This is outdated; the provisioning framework Duo roles should be used instead.
This is a contribution from Ohio State in patch 2.4.0 API #73 (GRP-2313).
The goal of the additional work was to manage Duo Administrative Roles within an account. (REF: https://duo.com/docs/admin-roles)
By default the code should work the same as it did as of the commit https://github.com/Internet2/grouper/commit/184c7fc114d68363a2d6cc61700fa5348cfe04ef (v2.3 code base).
These additions do not alter the core of the existing design/features. Configure and turn on the new stuff if you want to use it.
It uses a single AttrDef with three AttrNames to fulfill these attributes (not required, but we did it this way):
The AttrDef should be assignable to "Group/Role/Local Entity" and Member (Type = "String"), single assign, single valued.

    grouperDuo.attributeForAdminId = etc:attribute:....:adminId
    grouperDuo.attributeForAdminRole = etc:attribute:...:adminRole
    grouperDuo.attributeForAdminNameSuffix = etc:attribute:...:adminUserNameSuffix
Configure
Changes to grouper-loader.properties:

    # If true, grouper will manage Duo administrators. Disabled by default.
    # Your Duo application keys will require permissions to manage administrators.
    grouperDuo.adminSyncEnabled = false

    # A comma separated set of Duo roles to be managed. By default it includes all roles.
    grouperDuo.manageableAdminRoles = Owner,Administrator,Application Manager,User Manager,Help Desk,Billing,Phishing Manager,Read-only

    # The default password to assign to created administrator accounts. Must meet Duo's administrator password policies.
    grouperDuo.defaultAdminPassword =

    # If true, administrator accounts that are not managed by Grouper will be disabled.
    grouperDuo.disableUnknownAdmins = false

    # If true, disabled administrator accounts that are not managed by Grouper will be deleted.
    # Only disabled administrator accounts will be deleted, so grouperDuo.disableUnknownAdmins should
    # be set to true.
    grouperDuo.deleteUnknownAdmins = false

    # If grouperDuo.deleteUnknownAdmins is true, it will wait this many seconds since the user's last login
    # before deleting the account. This is helpful when a user is switching roles, they do not have to
    # register their device again.
    grouperDuo.deleteUnknownAdminsAfterSeconds = 2592000

    # Comma separated list of email addresses to ignore when managing Administrators.
    grouerDuo.ignoreAdminEmails =
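Several of these settings depend on one another, so a file can be checked before the sync is switched on. The lint below is an added example, not part of the Grouper code base or the Ohio State contribution; the function names, the constructed sample file and the rule that an empty default password counts as a finding are assumptions made here.

```python
# Added example (not Grouper code): lint the admin-sync settings from this page.
# Handles plain "key = value" lines only, not full Java .properties syntax.
PAGE_ROLES = {"Owner", "Administrator", "Application Manager", "User Manager",
              "Help Desk", "Billing", "Phishing Manager", "Read-only"}

# Constructed sample containing four mistakes, for illustration only.
SAMPLE = """\
grouperDuo.adminSyncEnabled = true
grouperDuo.manageableAdminRoles = Owner,Help Desk,Helpdesk
grouperDuo.defaultAdminPassword =
grouperDuo.disableUnknownAdmins = false
grouperDuo.deleteUnknownAdmins = true
grouperDuo.deleteUnknownAdminsAfterSeconds = 30d
"""

def parse_properties(text):
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def is_true(props, key):
    return props.get(key, "false").lower() == "true"

def lint_admin_sync(props):
    findings = []  # list of (key, message); stays empty when admin sync is off
    if not is_true(props, "grouperDuo.adminSyncEnabled"):
        return findings
    # Per the page: only disabled accounts are deleted, so delete needs disable.
    if (is_true(props, "grouperDuo.deleteUnknownAdmins")
            and not is_true(props, "grouperDuo.disableUnknownAdmins")):
        findings.append(("grouperDuo.deleteUnknownAdmins",
                         "set disableUnknownAdmins = true as well"))
    roles = props.get("grouperDuo.manageableAdminRoles", "").split(",")
    unknown = [r.strip() for r in roles if r.strip() and r.strip() not in PAGE_ROLES]
    if unknown:
        findings.append(("grouperDuo.manageableAdminRoles",
                         "not in the page's role list: " + ", ".join(unknown)))
    seconds = props.get("grouperDuo.deleteUnknownAdminsAfterSeconds", "2592000")
    if not seconds.isdigit():
        findings.append(("grouperDuo.deleteUnknownAdminsAfterSeconds",
                         "expected whole seconds, got " + repr(seconds)))
    # Assumption: an empty password cannot meet Duo's admin password policy.
    if not props.get("grouperDuo.defaultAdminPassword"):
        findings.append(("grouperDuo.defaultAdminPassword", "empty"))
    return findings
```

Calling `lint_admin_sync(parse_properties(SAMPLE))` returns one finding per mistake in the sample, in the order the checks appear.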