...
| Info |
|---|
If you are interested in using Shibboleth as your Grouper log-in mechanism, then see this page on this Authentication to the Grouper UI |
Overview
View Shib IdP and Grouper Data Connection in the Grouper architectural diagram.
...
| Code Block |
|---|
|
<dependency>
<groupId>edu.internet2.middleware.grouper</groupId>
<artifactId>grouper-shib</artifactId>
<version>2.1.0</version>
</dependency>
|
Group Data Connector
The GroupDataConnector returns attributes which represent the Grouper Group whose name is the principal name of an attribute request.
GroupDataConnector - Attributes
The attributes returned for a group include built-in attributes such as id, name, displayName, extension, displayExtension, and description, as well as custom attributes and attribute framework attributes.
...
| Code Block |
|---|
|
<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector" />
<resolver:AttributeDefinition id="description" xsi:type="ad:Simple">
<resolver:Dependency ref="GroupDataConnector" />
</resolver:AttributeDefinition>
|
GroupDataConnector - Lists (Memberships)
By default, no lists (memberships) are returned by the GroupDataConnector because they may be expensive to query. Lists which should be returned as attributes may be defined using the following naming convention :
| Code Block |
|---|
|
<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
<grouper:Attribute id="<members|group>[:<all|immediate|effective|composite>[:<list name>]]" />
</resolver:DataConnector>
|
GroupDataConnector - Default List (Members)
The following example will return an attribute named "member" whose values are the "name" of every member from the "jdbc" subject source of the default "members" list of a group :
| Code Block |
|---|
|
<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
<grouper:Attribute id="members" />
</resolver:DataConnector>
<resolver:AttributeDefinition id="member" xsi:type="grouper:Member" sourceAttributeID="members" >
<resolver:Dependency ref="GroupDataConnector" />
<grouper:Attribute id="name" source="jdbc" />
</resolver:AttributeDefinition>
|
GroupDataConnector - List (Membership) Scope
The following example will return an attribute named "immediateMembers" whose values are the "name" of every immediate member from the "jdbc" source of the default "members" list of a group :
| Code Block |
|---|
|
<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
<grouper:Attribute id="members:immediate" />
</resolver:DataConnector>
<resolver:AttributeDefinition id="immediateMembers" xsi:type="grouper:Member" sourceAttributeID="members:immediate" >
<resolver:Dependency ref="GroupDataConnector" />
<grouper:Attribute id="name" source="jdbc" />
</resolver:AttributeDefinition>
|
GroupDataConnector - Custom List (Membership)
The following example will return an attribute named "customMembers" whose values are the "name" of every member from the "jdbc" source of the "customList" list of a group :
| Code Block |
|---|
|
<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
<grouper:Attribute id="members:all:customList" />
</resolver:DataConnector>
<resolver:AttributeDefinition id="customMembers" xsi:type="grouper:Member" sourceAttributeID="members:all:customList" >
<resolver:Dependency ref="GroupDataConnector" />
<grouper:Attribute id="name" source="jdbc" />
</resolver:AttributeDefinition>
|
GroupDataConnector - Member Of List
The following example will return an attribute named "isMemberOf" whose values are the "name" of every group of which the group is a member of :
| Code Block |
|---|
|
<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
<grouper:Attribute id="groups" />
</resolver:DataConnector>
<resolver:AttributeDefinition id="isMemberOf" xsi:type="grouper:Group" sourceAttributeID="groups" >
<resolver:Dependency ref="GroupDataConnector" />
<grouper:Attribute id="name" />
</resolver:AttributeDefinition>
|
GroupDataConnector - Privileges
Attributes representing Subjects which have Access Privileges to a group may be defined by privilege name as defined in the Grouper Glossary.
...
| Code Block |
|---|
|
<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
<grouper:Attribute id="admins" />
</resolver:DataConnector>
<resolver:AttributeDefinition id="admin" xsi:type="grouper:Subject" sourceAttributeID="admins" >
<resolver:Dependency ref="GroupDataConnector" />
<grouper:Attribute id="name" source="jdbc" />
</resolver:AttributeDefinition>
|
Member Data Connector
The MemberDataConnector returns attributes which represent a Grouper Member whose subject id or identifier is the principal name of an attribute request. Returned attributes, lists, and privileges must be specified to maximize retrieval performance.
| Code Block |
|---|
|
<resolver:DataConnector id="MemberDataConnector" xsi:type="grouper:MemberDataConnector">
<grouper:Attribute id="name" />
<grouper:Attribute id="description" />
<grouper:Attribute id="groups" />
<grouper:Attribute id="admins" />
</resolver:DataConnector>
|
Member Data Connector - Attributes
The following example will return an attribute named "name" whose value is the name of a Member :
| Code Block |
|---|
|
<resolver:DataConnector id="MemberDataConnector" xsi:type="grouper:MemberDataConnector" >
<grouper:Attribute id="name" />
</resolver:DataConnector>
<resolver:AttributeDefinition id="name" xsi:type="ad:Simple">
<resolver:Dependency ref="MemberDataConnector" />
</resolver:AttributeDefinition>
|
Member Data Connector - Lists
The following example will return an attribute named "isMemberOf" whose values are the "name" of every Group to which the Member is a member of the default "members" list :
| Code Block |
|---|
|
<resolver:DataConnector id="MemberDataConnector" xsi:type="grouper:MemberDataConnector">
<grouper:Attribute id="groups" />
</resolver:DataConnector>
<resolver:AttributeDefinition id="isMemberOf" xsi:type="grouper:Group" sourceAttributeID="groups" >
<resolver:Dependency ref="MemberDataConnector" />
<grouper:Attribute id="name" />
</resolver:AttributeDefinition>
|
Member Data Connector - Privileges
Attributes representing Groups to which a Member's subject has Access Privileges may be defined by privilege name as defined in the Grouper Glossary.
...
| Code Block |
|---|
|
<resolver:DataConnector id="MemberDataConnector" xsi:type="grouper:MemberDataConnector">
<grouper:Attribute id="admins" />
</resolver:DataConnector>
<resolver:AttributeDefinition id="admin" xsi:type="grouper:Group" sourceAttributeID="admins" >
<resolver:Dependency ref="MemberDataConnector" />
<grouper:Attribute id="name" />
</resolver:AttributeDefinition>
|
Stem Data Connector
The StemDataConnector returns attributes which represent the Grouper stem whose name is the principal name of an attribute request.The attributes returned for a stem include built-in attributes such as id, name, displayName, extension, displayExtension, and description, as well as custom attributes and attribute framework attributes.
| Code Block |
|---|
|
<resolver:DataConnector id="StemDataConnector" xsi:type="grouper:StemDataConnector" />
|
Change Log Data Connector
The ChangeLogDataConnector returns attributes representing the Grouper change log entry whose sequence number is the principal name of an attribute request.
...
Source code for the change log data connector and filters are available from the psp-grouper-changelog project.
Filters
Objects returned by the data connectors may be filtered.
Filter - GroupExactAttribute
The GroupExactAttribute returns groups which have an exact attribute value :
| Code Block |
|---|
|
<resolver:DataConnector id="testFilterExactAttribute" xsi:type="grouper:GroupDataConnector">
<grouper:Filter xsi:type="grouper:GroupExactAttribute" name="name" value="stem:group" />
</resolver:DataConnector>
|
Filter - GroupInStem
The GroupInStem returns groups which are children of the named stem with the given scope :
| Code Block |
|---|
|
<resolver:DataConnector id="StemNameFilterONE" xsi:type="grouper:GroupDataConnector">
<grouper:Filter xsi:type="grouper:GroupInStem" name="parentStem" scope="ONE" />
</resolver:DataConnector>
<resolver:DataConnector id="StemNameFilterSUB" xsi:type="grouper:GroupDataConnector">
<grouper:Filter xsi:type="grouper:GroupInStem" name="parentStem" scope="SUB" />
</resolver:DataConnector>
|
Filter - AND
The AND filter returns objects which match both child filters, in other words, an Intersection :
| Code Block |
|---|
|
<grouper:Filter xsi:type="grouper:AND">
<grouper:Filter xsi:type="grouper:ExactAttribute" name="name" value="parentStem:group_name" />
<grouper:Filter xsi:type="grouper:StemName" name="parentStem" scope="ONE" />
</grouper:Filter>
|
Filter - OR
The OR filter returns objects which match either of two child filters, in other words, a Union :
| Code Block |
|---|
|
<grouper:Filter xsi:type="grouper:OR">
<grouper:Filter xsi:type="grouper:ExactAttribute" name="name" value="parentStem:group_name" />
<grouper:Filter xsi:type="grouper:StemName" name="parentStem:childStem" scope="ONE" />
</grouper:Filter>
|
Filter - MINUS
The MINUS filter returns objects which match the result of the first child filter minus the result of the second child filter, in other words, the Complement :
| Code Block |
|---|
|
<grouper:GroupFilter xsi:type="grouper:Minus">
<grouper:GroupFilter xsi:type="grouper:StemName" name="parentStem" scope="ONE" />
<grouper:GroupFilter xsi:type="grouper:ExactAttribute" name="name" value="parentStem:group_name" />
</grouper:GroupFilter>
|
Filter - StemInStem
The StemInStem filter returns stems which are children of the named stem with the given scope :
| Code Block |
|---|
|
<resolver:DataConnector id="StemNameFilterONE" xsi:type="grouper:GroupDataConnector">
<grouper:Filter xsi:type="grouper:StemInStem" name="parentStem" scope="ONE" />
</resolver:DataConnector>
<resolver:DataConnector id="StemNameFilterSUB" xsi:type="grouper:GroupDataConnector">
<grouper:Filter xsi:type="grouper:StemInStem" name="parentStem" scope="SUB" />
</resolver:DataConnector>
|
Filter - StemNameExact
The StemNameExact filter returns stems with the given name :
| Code Block |
|---|
|
<resolver:DataConnector id="testFilterStemNameExact" xsi:type="grouper:StemDataConnector">
<grouper:Filter xsi:type="grouper:StemNameExact" name="parentStem" />
</resolver:DataConnector>
|
Filter - ChangeLogAudit
The ChangeLogAudit filter returns change log entries with the given audit category and or action.
| Code Block |
|---|
|
<grouper:Filter xsi:type="psp-grouper-changelog:ChangeLogAudit" category="group" action="deleteGroup" />
|
Filter - ChangeLogEntry
The ChangeLogEntry filter returns change log entries with the given change log category and or action.
| Code Block |
|---|
|
<grouper:Filter xsi:type="psp-grouper-changelog:ChangeLogEntry" category="membership" action="deleteMembership" />
|
Filter - ChangeLogExactAttribute
The ChangeLogExactAttribute filter returns change log entries with the given attribute name and value.
| Code Block |
|---|
|
<grouper:Filter xsi:type="psp-grouper-changelog:ChangeLogExactAttribute" name="propertyChanged" value="description" />
|
Filter - ChangeLogAttributeAssignType
The ChangeLogAttributeAssignType filter returns change log entries with the given attribute value assign type.
| Code Block |
|---|
|
<grouper:Filter xsi:type="psp-grouper-changelog:ChangeLogAttributeAssignType" attributeAssignType="group" />
|
Group Attribute Definition
The GroupAttributeDefinition returns Group attributes.
...
| Code Block |
|---|
|
<resolver:AttributeDefinition id="isMemberOf" xsi:type="grouper:Group" sourceAttributeID="groups" >
<resolver:Dependency ref="GroupDataConnector" />
<grouper:Attribute id="name" />
</resolver:AttributeDefinition>
|
Member Attribute Definition
The MemberAttributeDefinition returns Member attributes.
...
| Code Block |
|---|
|
<resolver:AttributeDefinition id="member" xsi:type="grouper:Member" sourceAttributeID="members" >
<resolver:Dependency ref="GroupDataConnector" />
<grouper:Attribute id="name" source="jdbc" />
</resolver:AttributeDefinition>
|
Subject Attribute Definition
The SubjectAttributeDefinition returns Subject attributes.
...
| Code Block |
|---|
|
<resolver:AttributeDefinition id="owner" xsi:type="grouper:Subject" sourceAttributeID="members" >
<resolver:Dependency ref="GroupDataConnector" />
<grouper:Attribute id="name" source="jdbc" />
</resolver:AttributeDefinition>
|
See Also
Exposing Groups Through Shibboleth
...