Grouper Working Group Notes of September 15, 2021

Attending

Chris Hyzer, Penn, Chair
Chad Redman, University of North Carolina Chapel Hill
Vivek Sachdiva, independent
Shilen Patel, Duke
Emily Eisbruch, Internet2

Discussion

Internet2 Intellectual Property Policy
Approve minutes
Review AIs Grouper Project Action Items (Google Doc)
Agenda bash

Next Grouper release

Plan to release Grouper 2.5 and 2.6 today.

Comments:

Chris: Issue in slack , someone was grouper system, then could not find attribute definition.
Chad: There was an issue where someone did not have attributes created as they need to be
Liam needs example flat group attribute w DN override. Chris will work on that, will look for another script

Chris having Chrome 93 issues
Arizona issue
Over 100 headers
Will use Max 200 headers
Put this fix in container for Grouper 2.5 and 2.6
In next few weeks do Grouper 2.6.1 and include more items the community is asking for

Entitlement prefixes

In provisioning there are validations, Such as: Is this attribute value valid?
not using these validations yet
If Grouper side translate is not valid, then object not provisioned
Should have validation of target values

If target value does not match, do not try to insert
If membership attribute value not valid, treat it like it does not exist

PSPNG has something similar
Shilen: this approach makes sense for entitlement use case
Chris:
Suggests check box says Grouper validation should apply to Grouper and Target
Don’t want to make screen too complex
Want to be flexible
Use two text fields
Question:

you mark a group as provisionable for entitlement but value provisioning is not good, so you reject it?

Response:

For example, Box has required attribute on a group
When Grouper translates it’s not there, so you get an error
Put validations based on the target values
Then don't sync
For entitlements, if you don’t have this prefix,
Grouper will not track or add, update or delete it

This feature says if the value looks like this, then Grouper should delete it
If you don’t have existing values, you don’t need this.
But if you used PSPNG in the past, you may need this
It’s for when Grouper is authoritative for things that match a certain pattern
Need to iron out - flag for error handling
There is an error code in sync object database table: success, exception, required field missing
Need a UI to show success state and break out exceptions and validation problems
GRP-3603
add provisioning target attribute value validation (e.g. for eduPersonEntitlement)

Vivek - JWT RSA authentication

Adding JWT RSA authentication to web service from trusted authorities. See wiki here
There are two or more use cases for JWT

JWTs for a single user to claim they are themselves, and use for authentication purposed (more complicated).
This is not the use case we are addressing, and
Trusted authorities create JWTs for arbitrary users, they register public key with Grouper and upload it

People want to call Grouper web service, they have their own web app.
JWT will send authentication header to Grouper web service.
Grouper must confirm it’s a valid JWT, using the public key
User must match a subject Grouper is aware of
Subject known to Grouper

Public authority registers their public key with Grouper
They upload it
They sent the JWT into 3rd party ( such as a gateway)
Allows logging into Grouper

Grouper validates it is signed properly
This is RSA, Public / Private Key
Register a public key with Grouper,
Whoever has the other side of the private key can sign JWTs and that will be trusted

Grouper checks the expiration date at 2 levels

Expire date
Issued at time

Duke has OAUTH system that creates JWTs
Are there other JWT claims that could be validated here?
Could add validation on any claim
Suggestion to Improve documentation to say what -1

means “never expire”, or be limited only by JWT expiration

Zerio means do not re-use
Will Grouper cache the JWTs?
Never be reused?
It does cache some things but it will look to see if expired
If JWT system has expiration date for 3 years
Set to zero meaning don’t reuse any JWTs
What happens if I send a second time
Chris and Vivek - look at JWT expiration date issue around caching
JIRA 3617 https://todos.internet2.edu/projects/GRP/issues/GRP-3617?filter=allissues

Vivek will set up unit tests for the JWT work
Can use with normal web service authentication
If it finds a JWT then it will handle that
For Subject source ID , have a list of valid subject sources
Like provisioner, UI with check boxes
Want a multi select
Subject ID type should be required
Is public key as submitted encrypted in database?
No
Value type is password
Decision: No need to protect a public side of a public/private key
Should public key registration be separate from config for the JWT so can reuse the same certif authority in multiple configuration sets?
Chad: Just use multiple copies, don’t want another table with keys, too complex
Chris: We have concept of external system
Leave as is for now, Chad agrees
Implemented in config and web service in Grouper 2.6
For 2.61 in the UI to configure
Will Grouper issue private keys for subjects? (other use case)

There are users at tOSU who have asked for this
Prioritize PKI authentication for web service
Service account built into Grouper
There will be a concept of expiration

For adding a new key, minimum is 1

Chris: OIDC Authentication to Grouper Web Service

Working on OIDC authentication to Grouper Web Service
See wiki
Similar to JWTs
In v2.6.0+ we will add OIDC authn to WS.

Extracts the code from the authorization
Will call token endpoint with POST and user/pass basic authn to retrieve the access token based on the code
Will call the userinfo endpoint to get the user attributes from the access token (no authn)
Resolve the subject from the configured userinfo claim

Config only is available now, will make UI screens
OIDC is usable for user interactions
Matt: Shibboleth could send OIDC message to Grouper instead of a SAML message
Grouper could decode OIDC code
Could do a redirect
Support on web services side and also UI side
Could use that on the front end as well , if application is not protected w Shib

If deploying to AWS, perhaps use OIDC instead of SAML
Redirect back to Grouper UI or login URI
Grouper is doing some authentication
External IDP concept
Grouper could issue the OIDC credentials somehow
Grouper not handling OIDC code but handling remote user
API method to handle OIDC code...
There is a Unicon authentication project related to this
PAC4J https://github.com/pac4j/pac4j
SAML authentication as an add-on to Grouper
Don’t need Shib SP
Could modify it to do OIDC as well as SAML
Then don’t need so much logic inside Grouper
Put it in the authentication library
Shilen:
Good to see direct OIDC integration
But PAC4J could handle this perhaps
Chris PAC4J may have container configuration
With this Grouper has our own UI and config, everything is consistent
We are not supporting a zillion SAML flows
Shilen, if can configure UI to handle OIDC then this is ideal
Matt: from user perspective, agree
But this could be more complex than we hope
Chris: example at Penn, with Shib OIDC implementation, takes token endpoint, does a post w username and password and gets the result. Then you use that to get info.
UI is assuming you are doing remote user
Something else in front won’t let something pass in for Grouper to handle
Web Service uses customized authentication implementation interface, can intercept
Can’t flip the order
Chris: value of external authentication: no network gets to Grouper without passing thru Shib SP
Shilen: What is passed in basic auth request?
Chris: For JWT: token authorization header, don’t want to cycle thru everything, config ID, JWT,
Grouper looks up public keys
For OIDC: similar except registration has one URL or multiple
If only one, configure this for OIDC configuration
Then caller does not need to worry about redirect
Can have multiple return to URL
Then when you send code and get token you need the URL
The call tells Grouper which URL they went back to
Can you pass in an OIDC access token?
Chris asked JJ that..
Can do it
Access token can be swapped for user info
Not a good place to start
What was original use case for this work with the OIDC code?
JJ has a project for a client
Not sure if access tokens or code
We implemented code
There could be use case for access tokens for web service authentication
In Config, allow access tokens True/False
Instead of user info endpoint,
OIDC has introspection endpoint
Not sure what the Shib IDP does
Some implementations prefer introspection endpoint over user info
Depending on how access tokens are generated and who owns it
It might be a different OIDC client that owns it
AI Chris will look at the introspection endpoint for OIDC Connect
Note: User would have to know config ID while generating header for client side

Chris has also been working on JIRAs

Shilen:

Fixed some tests
Will slack with Chris about provisioning work
Done with load testing,

Plan for provisioning

Over next 3-6 months we need to find production provisioners and migrate them
There may be about 12: Azure, LDAP Duo, Box, etc

Chad:

Working on upcoming Grouper training September 28 – October 1
created JIRAs
https://todos.internet2.edu/browse/GRP-3608
Audit table is so large, ability to use more actions menu would be helpful
There is only a time filter, can’t filter on action types

Replace members

GRP-3597
Group.replaceMembers tries to delete effective memberships, throws error

Export issue

There was discussion on slack around XML export
Should we deprecate that older approach?
Chad there is value if you want copy of database

Jira Management

Is there a standard process before releasing 2.6, do we do something with 2.5 JIRAs?
Review and say we are not going fix?
There may be 10 year old JIRAS that should be killed?
Engage the community and ask people to vote?

Issue Roundup

Jiras in past two weeks

Grouper User list Emails in past two weeks

none

Grouper wiki updates in past two weeks

Next Grouper Call: Wed Sept. 29, 2021

Page tree

15-Sept-2021

Grouper Working Group Notes of September 15, 2021

Discussion

Issue Roundup