Child pages
  • Oregon State University Grouper Project Page
Skip to end of metadata
Go to start of metadata

Oregon State University deployed Grouper v2.2.1 to production in Spring 2015 and upgraded to v2.3.0 in Winter 2017.

See slides from the IAM Online of June 2015, pages 3-9


  • Loader & PSP

    • Reference groups populated from multiple source databases

    • Groups provisioned to LDAP/AD for SP authz

    • Examples: pac-12 and xfinity streaming, student athlete printing, office365

  • ChangeLogConsumer

    • Provision, activate, de-activate external service accounts when user’s status changes at the university.  (See External Service Accounts below.)

    • Group and membership provisioning to external services (See Service Groups below.)

  • Hook
    • GroupName validation for configured stem (See Service Groups below.)

  • Web Services

    • Integrated into several processes (change username, update display name, update email alias) so that external accounts are consistent with the data source.

    • Integrated into user account deletion process to delete all immediate memberships to make sure all ad-hoc memberships are also cleaned up. 

    • Used by other IT units to populate groups, create lists from groups, etc.

Possible Future Plans

  • Deprovisioning (aging out services and sending out notifications)
  • Release permission groups to AWS management console via SAML entitlements (Shibboleth)

  • Course groups to Canvas, AD/LDAP, Google (Loader/Messaging)

  • Google Apps Grouper Provisioner

  • Rules (notify certGroup admin when user is removed from employee’s group)


External Service Accounts

Service Groups

(Planned deployment Spring/Summer 2017)

Service Groups is a stem in Grouper that houses groups and memberships intended for external services such as Box.  It's further sub-divided by IT service organization where the Grouper group management is delegated.

  • Components
    • UI - Slightly modified Unicon's provisioning target UI to add support for group provisioning with additional attributes.
    • Hook
      • GroupNameValidationHook
      • Configurable:
        • uniqueness
        • case sensitivity
        • reserved names
        • name and displayExtension length
        • parentStem where validation should be done. (Can configure multiple stems with their own set of config.)
    • Consumer
      • Provision/deprovision groups and their memberships to/from external services, eligibility-check can also be included.
      • Update attributes on external service groups, if configured.
  • Supports
    • Box
      • Group name uniqueness is ensured by the hook
      • Group name, description, invitability, visibility and membership are all managed through Grouper.
      • Box group ID is saved as an attribute on Grouper group.
      • Grouper group uuid is saved in Box group.
    • Support for other external services can be added by updating config files, attributes, and the consumer.