Notes from Grouper BOF at 2015 Global Summit, 4/30/2015
Tom Barton, University of Chicago, and Grouper Working Group Chair, welcomed the group
Topics of interest from the BOF attendees:
Getting Started
Federated Groups
Provisioning / Messaging
LDAP synchronization
Integrating Grouper w Duo Admin Console
evolution away from Tomcat 6 / Java 6 dependency
Getting Started with Grouper
U of Arkansas is looking at an increasing focus on IdM.
Access control is a big part; looking at Grouper, want to establish centralized roles
University of Maryland Baltimore County is looking at Grouper
currently they have many individual systems w access rights
Using centralized groups could add efficiency
Looking at TIER and want to be set with Grouper as a lead in to TIER
Started in pilot mode with VPN access control group
used the Adopter Sketches on the Grouper wiki to get started
the Grouper training videos are good
Would be helpful to have something more like a bootstrap guide or cookbook
How to organize my tree, set up organizational hierarchy, set up permissions, etc
Warren from U. Florida: it would be great if Grouper had some templates correlated with common use cases
Allow a campus to easily implement a small use case in order to be successful
how to do the 5-6 things
How to get stuff in and get stuff out of Grouper
Too much reinventing has to happen now
CMU would like to see
a UI to help in Grouper configuration
A UI for adding a subject source or turning a feature on and off
Notre Dame is looking at migrating to Grouper from an existing group management system
Need advice on how to migrate
Federated Groups
How can federated groups be useful?
Could the community suggest a common naming scheme that's useful to all institutions?
What are the use cases?
Example: Researchers at multiple universities need a group for a Virtual Organization (VO)
someone at each institution manages a group with a predefined name
using this group name will help ease the access process to the VO
ScottK from LIGO:
LIGO is not a good example for this approach, since LIGO controls its own groups
Use case could be between LIGO and other astronomy groups; union of LIGO scientists
this should be an international conversation
Albert: UCLA is provisioning PSP
does full transformation the way Shib attribute release does
Can slice and dice suitable for the target
UCLA will contribute this to the Grouper wiki to benefit the community
UCLA has a parallel use case with Net+ cloud services
TomB: a group membership can have an access control outcome embodied by a token, instead of being expressed as membership in a group
I can log in with a token
managing groups in a federated context has challenges
what does federated groups really address?
according to a business rule, you are eligible
It's a signal to the SP
that is the most common use case: Google and Amazon want an entitlement
other use case is you have the role
according to the context, such as Amazon Web Services
you have admin role for this security group
that's more of a direct assertion of yes you have access
Technically the same thing
separating out helps in terms of naming
Need for locally managed groups consisting of remote principals
this use case can be handled in Grouper via External Subjects
Tom: Attribute release can be an issue
sometimes you can't get to a service because the institution will not release EPPN
Don't want to overload the attribute release issue with the need to release what groups someone belongs to; look for other ways to deal with it
suggestion: have an attribute called “status”
Post-PSP Provisioning
Grouper tried the PSP provisioning approach using SPML, but found it had limitations
PSP will stay, but the Grouper project won't enhance it, limited maintenance
The Grouper provisioning approach moving forward will be message based
We will support incremental provisioning by reading events off the message queue
Grouper will support bulk reconciliation
hope sites can continue using their own messaging
Need to be able to provision to LDAP and AD out of the box
There will be a limited internal message substrate within Grouper to get provisioning messages to LDAP and AD
Q: Will there be listeners?
A: yes
UCLA is interested in bidirectional sync
Doing Shib integration with a medical center.
For connecting with independent orgs, like the med center, auditing on groups is helpful.
Mark your calendar:
June 10, 2015 at 2pm ET
IAM Online to focus on Grouper deployment stories