Overview
Warning: If you are working with Grouper 2.1 or above, see the newer documentation on Grouper and Shib Integration.
As of v1.5.0, the Grouper API distribution, grouper.jar, provides a Data Connector Extension and Attribute Definition Extensions to the Shibboleth Attribute Resolver.
...
These were chosen as part of the design for a completely new (and as yet incomplete) way to provision Grouper information into LDAP directories, and perhaps other target repository types: the Grouper PSP. However, they also offer a new means of including Grouper information in Shibboleth-based SAML attribute assertions.
Sites interested in integrating these new capabilities into their Shibboleth IdP are advised to test extensively before deploying them in a production environment.
Installation into your Shibboleth Identity Provider
Warning: This is NOT the recommended way to integrate with your Shibboleth Identity Provider.
To install the Grouper DataConnector into your Shibboleth IdP, copy all of the Grouper jars into the /lib directory of your Shibboleth IdP installation and then run install.sh so that they are packaged into the deployed IdP. Next, place your Grouper configuration files, including grouper.properties and subject.xml, into /opt/shibboleth-idp/conf. You should then be able to edit your attribute-resolver.xml as shown in the examples on this page and resolve the Grouper attributes. Note that subject.xml and the Grouper properties files can contain database and directory credentials, so keep them readable only by the account the IdP runs as.
Grouper Data Connectors
Group Data Connector
...
Attributes representing Subjects which have Access Privileges to a group may be defined by privilege name as defined in the Grouper Glossary.
```xml
<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
  <grouper:Attribute id="admins" />
  <grouper:Attribute id="optins" />
  <grouper:Attribute id="optouts" />
  <grouper:Attribute id="readers" />
  <grouper:Attribute id="updaters" />
  <grouper:Attribute id="viewers" />
</resolver:DataConnector>
```
The following example will return an attribute named "admin" whose values are the "name" of every Subject which has the ADMIN privilege on a group:
...
Attributes representing Groups to which a Member's subject has Access Privileges may be defined by privilege name as defined in the Grouper Glossary.
```xml
<resolver:DataConnector id="MemberDataConnector" xsi:type="grouper:MemberDataConnector">
  <grouper:Attribute id="admins" />
  <grouper:Attribute id="optins" />
  <grouper:Attribute id="optouts" />
  <grouper:Attribute id="readers" />
  <grouper:Attribute id="updaters" />
  <grouper:Attribute id="viewers" />
</resolver:DataConnector>
```
The following example will return an attribute named "admin" whose values are the "name" of every Group to which the Member's subject has the ADMIN privilege:
...
```xml
<resolver:AttributeDefinition id="isMemberOf" xsi:type="grouper:Group" sourceAttributeID="groups" >
  <!-- "groups" (the Member's group memberships) is exposed by the MemberDataConnector,
       which resolves the authenticated principal as a Grouper Member -->
  <resolver:Dependency ref="MemberDataConnector" />
  <grouper:Attribute id="name" />
</resolver:AttributeDefinition>
```
Member Attribute Definition
...
```xml
<resolver:AttributeDefinition id="owner" xsi:type="grouper:Subject" sourceAttributeID="members" >
  <!-- "members" (the Group's member subjects) is exposed by the GroupDataConnector -->
  <resolver:Dependency ref="GroupDataConnector" />
  <!-- "name" is read from the subject source whose id is "jdbc" in subject.xml -->
  <grouper:Attribute id="name" source="jdbc" />
</resolver:AttributeDefinition>
```
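The fragments on this page each show one element in isolation. The following is an added example, not configuration from the Grouper project or the original page, that assembles the Member data connector and the Group attribute definition into a minimal Shibboleth IdP v2 attribute-resolver.xml and attaches SAML 2 encoders so the values actually appear in an assertion. Assumptions: the grouper namespace URI is a placeholder to be replaced with the one declared in the XSD shipped inside grouper.jar (and added to xsi:schemaLocation), the attribute id grouperAdminOf and its encoder name are invented for illustration, and the isMemberOf encoder uses the standard eduMember isMemberOf OID.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration, not project code. The grouper namespace URI below is an ASSUMED
     placeholder: copy the real URI and schemaLocation from the XSD inside grouper.jar. -->
<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:grouper="http://grouper.internet2.edu/shibboleth/2.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- Member-side connector: the authenticated principal is resolved as a Grouper Member.
       "groups" carries the groups the subject belongs to; "admins" the groups it can administer. -->
  <resolver:DataConnector id="MemberDataConnector" xsi:type="grouper:MemberDataConnector">
    <grouper:Attribute id="groups" />
    <grouper:Attribute id="admins" />
  </resolver:DataConnector>

  <!-- isMemberOf: one value per group name the subject is a member of, encoded with the
       eduMember isMemberOf OID so relying parties recognise it. -->
  <resolver:AttributeDefinition id="isMemberOf" xsi:type="grouper:Group" sourceAttributeID="groups">
    <resolver:Dependency ref="MemberDataConnector" />
    <grouper:Attribute id="name" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="isMemberOf" />
  </resolver:AttributeDefinition>

  <!-- Privilege-derived attribute (id and encoder name are invented for this example):
       groups the subject holds the ADMIN privilege on. Kept as a separate attribute so that
       attribute-filter.xml can withhold it from SPs that only need plain membership. -->
  <resolver:AttributeDefinition id="grouperAdminOf" xsi:type="grouper:Group" sourceAttributeID="admins">
    <resolver:Dependency ref="MemberDataConnector" />
    <grouper:Attribute id="name" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="https://example.org/saml/attributes/grouperAdminOf" friendlyName="grouperAdminOf" />
  </resolver:AttributeDefinition>

</resolver:AttributeResolver>
```

Defining a resolver attribute does not release it: every value stays inside the IdP until an attribute-filter.xml policy permits it for a given requester. Group names and, even more so, privilege holdings describe your organisation's structure, so release isMemberOf only to the service providers that need it and keep privilege-derived attributes such as the grouperAdminOf example above out of any permit-all rule.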