Grouper 28-April-2015 BOF at Global Summit

Notes from Grouper BOF at 2015 Global Summit, 4/30/2015

Tom Barton, University of Chicago, and Grouper Working Group Chair, welcomed the group

Topics of interest from the BOF attendees:

• Getting Started

• Federated Groups

• Provisioning  / Messaging

• LDAP synchronization

• Integrating Grouper w Duo Admin Console

• evolution away from Tomcat 6 / Java 6 dependency

Getting Started with Grouper

• U of Arkansas is are looking at increasing focus on IdM.  

• Access control is a big part; looking at Grouper, want to establish centralized roles

• University of Maryland Baltimore County is looking at Grouper

• currently they have many individual systems w access rights

• Using centralized groups could add efficiency

• Looking at TIER and want to be set with Grouper as a lead in to TIER

• Lafayette College has a new Grouper deployment

• Started in pilot mode with VPN access control group

• used the the Adopter Sketches on the Grouper wiki to get started

• the Grouper training videos are good

• Would be helpful to have something more like a bootstrap guide or cookbook

• How to organize my tree, set up organizational hierarchy, set up permissions, etc

• Warren from U. Florida: it would be great if Grouper had some templates correlated with common use cases

• Allow a campus to easily implement a small use case to get successful

• how to do the 5-6 things

• How to get stuff in and get stuff out of Grouper

• Too much reinventing has to happen now

• CMU would like to see

  • a UI to help in Grouper configuration

  • A UI for adding a subject source or turning a feature on and off

• Notre Dame is looking at migrating to Grouper from an existing group management system

• Need advice on how to migrate

Federated Groups

• How can federated groups be useful?

• Could the community suggest a common naming scheme that's useful to all institutions?

• What are the use cases?

• Example: Researchers at multiple universities need a group for a Virtual Organization (VO)

  • someone at each institution manages a group with a predefined name

  • using this group name will help ease the access process to the VO
    

ScottK from LIGO:

• LIGO not a good example for this approach, since LIGO controls our own groups

• Use case could be between LIGO and other astronomy groups; union of LIGO scientists

• this should be an international conversation

• Albert: UCLA is provisioning PSP

• does full transformation the way Shib attribute release does

• Can slice and dice suitable for the target

• UCLA will contribute this to the Grouper wiki to benefit the community

• UCLA has a parallel use case with Net+ cloud services

• TomB: a group membership can have an access control outcome embodied by a token, instead of being in group

• I can log in with a token

• managing groups in a federated context has challenges

• what does federated groups really address?

• UCLA suggests two Grouper uses around entitlement

• according a business rule you are eligible

• It's a signal to the SP

• that is the most common use case: Google and Amazon want entitlement

• other use case is you have the role

• according to the context, such as Amazon web service

• you have admin role for this security group

• that's more of a direct assertion of yes you have access

• Technically the same thing

• separating out helps in terms of naming

• Need for locally managed groups consisting of remote principles

• this use case can be handled in Grouper via External Subjects

• Tom: Attribute release can be an issue

• sometimes you can't get to service because institution will not release EPPN

• Don't want to overload the attribute release issue with need to release what groups someone belongs to; Look for other ways to deal with it

• suggestion: have an attribute called “status”

Post PSP Provisioning

• See description on the Grouper wiki

• Grouper tried the PSP provisioning approach using SPML, but found it had limitations

• PSP will stay, but the Grouper project won't enhance it, limited maintenance

• The Grouper provisioning approach moving forward will be message based

• We will support incremental provisioning by reading events off the message queue

• Grouper will support bulk reconciliation
  

• hope sites can continue using their own messaging

• Need to be able to provision to LDAP and AD out of the box

• There will be a limited internal message internal substrate within Grouper to get provisioning messages to LDAP and AD

Q: Will there be listeners?

A: yes

• UCLA is interested in bidirectional sync

• Doing Shib integration with a medical center.

• for connecting w independent orgs, like the med center, auditing on Groups is helpful.

Mark your calendar:

June 10, 2015 at 2pm ET

IAM Online to focus on Grouper deployment stories