer need your own dedicated phone system or servers, leave that to the experts and focus on more important things.


Factory reset Panasonic KX-UT12x

If you can’t access the web interface to reset a Panasonic SIP phone

  1. Press the Setting softkey
  2. Dial #136
  3. Press Enter, then the down arrow (to select Yes) then Enter

The phone will shortly reboot.


802.1X authentication woes with NPS & EAP

Had a frustrating issue with some UniFi APs where clients were not able to authenticate to the Pro models, but OK to the standard UniFis.

Running a packet capture on the NPS server I could see many Access-Requests arriving at the server with an Access-Challenge immediately being sent back, but the AP would just keep sending the same request and the server was neither rejecting nor allowing the connection.

If you’re having similar sounding issues, try adding a ‘Framed-MTU’ attribute to the Network Policy settings.

The MS article recommends using a Framed-MTU of 1344, but I ended up settling on 1400. We did have Jumbo frames enabled on the server running the NPS role, which I think may have been contributing to the problem. Hope this can help someone out!

Framed-MTU Setting




KB: User’s print jobs showing as coming from another domain user

We’ve just had a strange problem where print jobs for one of our users were printing out and showing up on the printer as coming from a different username.

Normally, probably wouldn’t matter too much, but they use PaperCut account selection – meaning the popups to select the printer account were displaying on the other users’ screen.

After checking the event logs we noticed Explorer and Spoolsv were connecting to the print server as a different user’s account.

I remembered recently coming across the Windows Credential Manager – so opened up Credential Manager and sure enough, there was a saved network credential for this network server.

Deleting the credentials then restarting the computer has thankfully resolved the issue. First time I’ve run into this problem!


Veeam announces free Time Machine equivalent for Windows

Veeam, known for being one of the leading providers of enterprise virtual backups, have just announced they will be releasing a free backup tool for desktop users, providing automatic backups to a NAS or other hard drive.

Veeam Endpoint Backup FREE looks like it will be a great set and forget solution, allowing both simple file recovery or bare metal recovery. Using Mac OS X at home with Time Machine, I often wish there was a good free equivalent to recommend for Windows users. I’m sure there are options out there, but I really trust Veeam and it looks like it will be a nice simple product with no pressure to upsell to a paid version (there is none).

Don’t forget you still need an offsite backup – so team this up with a cloud backup, have another hard drive which you rotate offsite, or buy a pair of NASes, set up replication and distribute them among your family (those 50Mbps upload UFB plans have to be good for something, right?).

If backing up to a NAS, it is a very good idea to set up another shared folder and a separate user account on the NAS specifically for the backups to be saved to. Never ‘map’ this backup folder to My Computer, and your own user account should have read-only access to the folder. Hopefully we will be able to configure a UNC path and credentials within Veeam directly. This helps minimise the chance of ransomware or other malware, which might scan your network for files to delete, reaching your backups. I haven’t heard of anything doing this yet, but there is definitely malware out there which deletes or encrypts files on mapped network drives.

The first beta will be released in November, with the release scheduled for early 2015.


Next phase of UFB rollout for Greymouth

Chorus have updated their maps in the last week to show UFB is now available in more areas in Greymouth.
It is still unclear which ISPs will be providing UFB in Greymouth – Snap is probably your best bet currently for home and basic business use; DTS can do business connections and apparently HD are offering both residential and business connections.  I assume Spark will also provide access here soon if they aren’t already. New fiber-only ISP, MyRepublic looks interesting, but they said they need a few interested people to sign up at once before they would install the required equipment in Greymouth.

Darker blue showing UFB availability October 2014


Ultrafast broadband really changes the whole way we can think about how we use technology at home and business. At a ~50 user site, the changes we are looking at immediately once UFB is installed include:

    • Moving our email (Exchange) over to Office 365, instead of having to maintain an email server on-site
    • Using Windows Updates directly from Microsoft instead of caching them all on a server locally
    • Switching from a traditional web content filtering + caching solution to a fast, NGFW (Next-generation firewall) to reduce potential points of failure and bottleneck
    • Shifting more phone lines across to Voice over IP
    • Making more use of online backup services

    • Providing better remote access for staff wanting to work from home

Caution is also required going into the future. If your phone line is switched over to being provided through UFB instead of Chorus copper, you will lose phone access during power cuts. One thing that Telecom (Spark) have been fantastic at in the past is providing an incredibly reliable phone network, even in a power cut corded phones would still work, and even with a cable/fiber cut you were still able to at least call people locally.

Of course this is less important for some people these days with most people having cell phones, but we know from the Christchurch earthquake that cellphones a) also need power and b) get overloaded so can’t be relied upon.

The good news is that Spark currently aren’t requiring you to give up your landline, but this will change in the future. When it does change, make sure you buy a good quality UPS (uninterruptible power supply) which could at least keep your phone running for a few hours. Let’s hope that they come up with a good quality, affordable UPS at the time that Spark start switching people over.

