If your deployment only requires administrator access to the Grouper UI then using basic auth for the 'GrouperSystem' account may be sufficient.

If, however, you expect COmanage Registry users to also access the Grouper UI, then you may wish to configure your SSO system, such as SAML/Shibboleth, so that users access the Grouper UI using SSO. Having users access the Grouper UI with SSO requires that the identifier provided by the SSO system to the Grouper UI match a login identifier for a subject or user known to Grouper. Specifically, the identifier that the SSO system provides to the Grouper UI should match the identifier you configured in the Grouper Provisioner in the "Grouper subject UI login identifier" drop-down menu.

Before making configuration changes to your SSO system for the Grouper UI, we recommend you first configure Grouper to enable a "wheel" group (subjects in the wheel group will be able to access Grouper as if they were the GrouperSystem user) and add at least one administrator user (often the CO administrator) to the wheel group:

  1. Edit the file /opt/grouper/grouper.apiBinary-2.2.2/conf/grouper.properties and add the lines

    configuration.autocreate.system.groups = true
    groups.wheel.use = true
  2. Copy the edited grouper.properties file into the following locations in the WS and UI directories:

    /opt/grouper/grouper.ws-2.2.2/grouper-ws/build/dist/grouper-ws/WEB-INF/classes/grouper.properties
    /opt/grouper/grouper.ui-2.2.2/dist/grouper/WEB-INF/classes/grouper.properties
  3. Start the Grouper shell:

    cd /opt/grouper/grouper.apiBinary-2.2.2
    sudo -u tomcat6 ./bin/gsh.sh

    As GSH starts up you should see the text

    Grouper warning: cannot find group from config: wheel group from grouper.properties key: groups.wheel.group: etc:sysadmingroup
    Grouper note: auto-created wheel group from grouper.properties key: groups.wheel.group: etc:sysadmingroup
  4. Restart Tomcat.
  5. Browse to the Grouper UI and login as the GrouperSystem user using basic auth.
  6. Use the Grouper UI to add the CO administrator to the etc:sysadmingroup.
  7. Configure your SSO system so that the identifier provided to the Grouper UI (usually via the $REMOTE_USER Apache environment variable) for an authenticated user is the identifier you configured in the Grouper provisioner in the "Grouper subject UI login identifier" drop-down menu. A common deployment pattern with SAML/Shibboleth is to have the Shibboleth SP use the eduPersonPrincipalName (eppn) asserted by the user's IdP to query a SAML attribute authority populated by the COmanage Registry to retrieve the associated identifier.
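
Steps 1 and 2 above are easy to get wrong on a repeat run (a duplicated key, or a UI copy that silently lags behind the API copy). The following script, an added example that is not part of the COmanage or Grouper documentation, sets the two wheel-group properties idempotently and then verifies that the WS and UI copies are byte-identical to the API copy; the file paths default to the ones listed above and can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from the COmanage or Grouper documentation): enable the
# Grouper "wheel" group in grouper.properties idempotently and keep the UI and
# WS copies identical to the API copy. Paths default to the ones used above.
set -eu

API_PROPS="${API_PROPS:-/opt/grouper/grouper.apiBinary-2.2.2/conf/grouper.properties}"
WS_PROPS="${WS_PROPS:-/opt/grouper/grouper.ws-2.2.2/grouper-ws/build/dist/grouper-ws/WEB-INF/classes/grouper.properties}"
UI_PROPS="${UI_PROPS:-/opt/grouper/grouper.ui-2.2.2/dist/grouper/WEB-INF/classes/grouper.properties}"

# Escape the dots in a property key so it can be used literally in a sed regex.
key_re() { printf '%s' "$1" | sed 's/\./\\./g'; }

# get_prop FILE KEY: print the last value set for KEY (empty if unset).
get_prop() {
  sed -n "s/^[[:space:]]*$(key_re "$2")[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# set_prop FILE KEY VALUE: rewrite an existing "KEY = ..." line in place or
# append one, so re-running never duplicates the key.
set_prop() {
  if grep -q "^[[:space:]]*$(key_re "$2")[[:space:]]*=" "$1"; then
    tmp=$(mktemp)
    sed "s/^[[:space:]]*$(key_re "$2")[[:space:]]*=.*/$2 = $3/" "$1" > "$tmp"
    cat "$tmp" > "$1"   # overwrite contents, keeping the file's owner and mode
    rm -f "$tmp"
  else
    printf '%s = %s\n' "$2" "$3" >> "$1"
  fi
}

# Step 1 above: the two properties that make Grouper auto-create and honour
# the wheel group (etc:sysadmingroup by default).
enable_wheel_group() {
  set_prop "$1" configuration.autocreate.system.groups true
  set_prop "$1" groups.wheel.use true
}

# Step 2 above: copy the API file over the WS and UI copies, then verify that
# all three agree, so the UI cannot silently run with a stale wheel setting.
sync_and_verify() {
  cp "$API_PROPS" "$WS_PROPS" && cp "$API_PROPS" "$UI_PROPS"
  cmp -s "$API_PROPS" "$WS_PROPS" && cmp -s "$API_PROPS" "$UI_PROPS" \
    && [ "$(get_prop "$UI_PROPS" groups.wheel.use)" = true ]
}
# Usage: API_PROPS=... WS_PROPS=... UI_PROPS=... sh wheel.sh --apply
if [ "${1:-}" = "--apply" ]; then
  enable_wheel_group "$API_PROPS" && sync_and_verify && echo "wheel group enabled"
fi
```

Run it as the Tomcat user (or with sudo) so the rewritten files keep their existing ownership, then continue with step 3.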
If a COmanage Registry platform administrator needs to access the Grouper UI and have "root" privileges but is not part of the CO, you can configure a Grouper Provisioner for the default COmanage CO and add another source of subjects in the Grouper sources.xml file. Be sure that you have a mechanism for your SSO system to resolve the appropriate identifier and make it available to the Grouper UI.