...

There are many ways to expose Grouper groups to Shibboleth, including Exposing Groups Through Shibboleth and the Group Data Connector, but this article details how we specifically do it at the University of Wisconsin-Madison. Our setup mirrors group memberships and group attributes to read-only copies on a redundant database cluster. Those views are also transformed to map our unique, publicly visible identifier to Grouper groups (this is a separate identifier from the one we use for the Grouper subject source). You can just as easily use this method out of the box, pointed directly at your Grouper database and keyed on whatever identifier your subject source uses, as long as that identifier is also fed to Shibboleth. I give examples of both a generic implementation and the UW-Madison-specific implementation below.

...

<DataConnector id="grouperDB" xsi:type="RelationalDatabase" readOnlyConnection="false" queryTimeout="PT3S">
    <!-- The resolved "uid" attribute supplies the subject_id looked up in the query. -->
    <Dependency ref="uid"/>
    <BeanManagedConnection>MyDataSource</BeanManagedConnection>
    <QueryTemplate><![CDATA[
        ## Only run the lookup when a uid was resolved; otherwise return a harmless row.
        #if (${uid.size()} > 0)
        SELECT DISTINCT grouper_memberships_lw_v.group_name
        FROM grouper.grouper_aval_asn_group_v
        JOIN grouper.grouper_memberships_lw_v
        USING (group_id)
        WHERE subject_id='$uid.get(0)'
        ## Keep only groups tagged for the requesting SP's entityID, or tagged DEFAULT for every SP.
        AND grouper_aval_asn_group_v.attribute_def_name_name='etc:attribute:ShibEntityId:ShibEntityId'
        AND (value_string = '$requestContext.getPeerEntityId()' OR value_string='DEFAULT')
        AND grouper_aval_asn_group_v.enabled='T'
        ORDER BY group_name ASC;
        #else
        SELECT 1
        #end
    ]]></QueryTemplate>
</DataConnector>
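As an added, runnable illustration of what the template above resolves to (example code written for this page, not part of the original article or of Grouper or Shibboleth): it loads constructed rows into in-memory SQLite copies of the two views and runs the same query for one subject against one SP's entityID, showing the DEFAULT fallback and the enabled='T' filter. The group names, subject IDs and entityIDs are all made up, and the subject and entityID are bound as query parameters rather than spliced into the SQL text as the Velocity template does.

```python
import sqlite3

# Constructed sample rows (not real UW-Madison data); column names follow the
# two Grouper views the article's QueryTemplate joins.
SHIB_ENTITY_ID_ATTR = "etc:attribute:ShibEntityId:ShibEntityId"
WIKI_SP = "https://wiki.example.edu/shibboleth"  # constructed SP entityID

MEMBERSHIPS = [  # grouper_memberships_lw_v: (group_id, group_name, subject_id)
    ("g1", "uw:app:wiki:editors", "jdoe"),
    ("g2", "uw:app:lms:students", "jdoe"),
    ("g3", "uw:app:hr:staff", "jdoe"),
    ("g4", "uw:app:wiki:admins", "asmith"),
]
GROUP_ATTRS = [  # grouper_aval_asn_group_v: (group_id, attribute_def_name_name, value_string, enabled)
    ("g1", SHIB_ENTITY_ID_ATTR, WIKI_SP, "T"),
    ("g2", SHIB_ENTITY_ID_ATTR, "DEFAULT", "T"),  # released to every SP
    ("g3", SHIB_ENTITY_ID_ATTR, "https://hr.example.edu/shibboleth", "T"),
    ("g4", SHIB_ENTITY_ID_ATTR, WIKI_SP, "F"),  # attribute assignment disabled
]

# Same shape as the article's query, but the subject and the peer entityID are
# bound as '?' parameters rather than spliced into the SQL text.
QUERY = """
SELECT DISTINCT m.group_name
FROM grouper_aval_asn_group_v a
JOIN grouper_memberships_lw_v m USING (group_id)
WHERE m.subject_id = ?
  AND a.attribute_def_name_name = ?
  AND (a.value_string = ? OR a.value_string = 'DEFAULT')
  AND a.enabled = 'T'
ORDER BY m.group_name ASC
"""


def build_db():
    """In-memory stand-in for the read-only mirror of the two Grouper views."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE grouper_memberships_lw_v (group_id, group_name, subject_id)")
    conn.execute("CREATE TABLE grouper_aval_asn_group_v "
                 "(group_id, attribute_def_name_name, value_string, enabled)")
    conn.executemany("INSERT INTO grouper_memberships_lw_v VALUES (?, ?, ?)", MEMBERSHIPS)
    conn.executemany("INSERT INTO grouper_aval_asn_group_v VALUES (?, ?, ?, ?)", GROUP_ATTRS)
    return conn


def groups_for(conn, subject_id, peer_entity_id):
    """Group names released to one SP for one subject, as the template resolves them."""
    if not subject_id:  # mirrors the template's '#if (${uid.size()} > 0)' guard
        return []
    rows = conn.execute(QUERY, (subject_id, SHIB_ENTITY_ID_ATTR, peer_entity_id))
    return [group_name for (group_name,) in rows]
```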

...