SURFnet is looking for a Grouper -> SCIM implementation.


  • Grouper to emit SCIM (speaks to an endpoint which intermediates to a commercial provider)
  • attribute / group release configurable by endpoint
  • preferably in a Shibboleth-compatible way
  • standard way to provision groups out
  • need to support OAuth

Ultimately they are doing Grouper -> Apache Syncope.

Would like us to provide a rich SCIM implementation and let implementers handle specific issues arising from it. The SCIM implementation should handle both PUSH and PULL.

SCIM ops coming out of Grouper:

  • add group
  • remove group
  • add member
  • remove member
  • add / remove membership role (admin/user)

Want configurable incremental as well as bulk sync.

If the SCIM endpoint is not available, then do a periodic retry. AuthN will be by Basic Auth, IP-based Auth, though nobody would complain if we supported OAuth.

Would like to configure provisioning such that not all groups go to all SPs. Rather, they would say this group X goes to SP Y and the SCIM provisioner would be smart enough to handle that and know not to put group X in SPs (A,B,C).

They only want 1 stem pushed out via SCIM (other stems ignored).
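A sketch of the per-SP release and single-stem rules described above, as an added example that is not Grouper or SURFnet code. It assumes SCIM 2.0 PatchOp bodies (RFC 7644); the stem, group names, SP ids, member ids and function names are constructed for illustration.

```python
import json

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"  # RFC 7644

# Constructed configuration (assumption): one provisioned stem, per-SP release.
PROVISIONED_STEM = "surfnet:teams"
RELEASE = {
    "surfnet:teams:physics": ["sp-y"],
    "surfnet:teams:library": ["sp-a", "sp-b"],
}

def targets_for(group_name):
    """SPs a group is released to. Anything not listed goes nowhere."""
    # Match on "stem:" so a sibling like "surfnet:teams-old:x" is not included.
    if not group_name.startswith(PROVISIONED_STEM + ":"):
        return []
    return list(RELEASE.get(group_name, []))

def member_patch(action, member_id):
    """SCIM 2.0 PatchOp body for adding or removing one group member."""
    if action == "add":
        op = {"op": "add", "path": "members", "value": [{"value": member_id}]}
    elif action == "remove":
        # Escape the id so it cannot alter the filter in the path.
        safe = member_id.replace("\\", "\\\\").replace('"', '\\"')
        op = {"op": "remove", "path": f'members[value eq "{safe}"]'}
    else:
        raise ValueError(f"unsupported action: {action}")
    return {"schemas": [PATCH_SCHEMA], "Operations": [op]}

def plan(event):
    """Map one membership change to (sp, JSON body) pairs, one per target SP."""
    body = json.dumps(member_patch(event["action"], event["member"]))
    return [(sp, body) for sp in targets_for(event["group"])]

if __name__ == "__main__":
    # Constructed change events.
    events = [
        {"group": "surfnet:teams:physics", "action": "add", "member": "u-1001"},
        {"group": "surfnet:teams:library", "action": "remove", "member": "u-1002"},
        {"group": "surfnet:admin:ops", "action": "add", "member": "u-1003"},
    ]
    for ev in events:
        print(ev["group"], "->", plan(ev))
```

Release is default-deny: a group inside the stem that has no entry in the release map is sent to no SP.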

Currently using Grouper version 1.6.3 – SURFnet does NOT need this to work with 1.6.x branch and can live with it working only with current.

Normal group name coming out of Grouper-SCIM

  • though would be good to have an ability to send a custom name re-mapping managed somehow.