
As of Grouper 2.1.0, the grouper-shib project (grouper-shib.jar) provides Data Connector extensions and Attribute Definition extensions for the Shibboleth Attribute Resolver. Previously, as of version 1.5, the Grouper API distribution (grouper.jar) provided this functionality. For releases before 2.1, read the Grouper Shib Integration documentation prior to Grouper 2.1.

Please note: using the Grouper-Shib connector is not the suggested way of integrating Grouper and Shib unless you have very specific use cases. The primary use case for the Grouper-Shib connector is to support the PSP, which uses the Shibboleth Attribute Resolver to assist with pushing groups to LDAP/AD. The more common way of integrating Grouper and Shibboleth is to push the group information into either an LDAP server or a SQL database and then to consume the groups from there. This eliminates the need to also install the Grouper API and its supporting jars into your IdP.


If you are interested in using Shibboleth as your Grouper log-in mechanism, see Authentication to the Grouper UI.



Overview

View Shib IdP and Grouper Data Connection in the Grouper architectural diagram.

...

Download from Maven Central.

```xml
<dependency>
  <groupId>edu.internet2.middleware.grouper</groupId>
  <artifactId>grouper-shib</artifactId>
  <version>2.1.0</version>
</dependency>
```

...

The following example will return an attribute named "description" whose value is the description of a group:

```xml
<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector" />

<resolver:AttributeDefinition id="description" xsi:type="ad:Simple">
    <resolver:Dependency ref="GroupDataConnector" />
</resolver:AttributeDefinition>
```

...

By default, no lists (memberships) are returned by the GroupDataConnector because they may be expensive to query. Lists which should be returned as attributes may be requested explicitly using the following naming convention:

```xml
<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
  <grouper:Attribute id="<members|group>[:<all|immediate|effective|composite>[:<list name>]]" />
</resolver:DataConnector>
```

...

The following example will return an attribute named "member" whose values are the "name" of every member from the "jdbc" subject source of the default "members" list of a group:

```xml
<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
  <grouper:Attribute id="members" />
</resolver:DataConnector>

<resolver:AttributeDefinition id="member" xsi:type="grouper:Member" sourceAttributeID="members" >
  <resolver:Dependency ref="GroupDataConnector" />
  <grouper:Attribute id="name" source="jdbc" />
</resolver:AttributeDefinition>
```

...

The following example will return an attribute named "isMemberOf" whose values are the "name" of every group of which the group is a member:

```xml
<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
  <grouper:Attribute id="groups" />
</resolver:DataConnector>

<resolver:AttributeDefinition id="isMemberOf" xsi:type="grouper:Group" sourceAttributeID="groups" >
  <resolver:Dependency ref="GroupDataConnector" />
  <grouper:Attribute id="name" />
</resolver:AttributeDefinition>
```

...

The following example will return an attribute named "admin" whose values are the "name" of every Subject which has the ADMIN privilege on a group:

```xml
<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
  <grouper:Attribute id="admins" />
</resolver:DataConnector>

<resolver:AttributeDefinition id="admin" xsi:type="grouper:Subject" sourceAttributeID="admins" >
  <resolver:Dependency ref="GroupDataConnector" />
  <grouper:Attribute id="name" source="jdbc" />
</resolver:AttributeDefinition>
```

...

The MemberDataConnector returns attributes which represent a Grouper Member whose subject id or identifier is the principal name of an attribute request. Returned attributes, lists, and privileges must be specified to maximize retrieval performance.

```xml
<resolver:DataConnector id="MemberDataConnector" xsi:type="grouper:MemberDataConnector">
  <grouper:Attribute id="name" />
  <grouper:Attribute id="description" />
  <grouper:Attribute id="groups" />
  <grouper:Attribute id="admins" />
</resolver:DataConnector>
```

...

The following example will return an attribute named "name" whose value is the name of a Member:

```xml
<resolver:DataConnector id="MemberDataConnector" xsi:type="grouper:MemberDataConnector" >
  <grouper:Attribute id="name" />
</resolver:DataConnector>

<resolver:AttributeDefinition id="name" xsi:type="ad:Simple">
    <resolver:Dependency ref="MemberDataConnector" />
</resolver:AttributeDefinition>
```

...

The following example will return an attribute named "isMemberOf" whose values are the "name" of every Group in whose default "members" list the Member is a member:

```xml
<resolver:DataConnector id="MemberDataConnector" xsi:type="grouper:MemberDataConnector">
  <grouper:Attribute id="groups" />
</resolver:DataConnector>

<resolver:AttributeDefinition id="isMemberOf" xsi:type="grouper:Group" sourceAttributeID="groups" >
  <resolver:Dependency ref="MemberDataConnector" />
  <grouper:Attribute id="name" />
</resolver:AttributeDefinition>
```

...

The following example will return an attribute named "admin" whose values are the "name" of every Group on which the Member's subject has the ADMIN privilege:

```xml
<resolver:DataConnector id="MemberDataConnector" xsi:type="grouper:MemberDataConnector">
  <grouper:Attribute id="admins" />
</resolver:DataConnector>

<resolver:AttributeDefinition id="admin" xsi:type="grouper:Group" sourceAttributeID="admins" >
  <resolver:Dependency ref="MemberDataConnector" />
  <grouper:Attribute id="name" />
</resolver:AttributeDefinition>
```

...

The StemDataConnector returns attributes which represent the Grouper stem whose name is the principal name of an attribute request. The attributes returned for a stem include built-in attributes such as id, name, displayName, extension, displayExtension, and description, as well as custom attributes and attribute framework attributes.

```xml
<resolver:DataConnector id="StemDataConnector" xsi:type="grouper:StemDataConnector" />
```

...

The ChangeLogDataConnector returns attributes representing the Grouper change log entry whose sequence number is the principal name of an attribute request.

...

For example, for a membership add change log entry, the built-in id, fieldName, subjectId, sourceId, membershipType, groupId, groupName, memberId, and fieldId attributes are returned. The ChangeLogDataConnector also returns an actionName attribute, in this case with value "membership", as well as a changeLogCategory attribute, in this case with value "addMembership".

```java
package edu.internet2.middleware.grouper.changeLog;

// Excerpt from the Grouper source: only the MEMBERSHIP_ADD constant is shown here.
public enum ChangeLogTypeBuiltin implements ChangeLogTypeIdentifier {

  /**
   * add membership
   */
  MEMBERSHIP_ADD(new ChangeLogType("membership", "addMembership",
      ChangeLogLabels.MEMBERSHIP_ADD.id,
      ChangeLogLabels.MEMBERSHIP_ADD.fieldName,
      ChangeLogLabels.MEMBERSHIP_ADD.subjectId,
      ChangeLogLabels.MEMBERSHIP_ADD.sourceId,
      ChangeLogLabels.MEMBERSHIP_ADD.membershipType,
      ChangeLogLabels.MEMBERSHIP_ADD.groupId,
      ChangeLogLabels.MEMBERSHIP_ADD.groupName,
      ChangeLogLabels.MEMBERSHIP_ADD.memberId,
      ChangeLogLabels.MEMBERSHIP_ADD.fieldId)),
```

...

The GroupExactAttribute filter returns groups which have an exact attribute value:

```xml
<resolver:DataConnector id="testFilterExactAttribute" xsi:type="grouper:GroupDataConnector">
  <grouper:Filter xsi:type="grouper:GroupExactAttribute" name="name" value="stem:group" />
</resolver:DataConnector>
```

...

The GroupInStem filter returns groups which are children of the named stem with the given scope (ONE for immediate children only, SUB for the whole subtree):

```xml
<resolver:DataConnector id="StemNameFilterONE" xsi:type="grouper:GroupDataConnector">
  <grouper:Filter xsi:type="grouper:GroupInStem" name="parentStem" scope="ONE" />
</resolver:DataConnector>

<resolver:DataConnector id="StemNameFilterSUB" xsi:type="grouper:GroupDataConnector">
  <grouper:Filter xsi:type="grouper:GroupInStem" name="parentStem" scope="SUB" />
</resolver:DataConnector>
```

...

The AND filter returns objects which match both child filters, in other words, an intersection:

```xml
<grouper:Filter xsi:type="grouper:AND">
  <grouper:Filter xsi:type="grouper:ExactAttribute" name="name" value="parentStem:group_name" />
  <grouper:Filter xsi:type="grouper:StemName" name="parentStem" scope="ONE" />
</grouper:Filter>
```

...

The OR filter returns objects which match either of the two child filters, in other words, a union:

```xml
<grouper:Filter xsi:type="grouper:OR">
  <grouper:Filter xsi:type="grouper:ExactAttribute" name="name" value="parentStem:group_name" />
  <grouper:Filter xsi:type="grouper:StemName" name="parentStem:childStem" scope="ONE" />
</grouper:Filter>
```

...

The MINUS filter returns objects which match the first child filter minus those which match the second child filter, in other words, the relative complement:

```xml
<grouper:GroupFilter xsi:type="grouper:Minus">
  <grouper:GroupFilter xsi:type="grouper:StemName" name="parentStem" scope="ONE" />
  <grouper:GroupFilter xsi:type="grouper:ExactAttribute" name="name" value="parentStem:group_name" />
</grouper:GroupFilter>
```
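The AND, OR and MINUS snippets above are shown as bare filters; the following added example (not from the Grouper documentation) puts a composite filter inside a data connector so that the connector only ever sees the groups an integration is supposed to expose. It assumes a hypothetical stem app:wiki with a hypothetical group app:wiki:admins beneath it, and it uses the element and type names that appear on this page (grouper:Filter, grouper:Minus, grouper:GroupInStem, grouper:GroupExactAttribute); combining them in this particular nesting is an assumption, since the page's own MINUS example uses the older ExactAttribute and StemName names.

```xml
<!-- Added example: a GroupDataConnector scoped to one subtree, with one sensitive group carved out.
     Stem and group names are hypothetical placeholders. -->
<resolver:DataConnector id="WikiGroupsMinusAdmins" xsi:type="grouper:GroupDataConnector">
  <!-- Request only the default "members" list for the groups that pass the filter. -->
  <grouper:Attribute id="members" />
  <grouper:Filter xsi:type="grouper:Minus">
    <!-- First child: everything under app:wiki at any depth (scope SUB). -->
    <grouper:Filter xsi:type="grouper:GroupInStem" name="app:wiki" scope="SUB" />
    <!-- Second child: the one group whose membership must not be exposed through this connector. -->
    <grouper:Filter xsi:type="grouper:GroupExactAttribute" name="name" value="app:wiki:admins" />
  </grouper:Filter>
</resolver:DataConnector>
```

Scoping at the connector rather than only at the attribute-release stage means a misconfigured or overly broad attribute definition downstream still cannot reach groups outside app:wiki, and the admins group is excluded before any membership query is run for it.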

...

The StemInStem filter returns stems which are children of the named stem with the given scope; because it selects stems, it is applied to a StemDataConnector:

```xml
<resolver:DataConnector id="StemNameFilterONE" xsi:type="grouper:StemDataConnector">
  <grouper:Filter xsi:type="grouper:StemInStem" name="parentStem" scope="ONE" />
</resolver:DataConnector>

<resolver:DataConnector id="StemNameFilterSUB" xsi:type="grouper:StemDataConnector">
  <grouper:Filter xsi:type="grouper:StemInStem" name="parentStem" scope="SUB" />
</resolver:DataConnector>
```

...

The StemNameExact filter returns the stem with the given name:

```xml
<resolver:DataConnector id="testFilterStemNameExact" xsi:type="grouper:StemDataConnector">
  <grouper:Filter xsi:type="grouper:StemNameExact" name="parentStem" />
</resolver:DataConnector>
```

...

The ChangeLogAudit filter returns change log entries with the given audit category and/or action.

```xml
<grouper:Filter xsi:type="psp-grouper-changelog:ChangeLogAudit" category="group" action="deleteGroup" />
```

...

The ChangeLogEntry filter returns change log entries with the given change log category and/or action.

```xml
<grouper:Filter xsi:type="psp-grouper-changelog:ChangeLogEntry" category="membership" action="deleteMembership" />
```

...

The ChangeLogExactAttribute filter returns change log entries with the given attribute name and value.

```xml
<grouper:Filter xsi:type="psp-grouper-changelog:ChangeLogExactAttribute" name="propertyChanged" value="description" />
```

...

The ChangeLogAttributeAssignType filter returns change log entries with the given attribute value assign type.

```xml
<grouper:Filter xsi:type="psp-grouper-changelog:ChangeLogAttributeAssignType" attributeAssignType="group" />
```

...

For example, the following "isMemberOf" attribute will have values consisting of the "name" of every Group:

```xml
<resolver:AttributeDefinition id="isMemberOf" xsi:type="grouper:Group" sourceAttributeID="groups" >
  <resolver:Dependency ref="GroupDataConnector" />
  <grouper:Attribute id="name" />
</resolver:AttributeDefinition>
```

...

For example, the following "member" attribute will have values consisting of the "name" attribute of every Member whose subject is from the "jdbc" source:

```xml
<resolver:AttributeDefinition id="member" xsi:type="grouper:Member" sourceAttributeID="members" >
  <resolver:Dependency ref="GroupDataConnector" />
  <grouper:Attribute id="name" source="jdbc" />
</resolver:AttributeDefinition>
```

...

For example, the following "owner" attribute will have values consisting of the "name" attribute of every Subject from the "jdbc" source:

```xml
<resolver:AttributeDefinition id="owner" xsi:type="grouper:Subject" sourceAttributeID="members" >
  <resolver:Dependency ref="GroupDataConnector" />
  <grouper:Attribute id="name" source="jdbc" />
</resolver:AttributeDefinition>
```

See Also

Exposing Groups Through Shibboleth

For an overview of authenticating to Grouper using Shib, see also the Grouper UI Training Video, around minute 7.30.

For controlling access to Grouper and protecting the UI with Shib, see the Newcastle University Contribution.