This demo is updated from time to time. If you encounter unexpected behavior, please let us know, e.g. on the #incommon-midpoint channel of the Internet2 Slack.

This is a demonstration of using midPoint in a more realistic deployment, with various source and target systems along with other identity management components such as LDAP, Grouper, and Shibboleth IdP.

Starting the containers

$ cd demo/grouper
$ docker compose up

This will take a while.

Eventually you will see the notice that midPoint has started successfully:

midpoint_server | 2024-05-24 07:23:53,374 [] [main] INFO (com.evolveum.midpoint.web.boot.MidPointSpringApplication): Started MidPointSpringApplication in 22.246 seconds (process running for 23.944)

It will be followed by many messages about data initialization in Grouper, synchronization to midPoint and provisioning to the LDAP server. You do not have to wait until everything is finished; you can start exploring the demo sooner, just keep in mind that synchronization and provisioning are still running in the background.

Containers

| Container | Content | Description |
|---|---|---|
| sources | MariaDB server | This serves as an example of source systems. MariaDB hosts the SIS_PERSONS, SIS_AFFILIATIONS and SIS_COURSES tables, which contain data about approximately 100 persons: their departmental membership, affiliations and course enrollment. The data are the same as in the TIER Grouper sample, only the form differs (SQL here, LDAP+SQL in the Grouper sample). |
| midpoint_server | midPoint software | This is the standard container providing midPoint functionality. |
| midpoint_data | PostgreSQL server | This container provides the repository for midPoint. It is separate so that it can be replaced as needed, either with a container hosting any other supported database, or with a non-dockerized repository (on-premises or in the cloud). |
| grouper_ui | Grouper software | Here the Grouper UI executes. |
| grouper_ws | Grouper software | Here the Grouper WS (Web Services) executes. |
| grouper_daemon | Grouper software | Here the Grouper loader jobs execute. |
| grouper_data | MariaDB server | This is the repository for Grouper. As with midPoint, it is separate so that it can be replaced as needed. |
| grouper_data_init | init | Initializes data in Grouper: creates the loader groups and sets up the midPoint provisioner. This container can be replaced by static configuration if needed. |
| directory | 389ds server | This is the central LDAP directory. It is used by Grouper as the primary source of subjects and "imported" group membership (from source systems and optionally from midPoint). It is also used by Shibboleth IdP as the source of authentication information. |
| mq | RabbitMQ | RabbitMQ server. It is part of the Grouper deployment and not relevant for this demo. |
| idp | Shibboleth IdP | Here Shibboleth IdP executes, providing the authentication service for Grouper and (in the future) also for midPoint. |
| idp_vol_init | init | Prepares configuration files such as metadata for Shibboleth IdP. This container can be replaced by static configuration if needed. |
| proxy | NGINX | HTTP proxy for accessing midPoint, Grouper and Shibboleth IdP. |
| beacon | TAP Beacon | InCommon TAP Beacon. |
| data_init | init | This container is responsible for initialization of the midpoint_data container. |
| prereq | init | Configuration file initialization for the other containers. It generates certificates, keystores and the database password. This container can be replaced by static configuration if needed. |

Composition of these Docker containers is described in docker-compose.yml file.

Checking the midPoint state

Now you can check that midPoint is up and running by logging into it. Use the URL https://localhost/, with user banderson and password password.

After successful login:


Checking groups in Grouper

The loaders that were created run every minute, so after a while you can see their results when logging into Grouper (URL https://localhost/grouper, user banderson, password password). Note that the first time you will have to accept the invalid certificate and fill in the login data for Shibboleth IdP. After successful login, choose Miscellaneous and then Loader jobs; you will see this:

After selecting the ref:affiliation:alum group, you can see its members:

MidPoint - Grouper integration

MidPoint's Grouper connector is used for the integration. Grouper provisions data about subjects and groups to the PostgreSQL database; midPoint then reads them from it and maps them to users and organizational units. The synchronization uses a reconciliation task, which makes sure that all relevant data are aligned between Grouper and midPoint, and a live synchronization task, which processes individual changes as soon as they appear. Both tasks are listed among the midPoint tasks.
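To make the two mechanisms above concrete, here is an added Python example. It is not code from midPoint, Grouper, or this demo: sqlite3 stands in for the PostgreSQL database, the gr_mp_* table names, the change table and all sample subjects, groups and memberships are constructed assumptions (the real schema is defined by Grouper's midPoint provisioner and read by midPoint's Grouper connector), and MidPointState is a toy model of users, orgs and org memberships. It shows why both tasks are needed: reconciliation compares the whole source with midPoint and also removes memberships that exist only in midPoint (stale privilege), while live synchronization applies only changes newer than its last token and is therefore cheap but cannot repair drift it never saw.

```python
import sqlite3
from dataclasses import dataclass, field

# Constructed sample data standing in for the Grouper-provisioned tables (assumption).
SUBJECTS = [("banderson", "Bob Anderson"), ("kwhite", "Karen White"), ("jsmith", "John Smith")]
GROUPS = [("ref:affiliation:alum", "Alumni"), ("ref:affiliation:student", "Students")]
MEMBERSHIPS = [("ref:affiliation:alum", "banderson"),
               ("ref:affiliation:alum", "kwhite"),
               ("ref:affiliation:student", "jsmith")]
# Constructed stand-in for the change records a live-sync task polls (assumption).
CHANGES = [(1, "ref:affiliation:student", "kwhite", "add"),
           (2, "ref:affiliation:alum", "banderson", "remove")]

SCHEMA = """
CREATE TABLE gr_mp_subjects (subject_id TEXT PRIMARY KEY, subject_name TEXT NOT NULL);
CREATE TABLE gr_mp_groups (group_name TEXT PRIMARY KEY, display_name TEXT NOT NULL);
CREATE TABLE gr_mp_memberships (group_name TEXT NOT NULL, subject_id TEXT NOT NULL,
                                PRIMARY KEY (group_name, subject_id));
CREATE TABLE gr_mp_changes (change_id INTEGER PRIMARY KEY, group_name TEXT NOT NULL,
                            subject_id TEXT NOT NULL, action TEXT NOT NULL);
"""


def build_source_db() -> sqlite3.Connection:
    """In-memory sqlite3 database playing the role of the PostgreSQL database Grouper provisions into."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO gr_mp_subjects VALUES (?, ?)", SUBJECTS)
    conn.executemany("INSERT INTO gr_mp_groups VALUES (?, ?)", GROUPS)
    conn.executemany("INSERT INTO gr_mp_memberships VALUES (?, ?)", MEMBERSHIPS)
    conn.executemany("INSERT INTO gr_mp_changes VALUES (?, ?, ?, ?)", CHANGES)
    conn.commit()
    return conn


@dataclass
class MidPointState:
    """Toy model of what midPoint holds: users, orgs and org memberships."""
    users: dict = field(default_factory=dict)    # username -> full name
    orgs: dict = field(default_factory=dict)     # org name -> display name
    members: dict = field(default_factory=dict)  # org name -> set of usernames


def read_grouper_state(conn):
    """Read the full picture from the source tables: subjects, groups and who is in which group."""
    subjects = dict(conn.execute("SELECT subject_id, subject_name FROM gr_mp_subjects"))
    groups = dict(conn.execute("SELECT group_name, display_name FROM gr_mp_groups"))
    members = {g: set() for g in groups}
    for g, s in conn.execute("SELECT group_name, subject_id FROM gr_mp_memberships"):
        members[g].add(s)
    return subjects, groups, members


def reconcile(conn, mp: MidPointState) -> dict:
    """Full comparison of source and midPoint. Creates missing users and orgs and makes every
    org's member set equal to the source, so memberships present only in midPoint are removed.
    (Users that vanished from the source are left alone here; that policy is out of scope.)"""
    subjects, groups, desired = read_grouper_state(conn)
    summary = {"users_created": 0, "orgs_created": 0,
               "memberships_added": 0, "memberships_removed": 0}
    for uid, name in subjects.items():
        if uid not in mp.users:
            mp.users[uid] = name
            summary["users_created"] += 1
    for g, display in groups.items():
        if g not in mp.orgs:
            mp.orgs[g] = display
            summary["orgs_created"] += 1
    for g in groups:
        current = mp.members.setdefault(g, set())
        want = desired[g]
        summary["memberships_added"] += len(want - current)
        summary["memberships_removed"] += len(current - want)
        mp.members[g] = set(want)
    return summary


def live_sync(conn, mp: MidPointState, token: int) -> tuple:
    """Apply only the changes newer than `token`, in order; returns (new_token, processed).
    Calling it again with the returned token processes nothing, so it is safe to repeat."""
    rows = conn.execute(
        "SELECT change_id, group_name, subject_id, action FROM gr_mp_changes "
        "WHERE change_id > ? ORDER BY change_id", (token,)).fetchall()
    for change_id, g, s, action in rows:
        bucket = mp.members.setdefault(g, set())
        if action == "add":
            bucket.add(s)
        elif action == "remove":
            bucket.discard(s)
        else:
            raise ValueError(f"unknown action {action!r} in change {change_id}")
        token = change_id
    return token, len(rows)


def run_demo():
    conn = build_source_db()
    # midPoint state that has drifted: jdoe is still an alum in midPoint but not in Grouper.
    mp = MidPointState(
        users={"banderson": "Bob Anderson", "kwhite": "Karen White", "jdoe": "Jane Doe"},
        orgs={"ref:affiliation:alum": "Alumni"},
        members={"ref:affiliation:alum": {"banderson", "jdoe"}},
    )
    recon = reconcile(conn, mp)              # repairs the drift, including the stale jdoe membership
    first = live_sync(conn, mp, 0)           # applies changes 1 and 2
    second = live_sync(conn, mp, first[0])   # nothing new: (2, 0)
    return mp, recon, first, second


if __name__ == "__main__":
    state, recon, first, second = run_demo()
    print("reconciliation:", recon)
    print("live sync:", first, second)
    print("memberships:", {g: sorted(m) for g, m in state.members.items()})
```

Running the script prints the reconciliation summary (one user and one org created, two memberships added, one stale membership removed), the live-sync results (token 2 after two changes, then nothing on the second pass) and the resulting memberships. In a real deployment the reconciliation task is the safety net that runs periodically, while live sync keeps the latency of individual changes low.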

Conclusion

This sample environment proposes how to use midPoint along with Grouper for managing identities at a university. It is not a complete solution. Due to time limitations, some of the components are more sketches than production-ready implementations. For example, the scripted SQL connectors do not support filtering, paging, or live synchronization. The data model is greatly simplified. Security and performance issues were taken into account, but not yet fully validated.

Nevertheless, we consider this to be a good basis for getting acquainted with midPoint/Grouper integration as well as for future discussion on suitable architecture of midPoint/Grouper deployment in higher education.