Deployment details

Grouper 2.1.3 was successfully deployed at University of Montreal in December 2012. Development and deployment are still active to include new features and keep up with Grouper versions.

Grouper uses Active Directory as its subject source as well as a target for groups. It was deployed in high availability on Linux virtual server using load balancers in front of the web and application layer. Greyed components are deployed in active-passive mode so they are easily started if a server fails. Custom processes were developed in Java and use the Grouper API to "connect" Grouper to external data sources (e.g. "AcadLoader", see the Academic groups section).

Current applications

Academic groups

This custom process (labeled "AcadLoader" in the deployment) is a Java-based external job that queries an external database and uses the Grouper API to create course and program groups based on academic enrollment. We decided to use a custom process because the standard loaders available in Grouper were limited in their data processing and we needed to do extensive transformations to match the requirements.

Groups are created in their own "acad" branch and are synced to Active Directory using the PSP (real-time and bulk).

Here is how the data flows:

In development

Integration with Exchange for distribution list groups

Following the academic groups deployment, we need to integrate them in Exchange to create automated distribution lists.

Future applications

Integration with Oracle Identity Manager (OIM)

OIM is currently being deployed. Instead of managing groups in OIM (which does a poor job at this), Grouper would be used to allow delegation of group creation and membership management to multiple faculties and to provision different targets. Use cases where users will use Grouper are still being designed. Reconciliation of group membership in OIM might be done, but it's still under discussion.

Integration with Linux machines

Grouper would provision groups and membership to an LDAP directory (OID - Oracle Internet Directory). Permissions and authentication should be based on this information.