Grouper Proof-of-Concept (within University Information Technology)

Presentation at Open Apereo 2014 Conference

Scope and Plan

University of Utah is currently (as of April 2013) doing a limited proof-of-concept of Grouper. Our plan is to run a small test of Grouper within the University Information Technology department, in the hope that this test will inform us about the broader applicability of Grouper. We hope to be able to show how on-boarding, off-boarding and role changes can be managed in Grouper and reflected in real-world application permissions within the IT department.

Current Activities

After a couple of weeks of experimenting with the bundled Grouper installer, its default configuration and its sample data, it was time to start making things real.

Our target architecture at this point:

  • Oracle for Grouper registry database
  • OpenDJ LDAP directory for subject source data
  • OpenDJ LDAP directory for some group source data
  • Active Directory for some group source data
  • Active Directory as target for group provisioning

After initial experiments configuring Grouper to use LDAP and AD as source and target, we concluded that the biggest bang for our buck would be to provision groups from Grouper into Active Directory, so that SharePoint and other AD-enabled applications could be provisioned from those groups.

In addition it became apparent that we could use both OpenDJ LDAP and Active Directory as sources for both subjects and groups. At this point it looks like we will source our subject data (people, i.e. group members) from OpenDJ via a Grouper Loader job. We will also create Grouper Loader jobs to create groups from group entries that exist in various parts of both OpenDJ and Active Directory.
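The data flow sketched above, as an added example that is not part of the original page and is not Grouper's, the Grouper Loader's or PSP's own code: a small Python model of what the pipeline has to do end to end. Subjects are resolved against an OpenDJ-style subject source, loader-style group lists from OpenDJ and AD are merged into Grouper groups under one folder, and the result is reconciled into an AD target as a set of adds and removes, which is how on-boarding, off-boarding and role changes show up in AD. All directory data, the subject ids, the group names, the `uit:apps` folder and the leaf-name mapping from Grouper group to AD group are constructed assumptions; the failsafe thresholds are illustrative, not Grouper settings.

```python
"""Model of the PoC data flow: subjects from an OpenDJ-style subject source,
group lists from OpenDJ and AD group sources, combined into Grouper groups,
then reconciled into Active Directory.  All data is constructed; no directory
is contacted."""
from typing import Dict, List, Set, Tuple

# Constructed OpenDJ subject source: subject id (uid) -> display name.
OPENDJ_SUBJECTS: Dict[str, str] = {
    "u0000001": "Alice Admin",
    "u0000002": "Bob Newhire",     # on-boarding: in the source, not yet in AD
    "u0000003": "Carol Changed",   # role change: helpdesk -> sysadmins
    "u0000004": "Dave Ops",
}

# Constructed group sources as a loader job would read them: group name ->
# member subject ids.  "u0000009" has no subject entry and must be skipped.
OPENDJ_GROUP_SOURCE: Dict[str, List[str]] = {
    "uit-helpdesk": ["u0000001", "u0000002", "u0000009"],
}
AD_GROUP_SOURCE: Dict[str, List[str]] = {
    "uit-sysadmins": ["u0000001", "u0000003", "u0000004"],
    "uit-sharepoint-readers": [],  # simulates a failed or empty read of the source
}

# Constructed current AD target state: group name -> member ids.
AD_TARGET: Dict[str, Set[str]] = {
    "uit-helpdesk": {"u0000001", "u0000003"},
    "uit-sysadmins": {"u0000001", "u0000004", "u0000005"},  # u0000005 was off-boarded
    "uit-sharepoint-readers": {"u0000001", "u0000003", "u0000004"},
    "uit-unmanaged": {"u0000004"},  # not owned by Grouper; must be left alone
}

STEM = "uit:apps"  # assumed Grouper folder holding the provisioned groups


def build_grouper_groups(subjects, *group_sources, stem=STEM):
    """Merge loader results from several sources into Grouper groups under
    `stem`, keeping only members that resolve in the subject source and
    reporting the ones that do not (a loader would log these, not guess)."""
    groups: Dict[str, Set[str]] = {}
    unresolved: List[Tuple[str, str]] = []
    for source in group_sources:
        for name, member_ids in source.items():
            full = f"{stem}:{name}"
            groups.setdefault(full, set())
            for member in member_ids:
                if member in subjects:
                    groups[full].add(member)
                else:
                    unresolved.append((full, member))
    return groups, unresolved


def plan_provisioning(grouper_groups, ad_state, max_remove_fraction=0.5, min_group_size=3):
    """Per AD group, compute the adds and removes that make AD match Grouper.
    A group is marked blocked (nothing applied) when the source came back empty
    for a group that still has members, or when the change would strip more
    than max_remove_fraction of a group of at least min_group_size members:
    a broken loader read must not silently revoke everyone's SharePoint access."""
    plan = {}
    for full_name, desired in grouper_groups.items():
        ad_name = full_name.rsplit(":", 1)[-1]  # assumed mapping: leaf name == AD group
        current = ad_state.get(ad_name, set())
        adds, removes = desired - current, current - desired
        blocked = (not desired and bool(current)) or (
            len(current) >= min_group_size
            and len(removes) / len(current) > max_remove_fraction
        )
        plan[ad_name] = {"add": adds, "remove": removes, "blocked": blocked}
    return plan


def apply_plan(ad_state, plan):
    """Return the AD state after applying every unblocked change.  Groups absent
    from the plan are not managed by Grouper and are left exactly as they were;
    applying the same plan twice yields the same state (idempotent)."""
    new_state = {group: set(members) for group, members in ad_state.items()}
    for ad_name, change in plan.items():
        if change["blocked"]:
            continue
        members = new_state.setdefault(ad_name, set())
        members |= change["add"]
        members -= change["remove"]
    return new_state


if __name__ == "__main__":
    groups, unresolved = build_grouper_groups(OPENDJ_SUBJECTS, OPENDJ_GROUP_SOURCE, AD_GROUP_SOURCE)
    plan = plan_provisioning(groups, AD_TARGET)
    for name, change in plan.items():
        flag = " BLOCKED" if change["blocked"] else ""
        print(f"{name}: +{sorted(change['add'])} -{sorted(change['remove'])}{flag}")
    print("unresolved members:", unresolved)
```

Running the model shows Bob added to uit-helpdesk (on-boarding), u0000005 removed from uit-sysadmins (off-boarding), Carol moved from uit-helpdesk to uit-sysadmins (role change), the empty uit-sharepoint-readers read blocked rather than emptying the AD group, and uit-unmanaged untouched. The real loader and provisioner do the equivalent work with their own configuration; the point of the model is that whatever tool sits in that position needs the same three properties: unresolvable members are dropped and reported, removals are applied (off-boarding is the security-relevant half), and a source failure cannot turn into a mass revocation.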

Completed Activities

Installed Grouper via bundled installer using default configuration and sample data.

Tested creation of folder (stem) structure and an accompanying groups structure.

Changed default configuration to point to LDAP and Active Directory (together and separately) for subject sources.

Changed default configuration to provision groups to LDAP and Active Directory. We attempted to have groups provisioned to both targets at the same time but were unable to get this working.

Experimented with Grouper loader and PSP for provisioning groups to both LDAP and Active Directory. 

Configured Oracle database for Grouper registry. Started with a clean database and successfully imported the previous stem structure from HSQLDB into Oracle (thanks to a suggestion from Chris Hyzer!).

Applied some UI customizations via CSS (look and feel only). 

Configured Grouper UI to use CAS authentication (Jasig CAS).