Child pages
  • Grouper 28-April-2015 BOF at Global Summit
Skip to end of metadata
Go to start of metadata

Notes from Grouper BOF at 2015 Global Summit, 4/30/2015


Tom Barton, University of Chicago, and Grouper Working Group Chair, welcomed the group

Topics of interest from the BOF attendees:

  • Getting Started

  • Federated Groups

  • Provisioning  / Messaging

  • LDAP synchronization

  • Integrating Grouper w Duo Admin Console

  • evolution away from Tomcat 6 / Java 6 dependency


Getting Started with Grouper

  • U of Arkansas is are looking at increasing focus on IdM.  

  • Access control is a big part; looking at Grouper, want to establish centralized roles

  • University of Maryland Baltimore County is looking at Grouper

  • currently they have many individual systems w access rights

  • Using centralized groups could add efficiency

  • Looking at TIER and want to be set with Grouper as a lead in to TIER


  • Warren from U. Florida: it would be great if Grouper had some templates correlated with common use cases

  • Allow a campus to easily implement a small use case to get successful

  • how to do the 5-6 things

  • How to get stuff in and get stuff out of Grouper

  • Too much reinventing has to happen now


  • CMU would like to see

    • a UI to help in Grouper configuration

    • A UI for adding a subject source or turning a feature on and off


  • Notre Dame is looking at migrating to Grouper from an existing group management system

  • Need advice on how to migrate



Federated Groups

  • How can federated groups be useful?

  • Could the community suggest a common naming scheme that's useful to all institutions?

  • What are the use cases?

  • Example: Researchers at multiple universities need a group for a Virtual Organization (VO)

    • someone at each institution manages a group with a predefined name

    • using this group name will help ease the access process to the VO


ScottK from LIGO:

  • LIGO not a good example for this approach, since LIGO controls our own groups

  • Use case could be between LIGO and other astronomy groups; union of LIGO scientists

  • this should be an international conversation


  • Albert: UCLA is provisioning PSP

  • does full transformation the way Shib attribute release does

  • Can slice and dice suitable for the target

  • UCLA will contribute this to the Grouper wiki to benefit the community

  • UCLA has a parallel use case with Net+ cloud services


  • TomB: a group membership can have an access control outcome embodied by a token, instead of being in group

  • I can log in with a token

  • managing groups in a federated context has challenges

  • what does federated groups really address?



  • other use case is you have the role

  • according to the context, such as Amazon web service

  • you have admin role for this security group

  • that's more of a direct assertion of yes you have access

  • Technically the same thing

  • separating out helps in terms of naming


  • Need for locally managed groups consisting of remote principles

  • this use case can be handled in Grouper via External Subjects


  • Tom: Attribute release can be an issue

  • sometimes you can't get to service because institution will not release EPPN

  • Don't want to overload the attribute release issue with need to release what groups someone belongs to; Look for other ways to deal with it

  • suggestion: have an attribute called “status”


Post PSP Provisioning

  • See description on the Grouper wiki

  • Grouper tried the PSP provisioning approach using SPML, but found it had limitations

  • PSP will stay, but the Grouper project won't enhance it, limited maintenance

  • The Grouper provisioning approach moving forward will be message based

  • We will support incremental provisioning by reading events off the message queue

  • Grouper will support bulk reconciliation
  • hope sites can continue using their own messaging

  • Need to be able to provision to LDAP and AD out of the box

  • There will be a limited internal message internal substrate within Grouper to get provisioning messages to LDAP and AD


Q: Will there be listeners?

A: yes


  • UCLA is interested in bidirectional sync

  • Doing Shib integration with a medical center.

  • for connecting w independent orgs, like the med center, auditing on Groups is helpful.

Mark your calendar:

June 10, 2015 at 2pm ET

IAM Online to focus on Grouper deployment stories



  • No labels