Skip to content

Posts

Thoughts on cloud architecture, AI and Analytics, cyber defense, and real-world systems.

Posts

From Month-Long Mission to One-Week Victory: How Gen AI Transformed My Development Workflow

The Challenge: A Complex Reporting System with Limited Documentation

I was assigned what seemed like a straightforward task: update the drinking water quality report on the CRD public website. What I discovered was anything but simple.

The reporting solution was a complex ecosystem involving: - Crystal Reports for the presentation layer - SQL Server stored procedures for data processing - Azure DevOps managing dev, QA, and production environments - Three stored procedures containing over 3,000 lines of code

The biggest hurdle? Limited documentation. I was essentially navigating a maze without a map.

Traditional Approach: The Week-Long Code Review

Under normal circumstances, this task would have required: - Manual code review: 5-7 days just to understand the existing logic - Architecture verification: Additional time to map relationships - Testing and validation: Another week for comprehensive testing - Implementation and deployment: Final week for fixes and deployment

Total estimated timeline: 4+ weeks

The Gen AI Game-Changer: GitHub Copilot to the Rescue

Instead of spending a week manually reviewing code, I turned to GitHub Copilot. Here's how it transformed my workflow:

1. Rapid Code Comprehension

I fed the stored procedures to Copilot and asked it to explain: - Tables used: Which database tables were being accessed - Join relationships: How different tables connected - Parameters and values: What inputs the procedures expected - Business logic: What the code was actually doing

What would have taken me a week of manual analysis, Copilot explained in hours.

2. Architecture Mapping

Copilot helped me understand: - The Crystal Reports to SQL Server integration - How Azure DevOps pipelines managed environment deployments - The data flow from database to web presentation

3. Code Analysis at Scale

With 3,000+ lines of complex SQL, manual review would have been error-prone and time-consuming. Copilot: - Identified potential performance bottlenecks - Highlighted redundant code patterns - Suggested optimization opportunities - Explained complex business rules embedded in the SQL

The Results: One Week vs. One Month

Before Gen AI:

  • Code understanding: 1 week
  • Architecture analysis: 3-4 days
  • Fix implementation: 1 week
  • Testing and validation: 1 week
  • Total: ~4 weeks

With Gen AI:

  • Code understanding: 1 day
  • Architecture analysis: 1 day
  • Fix implementation: 3 days
  • Testing and validation: 2 days
  • Total: 1 week

Key Productivity Gains

1. Accelerated Learning Curve

Gen AI acted as an expert mentor, explaining complex code patterns and business logic that would have taken me weeks to decipher manually.

2. Error Reduction

By having AI explain the code structure and relationships, I reduced the risk of misinterpretation that often comes with manual code review of complex systems.

3. Confidence in Implementation

Understanding the full context before making changes meant I could implement fixes with confidence, knowing I wasn't breaking existing functionality.

4. Better Testing Strategy

With comprehensive understanding of the codebase, I could create more targeted and effective test cases.

Practical Tips for Using Gen AI in Legacy System Maintenance

Based on my experience, here's how to maximize Gen AI for similar tasks:

1. Start with High-Level Questions

Ask the AI to explain the overall purpose and structure before diving into details.

2. Break Down Complex Code

Feed smaller sections of code to the AI for detailed analysis rather than overwhelming it with everything at once.

3. Verify AI Explanations

Cross-reference AI explanations with your own understanding and any available documentation.

4. Use AI for Documentation Generation

Have the AI create documentation for future reference - this helps the next person who encounters the system.

5. Leverage AI for Testing

Ask the AI to suggest test cases based on the code logic and business rules it identifies.

The Bigger Picture: Gen AI as a Force Multiplier

This experience demonstrates that Gen AI isn't just about writing code faster—it's about understanding complex systems more effectively. In legacy system maintenance, where documentation is often scarce and business logic is embedded in thousands of lines of code, Gen AI becomes an invaluable tool for:

  • Rapid onboarding to unfamiliar codebases
  • Knowledge transfer from departing team members
  • Risk reduction in system modifications
  • Accelerated delivery of critical updates

Conclusion: A New Paradigm for Development Productivity

What used to be a month-long odyssey through complex legacy code became a focused week of targeted implementation. Gen AI didn't replace my expertise—it amplified it, allowing me to apply my skills where they mattered most rather than getting bogged down in code comprehension.

For organizations dealing with legacy systems and limited documentation, Gen AI tools like GitHub Copilot aren't just nice-to-have—they're essential for maintaining productivity and delivering value in reasonable timeframes.

The question isn't whether we can afford to adopt Gen AI in our development workflows. The real question is: can we afford not to?

Sound Alarms for Rec Center Productivity

Date: 2026-01-27 Tags: productivity improvement, requirement anaysis, solution implementation

TL;DR: In a one-month initiative, configuring a distinctive "invalid pass" audio cue within the existing access-control stack reduced service friction and improved staff response times and member satisfaction at two recreation sites.

Context

Recreation centers operate under continual operational pressure: staff manage check-ins, inquiries, facility issues, and safety concerns simultaneously. During busy periods, a failed barcode scan can go unnoticed while staff attend to higher-priority tasks, producing avoidable delays and a degraded member experience.

The visibility problem is particularly acute at peak times, when every second of unattended waiting contributes to longer queues and increased staff stress.

The Common Mistake

Organizations often treat this problem as inevitable and default to costly or suboptimal remedies: - Increase staffing levels (expensive) - Ask members to be patient (poor customer experience) - Install additional visual alert hardware (overkill)

These responses frequently overlook lower-cost, higher-impact alternatives available in existing systems.

What Actually Works

This case demonstrates that targeted configuration changes—rather than new hardware or staff—can resolve operational inefficiencies.

Platform Research: - The SaaS platform (PerfectMind XR) supports configurable audio profiles. - Preset profiles include attended, unattended, and other event-specific sounds. - The local client (PMScan) handles sound playback and enforces client-side settings.

Technical Investigation: - The barcode scanner raises an event that flows through the gate control and client application. - Audio settings must be aligned between the cloud profile and the local client configuration. - The PMScan client requires a restart to apply cloud-side configuration changes—an important deployment consideration.

Implementation Strategy: 1. Update the cloud audio profile to assign a distinctive "unattended/invalid pass" sound for failed scans. 2. Ensure the PMScan client is configured to use the updated profile. 3. Coordinate brief client restarts during low-traffic windows at both sites. 4. Provide concise staff guidance on the new audio cue and expected response.

The deployment across two sites—including verification and staff orientation—completed in under a month.

A Practical Rule of Thumb

Audio-first problem solving: before adding people or purchasing equipment, inventory the capabilities of your current systems. Many platforms include configurable behaviors that are underutilized and can deliver immediate operational benefits.

Ask: which detected events already exist in the system, and are their default notifications effective in your operational environment?

Closing Thought

Meaningful productivity gains often stem from deliberate configuration and process adjustments rather than new technology. In this instance, a single, well-chosen audio cue eliminated routine friction at the front desk, improved throughput during peak periods, and improved the experience for both staff and members.

  • 6 min read

Enterprise SSO with Microsoft Entra ID for Rec Centers

Overview

Successfully implemented Single Sign-On (SSO) integration for 4 recreation center sites across 8 environments (production and training) using Microsoft Entra ID and ADFS SAML. This comprehensive guide covers the entire implementation journey from planning to deployment.

Project Scope

  • Sites: 4 recreation center websites (Rec Center 1, Rec Center 2, Rec Center 3, and Rec Center 4)
  • Environments: 8 total (4 production + 4 training)
  • Integration: Microsoft Entra ID with ADFS SAML
  • User Management: Active Directory groups with PowerShell automation
  • Timeline: 3-month implementation period
  • Deliverables: Architecture design, rollout plan, SSO runbook, user analysis, automation scripts, testing framework

Project Deliverables

Architecture Design

  • Format: DrawIO diagrams
  • Content: System architecture, SAML flow, network topology
  • Purpose: Technical blueprint for implementation

Rollout Plan

  • Format: Word document
  • Content: Detailed implementation schedule, risk mitigation, stakeholder communication
  • Purpose: Project management and change control

SSO Setup Runbook

  • Format: Word document
  • Content: Step-by-step configuration procedures, troubleshooting guides
  • Purpose: Operational documentation and knowledge transfer

User Analysis

  • Format: Excel workbook
  • Content: Active user inventory, profile analysis, group assignments
  • Purpose: User provisioning and access management

Automation Scripts

  • Format: PowerShell scripts
  • Content: Security group creation, AD user provisioning, group management
  • Purpose: Automated user lifecycle management

Testing Framework

  • Format: Playwright test suites
  • Content: End-to-end SSO testing, user journey validation
  • Purpose: Quality assurance and regression testing

Phase 1: Solution Design and Research

Vendor Collaboration and Solution Architecture

  1. Requirements Analysis
  2. Engaged with vendor support teams to identify optimal SSO solution
  3. Evaluated multiple authentication providers

  4. Selected Microsoft Entra ID for enterprise-grade security and scalability

  5. Technical Design

  6. ADFS SAML integration architecture
  7. Attribute mapping configuration
  8. Federation trust establishment
  9. Security token service configuration

SAML Authentication Flow

sequenceDiagram
    participant U as User
    participant B as Browser
    participant E as Entra ID (IdP)
    participant A as ADFS
    participant RP as Rec Center 1
    participant SE as Rec Center 2
    participant SI as Rec Center 3
    participant PA as Rec Center 4

    U->>B: Access Recreation Center App
    B->>E: Redirect to Entra ID
    E->>A: Authenticate via ADFS
    A->>E: Return SAML Assertion
    E->>B: Forward SAML Response
    B->>RP: Submit SAML to App
    RP->>B: Authentication Success
    B->>U: Grant Access

Security and Privacy Compliance

  • Collaborated with security and privacy teams for design review
  • Ensured compliance with organizational security policies
  • Implemented data protection measures
  • Completed risk assessment and mitigation planning

Phase 2: Planning and Stakeholder Management

Rollout Strategy

Created a comprehensive rollout plan prioritizing risk mitigation:

Implementation Timeline

gantt
    title SSO Implementation Timeline (3 Months)
    dateFormat  YYYY-MM-DD
    section Phase 1: Research
    Vendor Collaboration      :done, research1, 2026-01-01, 2w
    Solution Design          :done, research2, after research1, 2w
    Security Review          :done, research3, after research2, 1w

    section Phase 2: Planning
    User Inventory           :done, plan1, 2026-02-01, 1w
    Stakeholder Engagement   :done, plan2, after plan1, 2w
    Rollout Strategy         :done, plan3, after plan2, 1w

    section Phase 3: Training
    AD Setup                 :active, train1, 2026-02-15, 1w
    PowerShell Scripts       :train2, after train1, 1w
    Entra Configuration      :train3, after train2, 1w
    UAT Testing              :train4, after train3, 2w

    section Phase 4: Production
    CAB Approval             :prod1, 2026-03-15, 1w
    ReC Center 1 Deploy    :prod2, after prod1, 1w
    ReC Center 2 Deploy          :prod3, after prod2, 1w
    ReC Center 3 Deploy       :prod4, after prod3, 1w
    ReC Center 4 Deploy         :prod5, after prod4, 1w
  1. Site Selection Criteria
  2. User volume analysis
  3. Business impact assessment
  4. Technical complexity evaluation

  5. Change readiness assessment

  6. Stakeholder Engagement

  7. Recreation center managers and supervisors
  8. Network infrastructure team
  9. Security and compliance teams
  10. Change Advisory Board (CAB)

User Inventory and Verification

  1. Data Collection
  2. Extracted active users from all production environments
  3. Compiled comprehensive user directory

  4. Identified role-based access requirements

  5. Verification Process

  6. Coordinated with rec center managers for user validation
  7. Confirmed user roles and permissions
  8. Ensured data accuracy before migration

Phase 3: Training Environment Implementation

Active Directory Infrastructure Setup

  1. Group Creation Strategy
  2. Designed hierarchical AD group structure
  3. Implemented role-based access control (RBAC)

  4. Created environment-specific groups for isolation

  5. PowerShell Automation

    • Automated security group creation and management across environments.
    • Consistent AD user provisioning and deprovisioning workflows.
    • Idempotent scripts to prevent configuration drift.
    • Auditable operations via scripted deployments and logging.
    • Fast bulk user and group updates for large directories.
    • Enables repeatable environment setup for training and production.

Network Infrastructure Configuration

  1. Entra Application Setup
  2. Created enterprise applications in Entra ID
  3. Configured SAML integration settings

  4. Established federation trusts

  5. SAML Attribute Mapping

  6. Mapped user attributes between AD and SAML claims
  7. Configured name identifier format
  8. Set up attribute-based authorization

System Architecture

graph TD
    AD[Active Directory] -->|User Sync| Entra[Microsoft Entra ID]
    Entra -->|SAML 2.0| ADFS[ADFS Federation]
    ADFS -->|SAML Assertions| RP[Rec Center 1]
    ADFS -->|SAML Assertions| SE[Rec Center 2]
    ADFS -->|SAML Assertions| SI[Rec Center 3]
    ADFS -->|SAML Assertions| PA[Rec Center 4]

    PS[PowerShell Scripts] -->|Group Management| AD
    WT[Playwright Tests] -->|Validation| RP
    WT -->|Validation| SE
    WT -->|Validation| SI
    WT -->|Validation| PA

User Acceptance Testing (UAT)

  1. Test Plan Development
  2. Created comprehensive test scenarios
  3. Defined success criteria

  4. Established rollback procedures

  5. UAT Execution

  6. Coordinated with recreation center staff
  7. Validated authentication flows
  8. Tested role-based access controls

  9. Documented and resolved issues

  10. Playwright Automated Testing

    • Reproducible end-to-end SSO validation across environments.
    • Automated regression checks for login flows, attribute mapping, and RBAC.
    • Captures traces, screenshots, and video to speed debugging.
    • Reduces manual UAT effort and shortens release verification time.

Phase 4: Production Deployment

Change Management Process

  1. Service Request Preparation
  2. Documented technical implementation details
  3. Prepared risk assessment and mitigation strategies

  4. Created deployment and rollback plans

  5. Change Advisory Board Approval

  6. Presented business case and technical approach
  7. Demonstrated successful training environment implementation
  8. Obtained formal approval for production deployment

Production Deployment Strategy

  1. Phased Rollout Approach
  2. Site-by-site deployment to minimize risk
  3. Real-time monitoring and validation

  4. Rapid issue resolution protocols

  5. Post-Deployment Validation

  6. Authentication success rate monitoring
  7. User experience validation
  8. Performance metrics collection

Troubleshooting SSO Integration

Browser-Based SAML Response Analysis

Step 1: Capture SAML Response
  1. Open browser developer tools (F12)
  2. Navigate to Network tab
  3. Clear existing network traffic
  4. Initiate SSO login process
  5. Look for SAML POST requests in network log
Step 2: Extract and Decode SAML Data
  1. Right-click on SAML POST request
  2. Copy form data (SAMLResponse parameter)
  3. Use Base64 decoder to extract XML content
  4. Validate SAML assertion structure
Step 3: Verify Required Attributes

Ensure the following attributes are correctly mapped: - Last Name: sn or lastName - First Name: givenName or firstName - Email: mail or emailAddress - Profile/Role: role or memberOf - Location: department or physicalDeliveryOfficeName

Common Issues and Solutions
  • Missing Attributes: Check Entra ID attribute mapping configuration
  • Incorrect Values: Verify AD user profile data completeness
  • Certificate Errors: Validate SAML certificate trust chain
  • Time Sync Issues: Ensure IDP and SP system time synchronization

Key Success Factors

Technical Excellence

  • Comprehensive testing in training environment
  • Automated user provisioning processes
  • Robust error handling and logging
  • Scalable architecture design

Project Management

  • Detailed planning and risk assessment
  • Stakeholder engagement throughout the process
  • Clear communication channels
  • Change management compliance

Security Considerations

  • Principle of least privilege implementation
  • Multi-factor authentication enforcement
  • Regular security audits and compliance checks
  • Comprehensive logging and monitoring

Lessons Learned

Technical Insights

  1. Environment Isolation: Separate training and production environments prevent cross-contamination
  2. Automation Benefits: PowerShell scripts reduced manual errors and accelerated deployment
  3. Attribute Mapping: Careful SAML attribute configuration prevents authentication issues

Project Management Insights

  1. Stakeholder Communication: Early engagement prevents delays and ensures alignment
  2. Risk Mitigation: Starting with low-impact sites builds confidence and refines processes
  3. Documentation: Comprehensive documentation facilitates knowledge transfer and troubleshooting

Results and Impact

Quantitative Results

  • 4 recreation center sites successfully integrated with SSO
  • 8 environments (4 production + 4 training) deployed
  • 100% user authentication success rate in production
  • 50% reduction in login-related support tickets

Qualitative Benefits

  • Enhanced security posture with centralized authentication
  • Improved user experience with seamless login
  • Simplified user management through automated provisioning
  • Compliance with organizational security standards

Future Enhancements

Planned Improvements

  1. Multi-Factor Authentication (MFA): Implement conditional access policies
  2. Just-In-Time Access: Dynamic privilege escalation for administrative tasks
  3. Advanced Monitoring: Real-time security analytics and threat detection
  4. Mobile Optimization: Enhanced mobile authentication experience

Scalability Considerations

  • Architecture supports additional site integrations
  • Automated processes enable rapid deployment
  • Flexible attribute mapping accommodates diverse applications

Conclusion

This successful SSO implementation demonstrates the value of comprehensive planning, stakeholder collaboration, and technical excellence in enterprise security projects. The solution provides a secure, scalable foundation for authentication across multiple recreation center platforms while maintaining compliance with organizational security standards.

The project showcases expertise in Microsoft Entra ID, SAML integration, PowerShell automation, and enterprise change management—skills valuable for any organization seeking to modernize their authentication infrastructure.

Connect and Learn More

Interested in discussing enterprise SSO implementations or have questions about this project? Let's connect on LinkedIn to share insights and experiences in identity and access management.

EnterpriseSSO #MicrosoftEntra #SAML #IdentityManagement #PowerShell #Cybersecurity

  • 4 min read

Zero Trust Is Not a Product

Most organizations talk about Zero Trust as a tool.
That’s the first mistake.

What Zero Trust Actually Means

Zero Trust is a design principle, not a SKU. It reframes security from "trust by location or network" to "verify every request, continuously." The goal is to minimize blast radius, reduce implicit trust, and make security decisions based on context and risk rather than binary network boundaries.

Common misconception

  • ❌ Buy a firewall
  • ❌ Deploy ZTNA
  • ❌ Call it Zero Trust

Reality

  • Identity is the new perimeter
  • Authorization is continuous
  • Assume breach

Core Principles

  • Least privilege: grant the minimum access needed for the minimum time. Apply to users, services, and workloads.
  • Continuous verification: authenticate and authorize per request, re-evaluate on change (device state, location, session risk).
  • Micro-segmentation: break networks and workloads into smaller trust zones to constrain lateral movement.
  • Strong identity and telemetry: rely on identity (human or machine), device posture, behavior analytics, and real-time signals.
  • Default deny: deny first, allow with explicit, context-aware policy.

Practical Architecture Patterns

  1. Identity-first access
  2. Use a central identity provider (IdP) for SSO and strong auth (MFA, phishing-resistant methods).

  3. Treat machine identities (service accounts, workloads, k8s service accounts) with the same rigor as human identities.

  4. Policy as code

  5. Express access decisions in code (e.g., OPA/Rego, authorization middleware) so policies are reviewable, testable, and auditable.

  6. Keep policies close to the resources they govern.

  7. Short-lived credentials and automated rotation

  8. Replace long-lived secrets with ephemeral tokens, certificate rotation, workload identity, or short TTL credentials.

  9. Network and workload segmentation

  10. Apply segmentation using enforced policies at the workload or service mesh layer rather than relying solely on perimeter devices.

  11. Telemetry and detection

  12. Centralize logs, metrics, and traces. Use telemetry to detect anomalies and trigger policy re-evaluation or automated containment.

Implementation Roadmap (practical steps)

  1. Inventory & classification

  2. List users, services, data stores, and their current access patterns. Classify data by sensitivity.

  3. Identity consolidation

  4. Consolidate identity sources; adopt MFA and device posture checks. Enforce unique identities and avoid shared accounts.

  5. Pilot: high-value micro-segmentation

  6. Start with a single application or environment. Implement least privilege, short-lived creds, and continuous authorization.

  7. Policy automation

  8. Move ACLs into policy-as-code and CI pipelines. Automate testing and canary rollout of policy changes.

  9. Expand and harden

  10. Roll out to additional apps, add behavioral detection, refine policies with feedback loops.

  11. Measure and iterate

  12. Use key metrics (see below) to validate the program and address gaps.

Example: Access Decision Flow

  1. Request arrives (user or service).
  2. Authenticate identity with IdP (MFA + device posture).
  3. Gather contextual signals (time, location, device health, behavior baseline).
  4. Evaluate policy (policy engine + resource rules).
  5. Issue short-lived allowance or deny; log decision and telemetry.
  6. Continuously monitor session; revoke if risk increases.

Checklist for Teams

  • [ ] Unique identities for humans and services
  • [ ] MFA and device posture checks enabled
  • [ ] Policies expressed as code and in CI
  • [ ] Short-lived credentials in use
  • [ ] Micro-segmentation applied to critical workloads
  • [ ] Centralized telemetry and retention policy
  • [ ] Automated response playbooks for compromise
  • [ ] Regular access reviews and audit logs

Metrics to Track

  • Mean time to detect (MTTD) anomalous access
  • Mean time to revoke (MTTR) compromised sessions/keys
  • Percentage of access controlled by policy-as-code
  • Number of resources using short-lived credentials
  • Reduction in blast radius measured by lateral movement attempts blocked

Common Pitfalls

  • Treating Zero Trust as a single product or bolt-on service.
  • Ignoring service-to-service (machine) identity and focusing only on humans.
  • Overloading policies without telemetry—policy decisions must be observable and testable.
  • Skipping phased rollouts: disruptive, high-risk changes without pilots lead to outages and pushback.

Short Example Policy (pseudo)

  • Allow read access to payroll service only if:
  • identity in payroll-admin group
  • device compliant AND
  • request originates from approved application instance
  • session token age < 15 minutes

Security architecture

The diagram below illustrates core Zero Trust components and the continuous verification flow.

graph TB
  User["User / Identity"] -->|"Authenticate (MFA)"| IdP[Identity Provider]
  Device[Device Posture] -->|Attest| IdP
  IdP -->|"Issue short-lived token/cert"| Token[Ephemeral Credential]
  User -->|Request| Gateway["ZTNA / Network Gateway"]
  Gateway -->|Forward with context| PolicyEngine["Policy Engine (OPA, AuthZ)"]
  Token -->|Presented| PolicyEngine
  PolicyEngine -->|"Allow / Deny / Step-up"| App["Application / Service"]
  App -->|"Sidecar / Mesh"| ServiceMesh[Service Mesh]
  ServiceMesh -->|Enforce micro-segmentation| PolicyEngine
  App --> Telemetry["Logs / Metrics / Traces (SIEM)"]
  Telemetry -->|Feed signals| PolicyEngine
  Telemetry -->|Trigger| Response["Automated Response / Orchestration"]
  Response -->|"Revoke / Quarantine"| Token
  Response -->|Isolate| ServiceMesh

  classDef infra fill:#f3f4f6,stroke:#333,stroke-width:1px;
  class IdP,PolicyEngine,ServiceMesh,Telemetry,Response,Gateway infra;

Conclusion

Zero Trust is an organizational change: people, processes, and architecture must align. The technical components (IdP, ZTNA, service mesh, CASBs, etc.) are enablers, not a substitute for design. Success comes from measurable, iterative improvements: start with identity, codify policy, instrument everything, and assume you'll need to respond rapidly when breaches occur.

Further reading & references

  • Recommend reading materials and standards: NIST SP 800-207, vendor-neutral blogs on identity and policy-as-code, research on micro-segmentation best practices and telemetry-driven response.