IAM/CoSS Work Week – JAN 2017

Last week people from various Mozilla teams got together in Berlin for a work week on Identity and Access Management (IAM) as well as Community Support Software (CoSS).


Following up on work done throughout 2016, we

  • updated project visions,
  • populated backlogs,
  • resolved technical integration questions,
  • created roadmaps,
  • and defined integration milestones.

Lastly, we came out of the week with broad and deep shared understanding on these two projects and their envisioned impact on Mozilla’s mission.

Day 1

As people had to travel from many places in Europe and Northern America to the work week we used day one to get to know each other, set expectations and introduce project metaphors.

IAM Metaphor

Access management is strongly related to “levels of trust” of people involved in an initiative. In the past, this was usually modeled by relying on the “onion model” of Mozilla Communities. Moving forward, we believe that trust is better modeled using a Community Garden metaphor.

IAM Community Garden Metaphor.png

Some of the base principles driving this metaphor are:

  • Each contributor is a plant in the community garden
  • Mozilla is the environment providing resources that make plants grow (water, soil, rain)
  • The gardeners are the onboarding program members
  • Each group has a different level of maturity, like the plants
  • Levels of trust are represented by the depth of roots

CoSS Metaphor

Diving into Community Support Software, a Utilities metaphor closely resembles our project goals. Right now various Community Support websites are like cabins in the woods, from the outside they all look a bit different. But at the core, they have a lot of similar needs. Taking a holistic approach to these products will allow us to develop robust technologies to service all. So instead of us living like we are all cabins in the woods. We will set up “public utilities” (sewage pipes, power, heating) that can serve the community. And we’ll make sure all the utilities (identity, event management, content management, etc) can work together, can scale, and support openness.

CoSS Icon 2.png

Participants evaluated the Day 1 Return-On-Time-Invested (ROTI) at 4.7 (on a scale of 1 to 5).

Day 2

During the second day we split in two streams

  1. Identity & Access
  2. Community Software

The Identity & Access stream created a very rough story map for the work to be done during the coming months. The Community Software stream identified, refined, and shaped a shared language among program managers, product managers and software engineers.

Together we agreed on various communication and collaboration processes and expressed our intent to run the projects in a Scrum-like development approach, allowing us to inspect and adapt as we go. This set us up to co-create a strategic vision for the two projects.

IAM Vision

Mozilla’s Identity and Access Management (IAM) project builds a secure, easy to manage, and appropriate authentication and identification service for all of Mozilla and its community, which enables seamless communication & collaboration between staff and volunteers.

It is an integral element of the Community Support Software project and an essential building block to Mozilla’s goal of making radical participation a strategic advantage.

This will be achieved by


  • providing an easy, safe, and consistent user experience
  • allowing for services to be expanded and focused based on level of trust or role
  • using the same IAM platform and tools
  • establishing organization-wide data consistency
  • reducing IAM management tasks

In 2017 IAM will expand the unified sign-up/login experience to all users and provide a common platform linking identity & access management for employees and volunteers.

CoSS Vision

The Community Support Software, CoSS for short (previously VMS or MozNet), provides the tools needed for people to contribute to the issues [could be tech or mission] they care about through Mozilla. A simple, transparent, guided and personalized User Experience ensures that work is surfaced, strategic, done with clear accountability. It will have a near seamless experience with other Mozilla communication and collaboration tools.

Additionally, the CoSS facilitates and enhances the staff/volunteer relationship, allowing for staff or Volunteer Leaders to identify, recognize, and support people at a variety of levels and contribution types.

In 2017, we will create the start of a solution through iterative prototyping with local clubs. With the goal to build key functionality to solve programmatic  needs in a way that is scalable for other teams.

Participants evaluated the Day 2 Return-On-Time-Invested (ROTI) at 3.6.

Day 3

By now we switched from “going broad” to “going deep”. This resulted in various break-out sessions, cross-pollination between the  work streams, and continued refinement of the overall picture.

In the early afternoon we spent time on a real-life user experience journey. Showing a Mozilla Club Captain’s journey from a Tweet to the website to his/her email inbox and all the back and forths happening in between. This was a fun and enlightening exercise.

The picture below shows Gene (the Club applicant) talking to Lucy (the website). Not pictured is Julia (the email inbox). The blue flag Alan is holding up signals confusion at this particular interaction step.

UX Journey.png

Participants evaluated the Day 3 Return-On-Time-Invested (ROTI) at 3.8.

Day 4

Throughout the day we continued to answer the hard questions. This included refinement of story maps, identification of personas, prototyping and stating product assumptions.

We also used the afternoon to check in with some of the core stakeholders: CRM/lifecycle marketing, MoFo leadership, IT leadership, Open Innovation leadership. Future stakeholder meetings are planned with the People team and others.

Participants evaluated the Day 4 Return-On-Time-Invested (ROTI) at 4.0.

Day 5

The final work week day. This is where our roadmaps came together. The pictures below are rough and should provide a high level overview. Work for the coming weeks will be based on these roadmaps.

Concluding the work week we are excited to be at the start of this implementation journey!

IAM Roadmap


CoSS Roadmap


Participants evaluated the full week Return-On-Time-Invested (ROTI) at 4.8.

Closing Remarks

A huge thank you to the work week participants, sponsors and organizing committee. It was great to see that 23 people were able to set aside an entire week of their busy schedules and join us in-person. The many “Aha!”moments and actionable outcome speaks for the week’s success.

Now it’s time to switch into delivery mode and ship value. We aim to get as much done as possible in the remainder of Q1 and until we all meet again at the next All Hands. Onwards!

Work Week team.png

PS: If you want to continue the conversation, please join us on Discourse at the Participation Systems Program category.

HTTP 400 (Bad Request) on Mozilla’s Auth0 Passwordless Login

As previously mentioned, Mozilla decommissioned Persona and moved to Auth0 as authentication provider. During the past days, we received reports that users were returned HTTP 400 (Bad Request) upon login. With KaiRo‘s help we tracked down an issue in Auth0‘s plain text URL encoding. Awesome find! Big kudos to KaiRo!

For full details, please read on.

Steps to reproduce

  • Open reps.mozilla.org
  • In the top right, select Login
  • On Mozilla’s Auth0 Log in page, select Log in with Email
  • Enter your email address
  • Press Send Email
  • In your mail open the message from Mozilla SSO and view source
    • In Gmail: Options > Show original
    • In Thunderbird: View > Message Source (or ⌘U)
  • Take the login URL from section “Content-Type: text/plain” and paste it into your browser
  • A web page displaying “Oops!, something went wrong” is loaded

User-facing error message

Upon clicking the login URL from the text/plain content, the browser:

  • Opens a URL starting with https://auth.mozilla.auth0.com/passwordless/verify_redirect
  • The web page says “Oops!, something went wrong
  • Clicking on TECHNICAL DETAILS > See details for this error shows: invalid_request: missing client_id parameter

Auth0 HTTP 400.png

Root cause analysis

The passwordless authentication email full message looks like this (simplified content):

Content-Type: multipart/alternative;
From: Mozilla SSO <noreply@sso.mozilla.com>
Subject: Welcome to reps.mozilla.org
X-Mailer: nodemailer (2.3.0; +http://nodemailer.com/; SES/1.3.0)
Date: Tue, 13 Dec 2016 16:07:34 +0000

Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Welcome to reps.mozilla.org!

Click and confirm that you want to sign in to=
 reps.mozilla.org. This link will expire in five minutes:

ps.mozilla.org%2Foidc%2Fcallback%2F [other parameters removed for privacy]

If you are having any issues with your =
account, please don't hesitate to contact us by replying to this mail.


Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.=
<html xmlns=3D"http://www.w3=

[Content removed for sake of readability.]

The relevant part is the text/plain section. The URL parameters are encoded incorrectly. Instead of a simple & (ampersand), the parameters are concatenated via a HTML encoded ampersand (&amp;). This breaks the URL, resulting in the HTTP 400 (Bad Request).

Next steps

We opened a ticked with Auth0 and expect this to be fixed soon.


Kudos to KaiRo for reporting and tracking this down.

Awesome Mozilla InfoSec team for following up and keeping the energy level high!


(Fun) Your Daily ‘We Are The World’ Reminder

Mozilla is a distributed place. About a third of its workforce are remote employees or remoties. So we speak to each other a lot on video chats. A lot.

Some paid contributors still have hobbies aside from working on the Mozilla project. For example, there’s the enterprise architect who is a music aficionado. There’s a number of people building Satellite Ground Stations. And I am sure we have many, many more pockets of awesomeness around.

And of course there are people who record their own music. So if you own a professional microphone, why not use it to treat your colleagues to a perfectly echo-canceled, smooth and noiseless version of your voice? Yay!

This is the point where I am continuously reminded of the song We Are The World from the 80ies. For example, check out Michael Jackson’s (2:41 min) or Bruce Springsteen’s (5:35 min) performances. This makes my day. Every single time.


PS: This article was published as part of the Participation Systems Turing Day. It aims to help people on our team who were born well past the 80ies to understand why I am frequently smiling in our video chats.

PPS: Oh yes, I confused “Heal the World” with “We Are The World” in the session proposal. Sorry for this glitch.

PPPS: Thank you to you-know-who-you-are for the inspiration.

Autonomy, Mastery & Purpose at Mozilla’s Participation Systems

This week I was reminded of Dan Pink’s Drive and it’s key message: Autonomy, Mastery & Purpose. We are doing some work on Mozilla’s Moderator application: infrastructure migration, decommission Persona, and give it a visual refresh.

It’s the first part that held a strong lesson.

In the past, the Moderator site scored an F in the HTTP Observatory, a way to measure a server and application web security. Following the migration, the site now scores A+. By the way, you can always verify this yourself.


What I Learned This Week:

  • Autonomy: Provide a team with autonomy over it’s entire product value chain and be surprised of the cool stuff that happens.
  • Mastery: Going to A+ wasn’t an acceptance criteria. It’s our intrinsic motivation which helps us be better every day.
  • Purpose: The Mozilla Manifesto provides us with a great set of shared values. In this case it was probably principle #4 on treating individuals’ security which served as North Star.

Of course the same Observatory rating could have been achieved on the old infrastructure. We just never did. It’s probably the perfect storm of a cross-functional team operating in autonomy, growing mastery and with a clear sense of purpose that made it so easily possible.

Blessed to be working on the Participation Systems team.


On Mozilla’s identity and access management (IAM) initiatives

(Cross-post from Mozilla’s discourse.)


This document describes some of Mozilla’s activities in response to the decommissioning of Persona. It describes the change taking place in many of our web properties. Additionally the document provides a short overview on Mozilla’s broader identity and access management (IAM) initiatives.

Summary (TL;DR)

  • Persona will be decommissioned on NOV 30, 2016.
  • Our new authentication provider is built with Auth0 at its core.
  • All Participation Systems properties (reps.mozilla.org, mozillians.org, moderator.mozilla.org and others) will be using Auth0 moving forward.
  • Using this new authentication provider, Mozilla will transition many of its web properties that use Persona today to provide both
    • password-less email login for all profiles on Mozillians.org and
    • LDAP login for staff.
    • Additionally, some web properties will offer select social logins (e.g. Google, GitHub).
  • Moving into 2017, Mozillians.org will be fully integrated with Mozilla’s LDAP. This will enable volunteers and paid staff to collaborate using some of the same platforms and tools.

Persona Replacement (aka IAM Package B)

As previously mentioned on mozilla.dev.identity [Jan 12 2016 and Oct 13 2016], Persona is slated for decommissioning on November 30th, 2016.

Mozilla will not offer a public-facing authentication service like Persona after November 30th. Information for website owners to migrate their sites away from persona.org can be found on the wiki.

Many of Mozilla’s web properties (some of them listed below) will replace Persona with a new authentication provider based on Auth0. This means that Mozillians will be able to authenticate on many Mozilla sites using password-less email login, or select social logins (e.g. Google, GitHub). Staff members can continue to use their LDAP credentials on these sites. This transition includes, but is not limited to: Mozillians.org, Discourse, Moderator, Reps Portal, and Air Mozilla.

For the web properties maintained by the Participation Systems team (Discourse, Moderator, Mozillians.org, Reps Portal) this bucket of work is often referred to as “IAM Package B” and can be tracked on the team’s Kanban board. Package A was a technical proof of concept which successfully ended in September 2016.

Mozillians.org LDAP Integration (aka IAM Package C)

Looking towards 2017 we plan to integrate Mozillians.org with LDAP, to facilitate group management and access control for both paid staff and volunteers. This endeavor is often referred to as “IAM Package C”. Connecting these two systems will allow us to offer a single access management system for all Mozillians, volunteers as well as paid staff. We are still designing this new system and will share additional details in the coming months.

This groundwork will eventually allow us to differentiate collaboration tools’ access levels based on project needs instead of employment status. Think about the ability to provide document access to a hybrid project group of volunteer and staff contributors. This is a natural next step in our work as a radically participatory organization.

Feedback welcome!

This article hopefully provided insight into Mozilla’s currently running and planned activities around identity and access management. We invite you to continue the conversation at this discourse post.

Back at the Front at #push16

During the last two days Mozilla had a booth at push.conference 2016 in Munich. Push unites creative coding and user experience design, by offering a platform for designers, developers and UX professionals.

Elio, George and I represented Mozilla. To put it in George’s words:

Among the things we presented to booth visitors were:

Here’s what I learned this week:

  • Be there, talk and -most importantly- listen to people. It’s exhaustive and rewarding. Totally awesome.
  • On the Innovation Toolkit:
    • The toolkit allows us to open a conversation with a whole range of new (potential) contributors: experience designers, visual designers, and many other creative types.
    • We are missing a creative commons content license. This is a bug and will hopefully be fixed soon.
    • People have not heard of the toolkit yet. We need to be louder about it.
    • Students and higher-education teachers are really interested in this.
    • Seasoned professionals identified it as a great “quick reference” source.
    • We need to become better at explaining WHY Mozilla has created this innovation toolkit and WHAT’s the Mozilla’iary aspect of the toolkit and HOW it is used inside and outside Mozilla.
  • On the EU Copyright Campaign: People like it. Many can’t believe how broken current copyright rules are.
  • On the Equal Rating innovation challenge: Again, people really like the idea. Students and university teaching staff are very receptive on potentially running creative projects around that topic.
  • On the Mozilla Festival: It would be great to get the word out to more designers and UX professionals to join us at #MozFest.

Overall, a great couple of days.

Update: Elio’s post has some additional details on #push16 itself.

Overwhelming Response

This is the end of week 1 as Mozilla employee. Here’s What I learned This Week

An Overwhelmingly Positive Response by Mozilla Reps

Before joining Mozilla, I sent a message to all Mozilla Reps asking for their opinion on my role in this hybrid volunteer-and-staff-driven community empowerment program:

Dear Reps,
Dear Mentees,
Dear Council,
Fellow Peers,

on Monday 05 Sept, 2016 I will become a Mozilla employee. Following almost 15 years as a volunteer Mozillian I was offered the opportunity to take this new perspective on the Mozilla Project. My job title is Participation Strategist and I am part of the Participation team reporting to George.

At this moment I hold various roles in the Reps Program:
– Rep
– Mentor
– Module Peer

In my role as a Reps Peer, I have aimed to serve the ReMo program by setting direction and execution on strategic questions.

Moving forward, I’d like to continue contributing to ReMo. I anticipate that my actions will be influenced by the fact that I am a staff Mozillian. Of course I hope that this “bias” will be positive for Reps. At the same time I accept that people are sceptic of too much employee involvement in the program.

For this reason I put my roles in the ReMo program at your disposition. If anybody wants to veto against me being in any or all of the above mentioned three roles, please send a message to our Module Owner Ioana (in CC) and she will take the necessary action ensuring your privacy.

Let’s keep rocking the Open Web.

Always at your service,
Mozilla Rep, Mentor, Peer and soon employee

The answers blew me away. There were responses from many parts of the world congratulating me on becoming Mozilla staff. A huge thank you to the Reps from Uganda, Germany, Bangladesh, Taiwan, Malaysia, India, Hong Kong, Mauritius, Ivory Coast, US, Venezuela, Belgium, Tunisia, France, Italy and many others.

An Overwhelming Positive Response on Social Media

Also, as soon as I tweeted and posted a Facebook update, lots of positive feedback arrived.

To all of you who thought of me and dropped me a line: Thank you! I am blessed to be serving our mission to ensure the Internet is a global public resource, open and accessible to all.