Grouper Provisioning Plugin

The Grouper Provisioning Plugin provisions groups and memberships in groups to an Internet2 Grouper instance using the Grouper web services interface.

Operations

Registry CO Person Transaction

Grouper Action

Add

None

Edit

Synchronize CO Person CO Group memberships with Grouper

Enter Grace Period

None

Expiration / Becomes Inactive

Synchronize CO Person CO Group memberships with Grouper

Unexpire / Becomes Active

Synchronize CO Person CO Group memberships with Grouper

Delete

De-provision CO Person CO Group memberships from Grouper

Manual Provision

Synchronize CO Person CO Group memberships with Grouper

Petition Provision

Provision CO Person CO Group memberships to Grouper

Pipeline Provision

Provision CO Person CO Group memberships to Grouper

Registry CO Group Transaction

Grouper Action

Add

Provision CO Group record (including memberships) to Grouper

Edit

Provision CO Group record (including memberships) to Grouper

Delete

Delete CO Group record (and memberships) from Grouper

Manual Provision

Provision CO Group record (including memberships) to Grouper

Provisioning of groups from Registry into Grouper is per CO with all groups for a CO provisioned under a single (configurable) stem or folder in Grouper. All groups in Registry, with the exception of the 'admin' and 'members' groups for COUs, are provisioned directly under the configured stem or folder for the CO. The 'admin' and 'members' groups for COUs are provisioned into a stem or folder hierarchy that mirrors the COU parent-child relationship (if any) in Registry.


If you plan for users to access the Grouper UI and for that access to be managed using COmanage Registry, we recommend you create a CO unique identifier and use it as the expected identifier that the Grouper UI will see and map to subjects (Grouper users).

A change in the COU hierarchy in Registry, such as changing a parent-child COU relationship or deleting a COU parent, will not be reflected in Grouper. At this time the Grouper web services component does not support moving stems or folders. A request to the Grouper team to implement such a feature for the web services component has been made (CO-1043). We do not recommend changing the COU parent-child relationships once established when using the Grouper Provisioner. Renaming COUs and deleting COUs (with no children or roles) is supported.

Grouper Configuration

CO Group names become both the Path and ID Path for groups in Grouper, and COU names become both the Path and ID Path for stems (folders) in Grouper. In Registry both CO Group names and COU names may contain spaces and other non-alphanumeric characters.

Using CO Group names and COU names with characters outside of the set a-zA-Z0-9 is not recommended, since by default Grouper version 4.x and higher restricts ID Paths to alphanumerics, underscore ( _ ), and dash ( - ).

If you wish to use CO Group names and COU names with spaces or other non-alphanumerics you will need to configure Grouper to accept a wider set of characters for group and stem ID Paths. See the properties

  • group.validateExtensionByDefault
  • stem.validateExtensionByDefault

in the grouper.properties configuration (Miscellaneous > Configure > Configuration files > grouper.properties).

This Grouper Jira issue may also be helpful.
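A pre-flight check for the naming restriction described above, as an added example that is not part of the plugin or of Grouper: it lists the CO Group and COU names a validation pattern would reject and, because COU stems mirror the parent-child hierarchy, which COUs sit under a rejected stem name. The function names, the sample data, and both regular expressions are assumptions; the default pattern only mirrors the character set stated on this page, and each name is treated as a single Grouper extension.

```python
import re

# Assumption: mirrors the default set this page describes (alphanumerics,
# underscore, dash). The authoritative value is in grouper.properties.
DEFAULT_PATTERN = r"^[a-zA-Z0-9_-]+$"

def stem_chain(cou, parents):
    """COU names from the top-level COU down to `cou` (one stem per name)."""
    chain, seen = [], set()
    while cou is not None:
        if cou in seen:
            raise ValueError(f"cycle in COU hierarchy at {cou!r}")
        seen.add(cou)
        chain.append(cou)
        cou = parents.get(cou)
    return chain[::-1]

def preflight(group_names, cou_parents, pattern=DEFAULT_PATTERN):
    """Report names the given validation pattern would reject.

    Returns {"groups": {name: bad_chars}, "cous": {name: bad_chars},
             "affected_cous": [COUs whose stem chain contains a rejected name]}.
    """
    rx = re.compile(pattern)

    def bad_chars(name):
        # Per-character test; meaningful for character-class patterns
        # such as the default above.
        return sorted({c for c in name if not rx.fullmatch(c)})

    groups = {g: bad_chars(g) for g in group_names if not rx.fullmatch(g)}
    cous = {c: bad_chars(c) for c in cou_parents if not rx.fullmatch(c)}
    affected = sorted(c for c in cou_parents
                      if any(s in cous for s in stem_chain(c, cou_parents)))
    return {"groups": groups, "cous": cous, "affected_cous": affected}

# Constructed sample data (not from a real deployment): COU name -> parent COU.
SAMPLE_GROUPS = ["physics-faculty", "Lab Managers", "grants_2024", "R&D"]
SAMPLE_COUS = {"Research": None, "Life Sciences": "Research",
               "Genomics": "Life Sciences"}
# Hypothetical widened pattern that additionally permits a space.
WIDENED_PATTERN = r"^[a-zA-Z0-9_ -]+$"

if __name__ == "__main__":
    for label, pat in [("default", DEFAULT_PATTERN), ("widened", WIDENED_PATTERN)]:
        print(label, preflight(SAMPLE_GROUPS, SAMPLE_COUS, pat))
```

Running it against the real list of names before widening either property shows the smallest character set that actually needs to be allowed.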

COmanage Registry Configuration

We recommend that before configuring a Grouper Provisioner for a CO you have already enrolled or onboarded at least one user to create a CO Person record with an active status.


  1. Test the Grouper WS.
  2. Configure the Grouper Provisioner Plugin.
  3. Configure Grouper subject source.
  4. Initial Reconciliation and Testing.
  5. Configure SSO access to the Grouper UI for users.
  6. Configure Grouper Provisioning Framework to provision to LDAP.