Qualtics is a survey tool.  Penn has certain groups of people who have access to qualtrics.  Qualtrics is a sponsored partner (SP) in the InCommon Federation, so sending SAML assertions of eduPersonEntitlement with group names is fine.

The Grouper Qualtrics integration is also covered on pages 7-8 of these slides

This effort took 4 main parties at Penn:

a. the overseer who is managing the effort, working with the schools, and interfacing with Qualtrics

b. data admin to write the warehouse queries

c. grouper admin to setup the groups/loader

d. shib admin to configure shib

Steps to make this work:

1. Create the overall groups in one folder, for groups which are sourced from the loader, allow additional ad hoc members by separating the overall group, and the system of record group

2. Add each system of record group to each overall group

3. Our shibboleth integration is based on the kerberos principal that reads memberships from Grouper.  It will send all groups in that folder that it can read, which means only the overall groups.  Set this privilege:

4. For the loader groups, make a view against the warehouse:

5. Setup the loader attributes for system of record groups.  This will be a daily job run each morning

6. We dont have a requirement for this yet, but you could give someone UPDATE privileges on the overall group to manage the ad hocs

7. Bounce the loader process, and optionally kick off the jobs manually from GSH to get them loaded immediately

grouperSession = GrouperSession.startRootSession();
loaderGroup = GroupFinder.findByName(grouperSession, "stem:group_systemOfRecord");

8. For the non-loader overall group, add the groups where data comes from, which in this case is one group from a school which includes groups they already manage of certain employees.  This comes from their folder so they can already manage that group, not the folder where the qualtrics groups are:

9. Configure and test the shibboleth, something like this

<!-- Attribute Release Policy for Qualtrics  -->
<AttributeFilterPolicy id="afp_releaseEntitlementsToQualtrics">
        <PolicyRequirementRule xsi:type="basic:OR">

                <basic:Rule xsi:type="basic:AttributeRequesterString"
                        value="https://whatever.qualtrics.com/WRSAML/entityId1" />
                <basic:Rule xsi:type="basic:AttributeRequesterString"
                        value=" https://whatever.qualtrics.com/WRSAML/entityId2" />

       <AttributeRule attributeID="eduPersonEntitlement">
                <PermitValueRule xsi:type="basic:AttributeValueRegex"

10. Communicate the format of the entitlements to Qualtrics, so they can configure their side:



  • No labels