Overview

As of version 2.1.0, the grouper-shib project (grouper-shib.jar) provides Data Connector extensions and Attribute Definition extensions for the Shibboleth Attribute Resolver.

Previously, from version 1.5 onward, the Grouper API distribution (grouper.jar) provided this functionality.

Source code is available here.

Download from Maven Central.

<dependency>
  <groupId>edu.internet2.middleware.grouper</groupId>
  <artifactId>grouper-shib</artifactId>
  <version>2.1.0</version>
</dependency>

Grouper Data Connectors

Group Data Connector

The GroupDataConnector returns attributes which represent a Grouper Group.

GroupDataConnector - Attributes

The attributes returned for a group include built-in attributes such as id, name, displayName, extension, displayExtension, and description, as well as custom attributes and attribute framework attributes.

See the Grouper Glossary for more information on attributes.

The following example will return an attribute named "description" whose value is the description of a group :

<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector" />

<resolver:AttributeDefinition id="description" xsi:type="ad:Simple">
    <resolver:Dependency ref="GroupDataConnector" />
</resolver:AttributeDefinition>

GroupDataConnector - Lists (Memberships)

By default, no lists (memberships) are returned by the GroupDataConnector because they may be expensive to query. Lists which should be returned as attributes may be defined using the following naming convention :

<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
  <grouper:Attribute id="<members|group>[:<all|immediate|effective|composite>[:<list name>]]" />
</resolver:DataConnector>

Default List

The following example will return an attribute named "member" whose values are the "name" of every member from the "jdbc" subject source of the default "members" list of a group :

<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
  <grouper:Attribute id="members" />
</resolver:DataConnector>

<resolver:AttributeDefinition id="member" xsi:type="grouper:Member" sourceAttributeID="members" >
  <resolver:Dependency ref="GroupDataConnector" />
  <grouper:Attribute id="name" source="jdbc" />
</resolver:AttributeDefinition>

List Scope

The following example will return an attribute named "immediateMembers" whose values are the "name" of every immediate member from the "jdbc" source of the default "members" list of a group :

<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
  <grouper:Attribute id="members:immediate" />
</resolver:DataConnector>

<resolver:AttributeDefinition id="immediateMembers" xsi:type="grouper:Member" sourceAttributeID="members:immediate" >
  <resolver:Dependency ref="GroupDataConnector" />
  <grouper:Attribute id="name" source="jdbc" />
</resolver:AttributeDefinition>

Custom List

The following example will return an attribute named "customMembers" whose values are the "name" of every member from the "jdbc" source of the "customList" list of a group :

<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
  <grouper:Attribute id="members:all:customList" />
</resolver:DataConnector>

<resolver:AttributeDefinition id="customMembers" xsi:type="grouper:Member" sourceAttributeID="members:all:customList" >
  <resolver:Dependency ref="GroupDataConnector" />
  <grouper:Attribute id="name" source="jdbc" />
</resolver:AttributeDefinition>

Member Of List

The following example will return an attribute named "isMemberOf" whose values are the "name" of every group of which the group is a member :

<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
  <grouper:Attribute id="groups" />
</resolver:DataConnector>

<resolver:AttributeDefinition id="isMemberOf" xsi:type="grouper:Group" sourceAttributeID="groups" >
  <resolver:Dependency ref="GroupDataConnector" />
  <grouper:Attribute id="name" />
</resolver:AttributeDefinition>

GroupDataConnector - Privileges

Attributes representing Subjects which have Access Privileges to a group may be defined by privilege name as defined in the Grouper Glossary.

<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
  <grouper:Attribute id="admins" />
  <grouper:Attribute id="optins" />
  <grouper:Attribute id="optouts" />
  <grouper:Attribute id="readers" />
  <grouper:Attribute id="updaters" />
  <grouper:Attribute id="viewers" />
</resolver:DataConnector>

The following example will return an attribute named "admin" whose values are the "name" of every Subject which has the ADMIN privilege on a group :

<resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
  <grouper:Attribute id="admins" />
</resolver:DataConnector>

<resolver:AttributeDefinition id="admin" xsi:type="grouper:Subject" sourceAttributeID="admins" >
  <resolver:Dependency ref="GroupDataConnector" />
  <grouper:Attribute id="name" source="jdbc" />
</resolver:AttributeDefinition>
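
A consistency check for the list and privilege wiring described above, as an added example (not code from the grouper-shib project). It assumes a list or privilege sourceAttributeID is only populated when the referenced DataConnector declares a grouper:Attribute with the same id, as every example on this page does; the `audit` and `local` names are hypothetical and the namespace URIs in the sample are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Convention from the page: <members|group>[:<all|immediate|effective|composite>[:<list name>]]
# "groups" is accepted too, because the page's own examples use id="groups".
LIST_ID = re.compile(r"^(members|groups?)(:(all|immediate|effective|composite)(:[^:\s]+)?)?$")
PRIVILEGES = {"admins", "optins", "optouts", "readers", "updaters", "viewers"}

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop "{namespace}" so any namespace URI works

def audit(xml_text):
    """Return (element id, problem) pairs for list/privilege attribute wiring."""
    root = ET.fromstring(xml_text)
    declared, findings = {}, []
    for dc in (e for e in root.iter() if local(e.tag) == "DataConnector"):
        ids = [c.get("id", "") for c in dc if local(c.tag) == "Attribute"]
        declared[dc.get("id")] = set(ids)
        for attr_id in ids:
            head = attr_id.split(":")[0]
            if head in ("members", "group", "groups") and not LIST_ID.match(attr_id):
                findings.append((dc.get("id"), f"malformed list id '{attr_id}'"))
    for ad in (e for e in root.iter() if local(e.tag) == "AttributeDefinition"):
        src = ad.get("sourceAttributeID")
        if not src or not (LIST_ID.match(src) or src in PRIVILEGES):
            continue  # only list and privilege sources are checked here
        for dep in (c for c in ad if local(c.tag) == "Dependency"):
            ref = dep.get("ref")
            if src not in declared.get(ref, set()):
                findings.append((ad.get("id"), f"'{src}' is not declared on {ref}"))
    return findings

# Constructed sample: "members:direct" is a deliberately invalid scope, and the
# "admin" definition reads a privilege the connector never declares.
SAMPLE = """<resolver:AttributeResolver xmlns:resolver="urn:example:resolver"
    xmlns:grouper="urn:example:grouper" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:DataConnector id="GroupDataConnector" xsi:type="grouper:GroupDataConnector">
    <grouper:Attribute id="members:immediate" />
    <grouper:Attribute id="members:direct" />
  </resolver:DataConnector>
  <resolver:AttributeDefinition id="immediateMembers" xsi:type="grouper:Member" sourceAttributeID="members:immediate">
    <resolver:Dependency ref="GroupDataConnector" />
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition id="admin" xsi:type="grouper:Subject" sourceAttributeID="admins">
    <resolver:Dependency ref="GroupDataConnector" />
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running such a check before deploying a resolver change catches an authorization attribute that would otherwise be released empty, and shows which privilege lists a connector actually exposes.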

Member Data Connector

The MemberDataConnector returns attributes which represent a Grouper Member. Returned attributes, lists, and privileges must be specified to maximize retrieval performance.

<resolver:DataConnector id="MemberDataConnector" xsi:type="grouper:MemberDataConnector">
  <grouper:Attribute id="name" />
  <grouper:Attribute id="description" />
  <grouper:Attribute id="groups" />
  <grouper:Attribute id="admins" />
</resolver:DataConnector>

Member Data Connector - Attributes

The following example will return an attribute named "name" whose value is the name of a Member :

<resolver:DataConnector id="MemberDataConnector" xsi:type="grouper:MemberDataConnector" >
  <grouper:Attribute id="name" />
</resolver:DataConnector>

<resolver:AttributeDefinition id="name" xsi:type="ad:Simple">
    <resolver:Dependency ref="MemberDataConnector" />
</resolver:AttributeDefinition>

Member Data Connector - Lists

The following example will return an attribute named "isMemberOf" whose values are the "name" of every Group whose default "members" list includes the Member :

<resolver:DataConnector id="MemberDataConnector" xsi:type="grouper:MemberDataConnector">
  <grouper:Attribute id="groups" />
</resolver:DataConnector>

<resolver:AttributeDefinition id="isMemberOf" xsi:type="grouper:Group" sourceAttributeID="groups" >
  <resolver:Dependency ref="MemberDataConnector" />
  <grouper:Attribute id="name" />
</resolver:AttributeDefinition>

Member Data Connector - Privileges

Attributes representing Groups to which a Member's subject has Access Privileges may be defined by privilege name as defined in the Grouper Glossary.

<resolver:DataConnector id="MemberDataConnector" xsi:type="grouper:MemberDataConnector">
  <grouper:Attribute id="admins" />
  <grouper:Attribute id="optins" />
  <grouper:Attribute id="optouts" />
  <grouper:Attribute id="readers" />
  <grouper:Attribute id="updaters" />
  <grouper:Attribute id="viewers" />
</resolver:DataConnector>

The following example will return an attribute named "admin" whose values are the "name" of every Group to which the Member's subject has the ADMIN privilege :

<resolver:DataConnector id="MemberDataConnector" xsi:type="grouper:MemberDataConnector">
  <grouper:Attribute id="admins" />
</resolver:DataConnector>

<resolver:AttributeDefinition id="admin" xsi:type="grouper:Group" sourceAttributeID="admins" >
  <resolver:Dependency ref="MemberDataConnector" />
  <grouper:Attribute id="name" />
</resolver:AttributeDefinition>

Stem Data Connector

The StemDataConnector returns stems from Grouper. The attributes returned for a stem include built-in attributes such as id, name, displayName, extension, displayExtension, and description, as well as custom attributes and attribute framework attributes.

<resolver:DataConnector id="StemDataConnector" xsi:type="grouper:StemDataConnector" />

Filters

Objects returned by the data connectors may be filtered.

Filter - GroupExactAttribute

The GroupExactAttribute returns groups which have an exact attribute value :

<resolver:DataConnector id="testFilterExactAttribute" xsi:type="grouper:GroupDataConnector">
  <grouper:Filter xsi:type="grouper:GroupExactAttribute" name="name" value="stem:group" />
</resolver:DataConnector>

Filter - GroupInStem

The GroupInStem returns groups which are children of the named stem with the given scope :

<resolver:DataConnector id="StemNameFilterONE" xsi:type="grouper:GroupDataConnector">
  <grouper:Filter xsi:type="grouper:GroupInStem" name="parentStem" scope="ONE" />
</resolver:DataConnector>

<resolver:DataConnector id="StemNameFilterSUB" xsi:type="grouper:GroupDataConnector">
  <grouper:Filter xsi:type="grouper:GroupInStem" name="parentStem" scope="SUB" />
</resolver:DataConnector>

Filter - AND

The AND filter returns objects which match both child filters, in other words, an Intersection :

<grouper:Filter xsi:type="grouper:AND">
  <grouper:Filter xsi:type="grouper:ExactAttribute" name="name" value="parentStem:group_name" />
  <grouper:Filter xsi:type="grouper:StemName" name="parentStem" scope="ONE" />
</grouper:Filter>

Filter - OR

The OR filter returns objects which match either of two child filters, in other words, a Union :

<grouper:Filter xsi:type="grouper:OR">
  <grouper:Filter xsi:type="grouper:ExactAttribute" name="name" value="parentStem:group_name" />
  <grouper:Filter xsi:type="grouper:StemName" name="parentStem:childStem" scope="ONE" />
</grouper:Filter>

Filter - MINUS

The MINUS filter returns objects which match the result of the first child filter minus the result of the second child filter, in other words, the Complement :

<grouper:GroupFilter xsi:type="grouper:Minus">
  <grouper:GroupFilter xsi:type="grouper:StemName" name="parentStem" scope="ONE" />
  <grouper:GroupFilter xsi:type="grouper:ExactAttribute" name="name" value="parentStem:group_name" />
</grouper:GroupFilter>

Filter - StemInStem

The StemInStem filter returns stems which are children of the named stem with the given scope :

<resolver:DataConnector id="StemNameFilterONE" xsi:type="grouper:GroupDataConnector">
  <grouper:Filter xsi:type="grouper:StemInStem" name="parentStem" scope="ONE" />
</resolver:DataConnector>

<resolver:DataConnector id="StemNameFilterSUB" xsi:type="grouper:GroupDataConnector">
  <grouper:Filter xsi:type="grouper:StemInStem" name="parentStem" scope="SUB" />
</resolver:DataConnector>

Filter - StemNameExact

The StemNameExact filter returns stems with the given name :

<resolver:DataConnector id="testFilterStemNameExact" xsi:type="grouper:StemDataConnector">
  <grouper:Filter xsi:type="grouper:StemNameExact" name="parentStem" />
</resolver:DataConnector>

Attribute Definition

Group Attribute Definition

The GroupAttributeDefinition returns Group attributes.

For example, the following "isMemberOf" attribute will have values consisting of the "name" of every Group :

<resolver:AttributeDefinition id="isMemberOf" xsi:type="grouper:Group" sourceAttributeID="groups" >
  <resolver:Dependency ref="GroupDataConnector" />
  <grouper:Attribute id="name" />
</resolver:AttributeDefinition>

Member Attribute Definition

The MemberAttributeDefinition returns Member attributes.

For example, the following "member" attribute will have values consisting of the "name" attribute of every Member whose subject is from the "jdbc" source :

<resolver:AttributeDefinition id="member" xsi:type="grouper:Member" sourceAttributeID="members" >
  <resolver:Dependency ref="GroupDataConnector" />
  <grouper:Attribute id="name" source="jdbc" />
</resolver:AttributeDefinition>

Subject Attribute Definition

The SubjectAttributeDefinition returns Subject attributes.

For example, the following "owner" attribute will have values consisting of the "name" attribute of every Subject from the "jdbc" source :

<resolver:AttributeDefinition id="owner" xsi:type="grouper:Subject" sourceAttributeID="members" >
  <resolver:Dependency ref="GroupDataConnector" />
  <grouper:Attribute id="name" source="jdbc" />
</resolver:AttributeDefinition>