See below diagram for how an on-boarding staff member at Carnegie Mellon flows through our IAM infrastructure, and is provisioned resources thanks to Grouper and the GAP framework.
We've also found that application owners across campus, are able to leverage our ActiveMQ infrastructure, for provisioning/deprovisioning accounts into their own applications (hosted or in the cloud). For example, an application owner can come to us with the need to provision new staff into their application. We can provide them with sample ActiveMQ consumer code (which they can then adopt and host themselves) which will allow them to pick up on Grouper group change log messages and subsequently call the provisioning API for their application. This type of pattern has worked successfully for us, for services including Canvas and Slack.
Any questions/comments on the above, please drop me a line: Garrett King firstname.lastname@example.org
Grouper 2.1.4 was successfully deployed at Carnegie Mellon University in January 2013. Below is an architecture diagram that shows how we use Grouper in our Identity Management infrastructure.
PDF file from the IAM Online webinar