Oregon State University deployed Grouper v2.2.1 to production in Spring 2015 and upgraded to v2.3.0 in Winter 2017.

See slides from the IAM Online of June 2015, pages 3-9.


  • Loader & PSP

    • Reference groups populated from multiple source databases

    • Groups provisioned to LDAP/AD for SP authz

    • Examples: Pac-12 and Xfinity streaming, student athlete printing, Office 365

  • ChangeLogConsumer

    • Provision, activate, de-activate external service accounts when user’s status changes at the university. (See External Service Accounts below.)

    • Group and membership provisioning to external services (See Service Groups below.)

  • Hook
    • GroupName validation for configured stem (See Service Groups below.)

  • Web Services

    • Integrated into several processes (change username, update display name, update email alias) so that external accounts are consistent with the data source.

    • Integrated into the user account deletion process to delete all immediate memberships, so that ad-hoc memberships are also cleaned up.

    • Used by other IT units to populate groups, create lists from groups, etc.

Possible Future Plans

  • Deprovisioning (aging out services and sending out notifications)
  • Release permission groups to AWS management console via SAML entitlements (Shibboleth)

  • Course groups to Canvas, AD/LDAP, Google (Loader/Messaging)

  • Google Apps Grouper Provisioner

  • Rules (notify certGroup admin when user is removed from employee’s group)


External Service Accounts

Service Groups

(Planned deployment Spring/Summer 2017)

Service Groups is a stem in Grouper that houses groups and memberships intended for external services such as Box. The stem is further subdivided by IT service organization, and management of the Grouper groups is delegated to each organization.

  • Components
    • UI - Slightly modified Unicon's provisioning target UI to add support for group provisioning with additional attributes.
    • Hook
      • GroupNameValidationHook
      • Configurable:
        • uniqueness
        • case sensitivity
        • reserved names
        • name and displayExtension length
        • parentStem where validation should be done. (Can configure multiple stems with their own set of config.)
    • Consumer
      • Provision/deprovision groups and their memberships to/from external services; an eligibility check can also be included.
      • Update attributes on external service groups, if configured.
  • Supports
    • Box
      • Group name uniqueness is ensured by the hook
      • Group name, description, invitability, visibility and membership are all managed through Grouper.
      • Box group ID is saved as an attribute on Grouper group.
      • Grouper group uuid is saved in Box group.
    • Support for other external services can be added by updating config files, attributes, and the consumer.
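
A stand-alone Python model of the checks a group-name validation hook with the options listed under Components would run before a group is created. This is an added example, not OSU's GroupNameValidationHook code. The `StemRule` fields, the sample stem `services:box`, the case-folded comparison, and uniqueness being enforced across the whole configured stem are assumptions.

```python
from dataclasses import dataclass

@dataclass
class StemRule:
    """Validation settings for one parent stem (field names are hypothetical)."""
    parent_stem: str
    unique: bool = True
    case_sensitive: bool = False
    reserved: frozenset = frozenset()
    max_name_len: int = 50
    max_display_len: int = 80

def rule_for(group_name, rules):
    """Pick the most specific configured stem containing the group, or None."""
    hits = [r for r in rules if group_name.startswith(r.parent_stem + ":")]
    return max(hits, key=lambda r: len(r.parent_stem), default=None)

def validate(group_name, display_ext, existing, rules):
    """Return a list of veto reasons; an empty list means the name is accepted."""
    rule = rule_for(group_name, rules)
    if rule is None:
        return []  # outside every configured stem: no validation applies
    ext = group_name.rsplit(":", 1)[1]
    # Assumption: with case sensitivity off, names differing only by case collide.
    fold = (lambda s: s) if rule.case_sensitive else str.casefold
    errors = []
    if not ext or len(ext) > rule.max_name_len:
        errors.append("name length")
    if len(display_ext) > rule.max_display_len:
        errors.append("displayExtension length")
    if fold(ext) in {fold(r) for r in rule.reserved}:
        errors.append("reserved name")
    # Assumption: uniqueness spans the whole configured stem, not only the
    # group's own sub-folder, so two delegated units cannot pick the same name.
    if rule.unique:
        taken = {fold(n.rsplit(":", 1)[1]) for n in existing
                 if n.startswith(rule.parent_stem + ":")}
        if fold(ext) in taken:
            errors.append("not unique")
    return errors

# Constructed sample configuration and existing groups.
RULES = [StemRule("services:box", reserved=frozenset({"admin", "everyone"}),
                  max_name_len=20)]
EXISTING = ["services:box:library:Finance-Team"]
```

Returning every veto reason at once, rather than stopping at the first, lets a delegated group administrator fix a rejected name in one pass.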