| Include Page | ||||
|---|---|---|---|---|
|
Overview
As of v1.5, the Grouper API distribution, grouper.jar, provides a Data Connector Extension and Attribute Definition Extensions to version 2.1.0, the grouper-shib project (grouper-shib.jar) provides Data Connector extensions and Attribute Definition extensions for the Shibboleth Attribute Resolver.
The namespace and schema location are:
...
<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
xmlns:grouper="http://grouper.internet2.edu/shibboleth/2.0"
xsi:schemaLocation="http://grouper.internet2.edu/shibboleth/2.0 classpath:/schema/shibboleth-2.0-grouper.xsd"
...
Previously as of version 1.5, the Grouper API distribution (grouper.jar) provided this functionality.
Source code is available here.
Download from Maven Central.
| Code Block | ||||
|---|---|---|---|---|
| ||||
<dependency>
<groupId>edu.internet2.middleware.grouper</groupId>
<artifactId>grouper-shib</artifactId>
<version>2.1.0</version>
</dependency>
|
Grouper Data Connectors
Group Data Connector
The GroupDataConnector returns attributes which represent a Grouper Group.
GroupDataConnector - Attributes
The attributes returned for a group include built-in attributes such as id, name, displayName, extension, displayExtension, and description, as well as custom attributes and attribute framework attributes.
See the Grouper Glossary for more information on attributes.
The following example will return an attribute named "description" whose value is the description of a group :
| Code Block | ||||
|---|---|---|---|---|
| ||||
<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector" />
<resolver:AttributeDefinition id="description" xsi:type="ad:Simple">
<resolver:Dependency ref="GroupDataConnector" />
</resolver:AttributeDefinition>
|
GroupDataConnector - Lists (Memberships)
By default, no lists (memberships)
These were chosen as part of the design for a completely new (and as yet incomplete) way to provision Grouper information into LDAP directories, and perhaps other target repository types. However, they also offer a new means of including Grouper information in Shibboleth-based SAML attribute assertions.
Sites interesting in integrating these new capabilities into their Shibboleth IdP are advised to conduct extensive testing prior to implementing in a production environment.
Grouper Data Connectors
Group Data Connector
The GroupDataConnector returns attributes which represent a Grouper Group.
GroupDataConnector - Attributes
By default, all attributes (default and custom) of a group are returned by the GroupDataConnector. The names of default attributes are defined in the Grouper Glossary : id, name, displayName, extension, displayExtension, and description.
The following example will return an attribute named "description" whose value is the description of a group :
...
<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector" />
<resolver:AttributeDefinition id="description" xsi:type="ad:Simple">
<resolver:Dependency ref="GroupDataConnector" />
</resolver:AttributeDefinition>
GroupDataConnector - Lists
By default, no lists are returned by the GroupDataConnector because they may be expensive to query. Lists which should be returned as attributes may be defined using the following naming convention :
| Code Block | ||||
|---|---|---|---|---|
| ||||
<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
<grouper:Attribute id="<members|group>[:<all|immediate|effective|composite>[:<list name>]]" />
</resolver:DataConnector>
|
...
The following example will return an attribute named "member" whose values are the "name" of every Member member from the "jdbc" subject source of the default "members" list of a group :
| Code Block | ||||
|---|---|---|---|---|
| ||||
<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
<grouper:Attribute id="members" />
</resolver:DataConnector>
<resolver:AttributeDefinition id="member" xsi:type="grouper:Member" sourceAttributeID="members" >
<resolver:Dependency ref="GroupDataConnector" />
<grouper:Attribute id="name" source="jdbc" />
</resolver:AttributeDefinition>
|
...
The following example will return an attribute named "immediateMembers" whose values are the "name" of every immediate Member of the member from the "jdbc" source of the default "members" list of a group :
...
The following example will return an attribute named "customMembers" whose values are the "name" of every Member member from the "jdbc" source of the "customList" list of a group :
...
The following example will return an attribute named "isMemberOf" whose values are the "name" of every Group group of which the group is a member of :
...
Attributes representing Subjects which have Access Privileges to a group may be defined by privilege name as defined in the Grouper Glossary.
| Code Block | ||||
|---|---|---|---|---|
| ||||
<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
<grouper:Attribute id="admins" />
<grouper:Attribute id="optins" />
<grouper:Attribute id="optouts" />
<grouper:Attribute id="readers" />
<grouper:Attribute id="updaters" />
<grouper:Attribute id="viewers" />
</resolver:DataConnector>
|
The following example will return an attribute named "admin" whose values are the "name" of every Subject which has the ADMIN privilege on a group :
| Code Block | ||||
|---|---|---|---|---|
| ||||
<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
<grouper:Attribute id="admins" />
</resolver:DataConnector>
<resolver:AttributeDefinition id="admin" xsi:type="grouper:Subject" sourceAttributeID="admins" >
<resolver:Dependency ref="GroupDataConnector" />
<grouper:Attribute id="name" source="jdbc" />
</resolver:AttributeDefinition>
|
...
The MemberDataConnector returns attributes which represent a Grouper Member. The Returned attributes, lists, and privileges to be returned must be definedspecified to maximize retrieval performance.
| Code Block | ||||
|---|---|---|---|---|
| ||||
<resolver:DataConnector id="MemberDataConnector" xsi:type="grouper:MemberDataConnector"> <grouper:Attribute id="name" source="jdbc" /> <grouper:Attribute id="description" source="jdbc" /> <grouper:Attribute id="groups" /> <grouper:Attribute id="admins" /> </resolver:DataConnector> |
...
The following example will return an attribute named "name" whose value is the name of a Member :
| Code Block | ||||
|---|---|---|---|---|
| ||||
<resolver:DataConnector id="MemberDataConnector" xsi:type="grouper:MemberDataConnector" > <grouper:Attribute id="name" source="jdbc" /> </resolver:DataConnector> <resolver:AttributeDefinition id="name" xsi:type="ad:Simple"> <resolver:Dependency ref="MemberDataConnector" /> </resolver:AttributeDefinition> |
...
The following example will return an attribute named "isMemberOf" whose values are the "name" of every Group to which the Member is a member of the default "members" list :
| Code Block | ||||
|---|---|---|---|---|
| ||||
<resolver:DataConnector id="MemberDataConnector" xsi:type="grouper:MemberDataConnector">
<grouper:Attribute id="groups" />
</resolver:DataConnector>
<resolver:AttributeDefinition id="isMemberOf" xsi:type="grouper:Group" sourceAttributeID="groups" >
<resolver:Dependency ref="MemberDataConnector" />
<grouper:Attribute id="name" />
</resolver:AttributeDefinition>
|
...
Attributes representing Groups to which a Member's subject has Access Privileges may be defined by privilege name as defined in the Grouper Glossary.
| Code Block | ||||
|---|---|---|---|---|
| ||||
<resolver:DataConnector id="MemberDataConnector" xsi:type="grouper:MemberDataConnector">
<grouper:Attribute id="admins" />
<grouper:Attribute id="optins" />
<grouper:Attribute id="optouts" />
<grouper:Attribute id="readers" />
<grouper:Attribute id="updaters" />
<grouper:Attribute id="viewers" />
</resolver:DataConnector>
|
The following example will return an attribute named "admin" whose values are the "name" of every Group to which the Member's subject has the ADMIN privilege :
| Code Block | ||||
|---|---|---|---|---|
| ||||
<resolver:DataConnector id="MemberDataConnector" xsi:type="grouper:MemberDataConnector"> <grouper:Attribute id="admins" /> </resolver:DataConnector> <resolver:AttributeDefinition id="admin" xsi:type="grouper:Group" sourceAttributeID="admins" > <resolver:Dependency ref="MemberDataConnector" /> <grouper:Attribute id="name" /> </resolver:AttributeDefinition> |
Stem Data Connector
ref="MemberDataConnector" />
<grouper:Attribute id="name" />
</resolver:AttributeDefinition>
|
Stem Data Connector
The StemDataConnector returns stems from Grouper. The attributes returned for a stem include built-in attributes such as id, name, displayName, extension, displayExtension, and description, as well as custom attributes and attribute framework attributes.
| Code Block | ||||
|---|---|---|---|---|
| ||||
<resolver:DataConnector id="StemDataConnector" xsi:type="grouper:StemDataConnector" />
|
Filters
Objects returned by the data connectors may be filtered.
Filter - GroupExactAttribute
The GroupExactAttribute returns groups which have an exact attribute value :The StemDataConnector returns stems from Grouper.
| Code Block | ||||
|---|---|---|---|---|
| ||||
<resolver:DataConnector id="StemDataConnectortestFilterExactAttribute" xsi:type="grouper:StemDataConnector:GroupDataConnector"> <grouper:Filter xsi:type="grouper:GroupExactAttribute" name="name" value="stem:group" /> |
Group Filters
</resolver:DataConnector>
|
Filter - GroupInStem
The GroupInStem returns groups which are children of the named stem with the given scope :The subset of Groups to be returned by the GroupDataConnector or memberships returned by the MemberDataConnector may be filtered.
| Code Block | ||||
|---|---|---|---|---|
| ||||
<resolver:DataConnector id="GroupDataConnectorStemNameFilterONE" xsi:type="grouper:GroupDataConnector"> <grouper:GroupFilterFilter xsi:type="grouper:MinusGroupInStem"> name="parentStem" <grouper:GroupFilter xsi:type="grouper:StemName" name="um:manual" scope="SUB" /> <grouper:GroupFilterscope="ONE" /> </resolver:DataConnector> <resolver:DataConnector id="StemNameFilterSUB" xsi:type="grouper:GroupDataConnector"> <grouper:Filter xsi:type="grouper:ExactAttributeGroupInStem" name="GROUP.statusparentStem" valuescope="NO_PROVISIONINGSUB" /> </grouper:GroupFilter> </resolver:DataConnector> |
...
Filter - AND
The ExactAttributeGroupFilter AND filter returns groups which possess an exact attribute value objects which match both child filters, in other words, an Intersection :
| Code Block | ||||
|---|---|---|---|---|
| ||||
<resolver:DataConnector id="testFilterExactAttribute" <grouper:Filter xsi:type="grouper:AND"> <grouper:Filter xsi:type="grouper:GroupDataConnector"> ExactAttribute" name="name" value="parentStem:group_name" /> <grouper:GroupFilterFilter xsi:type="grouper:ExactAttributeStemName" name="nameparentStem" valuescope="stem:group_nameONE" /> </resolvergrouper:DataConnector>Filter> |
...
Filter - OR
The StemNameGroupFilter OR filter returns groups objects which are children of the named stem with the given scope match either of two child filters, in other words, a Union :
| Code Block | ||||
|---|---|---|---|---|
| ||||
<resolver:DataConnector id="StemNameFilterONE" <grouper:Filter xsi:type="grouper:GroupDataConnectorOR"> <grouper:GroupFilterFilter xsi:type="grouper:StemNameExactAttribute" name="parentStemname" scopevalue="ONEparentStem:group_name" /> </resolver:DataConnector> <resolver:DataConnector id="StemNameFilterSUB" xsi:type="grouper:GroupDataConnector"> <grouper:GroupFilterFilter xsi:type="grouper:StemName" name="parentStem:childStem" scope="SUBONE" /> </resolvergrouper:DataConnector> |
...
Filter>
|
Filter - MINUS
The AndGroupFilter MINUS filter returns groups which match two group filters, e.g. an Intersection objects which match the result of the first child filter minus the result of the second child filter, in other words, the Complement :
| Code Block | ||||
|---|---|---|---|---|
| ||||
<resolver:DataConnector id="AndFilter" xsi:type="grouper:GroupDataConnector"> <grouper:GroupFilter xsi:type="grouper:ANDMinus"> <grouper:GroupFilter xsi:type="grouper:ExactAttributeStemName" name="nameparentStem" valuescope="parentStem:group_nameONE" /> <grouper:GroupFilter xsi:type="grouper:StemNameExactAttribute" name="parentStemname" scopevalue="ONEparentStem:group_name" /> </grouper:GroupFilter> </resolver:DataConnector> |
...
Filter - StemInStem
The OrGroupFilter StemInStem filter returns groups stems which match either of two group filters, e.g. a Union are children of the named stem with the given scope :
| Code Block | ||||
|---|---|---|---|---|
| ||||
<resolver:DataConnector id="OrFilterStemNameFilterONE" xsi:type="grouper:GroupDataConnector"> <grouper:GroupFilter xsi:type="grouper:OR"> <grouper:GroupFilter xsi:type="grouper:ExactAttribute" name="name" value="parentStem:group_name" /> <grouper:GroupFilterFilter xsi:type="grouper:StemNameStemInStem" name="parentStem:childStem" scope="ONE" /> </grouper:GroupFilter> </resolver:DataConnector> |
MinusGroupFilter
The MinusGroupFilter returns groups which match the result of the first group fiter minus the result of the second group filter, e.g. the Complement :
| Code Block | ||
|---|---|---|
| xml | xml | <resolver:DataConnector id="MinusFilterStemNameFilterSUB" xsi:type="grouper:GroupDataConnector"> <grouper:Filter xsi:type="grouper:StemInStem" name="parentStem" scope="grouper:GroupDataConnector">"SUB" /> </resolver:DataConnector> |
Filter - StemNameExact
The StemNameExact filter returns stems with the given name :
| Code Block | ||||
|---|---|---|---|---|
| ||||
<grouper<resolver:GroupFilterDataConnector xsi:typeid="grouper:Minus"> <grouper:GroupFiltertestFilterStemNameExact" xsi:type="grouper:StemName" name="parentStem" scope="ONE" /StemDataConnector"> <grouper:GroupFilterFilter xsi:type="grouper:ExactAttribute" name="nameStemNameExact" valuename="parentStem:group_name" /> </grouper:GroupFilter> </resolver:DataConnector> |
Attribute Definition
Group Attribute Definition
The Grouper GroupAttributeDefinition creates an attribute whose values are the attribute values of every GroupGroupAttributeDefinition returns Group attributes.
For example, the following "isMemberOf" attribute will have values consisting of the "name" of every Group :
| Code Block | ||||
|---|---|---|---|---|
| ||||
<resolver:AttributeDefinition id="isMemberOf" xsi:type="grouper:Group" sourceAttributeID="groups" >
<resolver:Dependency ref="GroupDataConnector" />
<grouper:Attribute id="name" />
</resolver:AttributeDefinition>
|
Member Attribute Definition
The Grouper MemberAttributeDefinition creates an attribute whose values are the subject attribute values of every MemberMemberAttributeDefinition returns Member attributes.
For example, the following "member" attribute will have values consisting of the "name" attribute of every Member whose subject is from the "jdbc" source :
| Code Block | ||||
|---|---|---|---|---|
| ||||
<resolver:AttributeDefinition id="member" xsi:type="grouper:Member" sourceAttributeID="members" >
<resolver:Dependency ref="GroupDataConnector" />
<grouper:Attribute id="name" source="jdbc" />
</resolver:AttributeDefinition>
|
Subject Attribute Definition
The Grouper SubjectAttributeDefinition creates an attribute whose values are attribute values of every SubjectSubjectAttributeDefinition returns Subject attributes.
For example, the following "owner" attribute will have values consisting of the "name" attribute of every Subject from the "jdbc" source :
| Code Block | ||||
|---|---|---|---|---|
| ||||
<resolver:AttributeDefinition id="owner" xsi:type="grouper:Subject" sourceAttributeID="members" >
<resolver:Dependency ref="GroupDataConnector" />
<grouper:Attribute id="name" source="jdbc" />
</resolver:AttributeDefinition>
|