grouper-dev - Draft Minutes: Grouper/Signet Combined WG Meeting, Spring Internet2 Member Meeting, 23-Apr-07

Subject: Grouper Developers Forum

  • From: "Jessica Bibbee" <>
  • To: , Signet <>
  • Subject: Draft Minutes: Grouper/Signet Combined WG Meeting, Spring Internet2 Member Meeting, 23-Apr-07
  • Date: Wed, 2 May 2007 11:05:19 -0400

Grouper/Signet Combined Working Group Meeting
Spring 2007 Internet2 Member Meeting

Arlington, VA – Gateway Marriott, Salon H
April 23, 2007

*Speakers*
Tom Barton, U. Chicago (chair, Grouper)
Lynn McRae, Stanford U. (chair, Signet)

*From the Field*
Kathryn Huxtable, U. Kansas
James Cramton, Brown U.

*Attendees*
Mike Grady, UIUC
Roland Hedberg, UMU
Thomas Lenggenhager, SWITCH
John-Paul Robinson, UAB
Tom Parker, Cornell U.
Joy Veronneau, Cornell U.
Andrea Beesing, Cornell U.
Tom Dopirak, Carnegie Mellon U.
Klara Jelinkova, Duke U.
Kindra Tully, Georgetown U.
Jeremy Sarnovsky, Georgetown U.
Jim Jokl, U. Virginia
John Paschoud, LSE/JISC
David Wasley, U. California
Saul Tannenbaum, Tufts U.
David Walker, UCOP
Denis Hancock, U. Missouri
Etan Weintraub, OHU
Andy Baldwin, JHU
Robert Banz, UMBC
Brendan Bellina, USC
Asbed Bedrossian, USC
Scotty Logan, Stanford U.
Heather Flanagan, Stanford U.
Bruce Vincent, Stanford U.
Anne Marie Alexander, Duke U.
IJ Kim, Internet2
Jessica Bibbee, Internet2 (scribe)

*Program URL*
     http://events.internet2.edu/2007/spring-mm/sessionDetails.cfm?session=3217&event=267

*Session Abstract*
This joint Signet and Grouper Working Group meeting will have a focus on lessons being learned through campus implementation experiences. Project leaders will also highlight what's new in the latest releases and guide discussion over product roadmaps. The session will open with a brief orientation for attendees new to these working groups. We look forward to hearing about your Grouper and Signet implementation progress, and any other discussion items related to your deployment. Please come ready to verbally present condensed feedback based on your implementation experiences. You are also welcome to bring a handout or a slide or two if that would improve the feedback.

New *Action Items*
[AI] {James} will share performance numbers with the Grouper-users mailing list.

*Agenda*
1. Agenda build
2. Orientation
3. New Releases
4. Feedback from the Field - Joy, Kathryn, James, Anne Marie-

*Agenda* - items that time did not allow for
5. Roadmap
6. passwords in xml files (sources.xml, Hibernate properties)
7. SASL

*Discussion*
{Tom} gave a brief introduction to the Identity Management model, where applications hook into the existing infrastructure. The Identity Management model can be found here: <https://wiki.internet2.edu/confluence/download/attachments/1489/0704_idm_model.jpg?version=1>.

A second diagram showing the Integration Technologies for Signet & Grouper can be found along with information on the LDAP Provisioning Connector (LDAPPC): <https://wiki.internet2.edu/confluence/display/i2miCommon/Ldappc+v1.0>.

     Additional Resources:
          .Identity and Access Management Infosheet, see: <http://www.internet2.edu/pubs/200703-IS-MW.pdf>
          .Grouper <http://www.internet2.edu/pubs/200704-IS-GRP.pdf>
          .Signet Infosheet <http://www.internet2.edu/pubs/200704-IS-SIG.pdf>

-Quickstart Demo-
{Tom and Dave} gave separate demos of the Grouper and Signet quickstart. {Tom} shared the Bristol demo, which has the option to export members. {Kathryn} added that the QuickStart option to export in CSV format works nicely on a Mac. {Joy} mentioned a few performance issues that Cornell was experiencing with the recent Grouper Release Candidate v1.2.

{Lynn} said that the changes in Signet v1.2 are foundational, meaning they will appear invisible to most. He added that there are three major areas of reengineering, including:
1. a reworking of the Subject API, including a strategy for persisting subject data into Signet,
2. intentions to share 3rd party libs across products, such that they will run/execute together under an I2MI-Common blanket, without stepping on each other's Hibernate configuration and XML strategies, and
3. a doppelganger strategy which will require less hand editing of configuration files and ultimately will reduce the installation instructions to a much simpler form.

-Feedback from the Field - Joy, Kathryn, James, Anne Marie-
{Joy} shared a Cornell perspective, as they began their replacement of PermitServer with Grouper. How could they query group memberships? As memberships are kept in a database and LDAPPC looks to be an option, they chose to do a combination of things. They still have a need to use LDAP for some applications that have to query for memberships. Another problem they faced was whether to make group memberships accessible to all; they finally decided that there was good reasoning to continue allowing some groups to remain hidden. If the name of a group is known, it would not need to be viewed by all in order for the query to still return the group.

{Joy} spoke of a new object class called Cornelledugroupreadpriv, which is essentially the equivalent of GrouperAll.

Look for {Joy's} slides to be posted below the meeting abstract: <http://events.internet2.edu/2007/spring-mm/sessionDetails.cfm?session=3217&event=267>.

{James} mentioned Brown Grouper and how they work out the basic information first, and apply ACLs later. In terms of exposing the attribute regarding access rights, the general framework is read/view, where one can see the group and/or its members. While they do not have the specifics for how that will be engineered, they hope to support an optin/optout capability.

{Tom} asked if they were to use LDAPPC and it had the capability to populate a list in LDAP group object, would that be sufficient. If Grouper can put it into read privileges, which would be passed on by way of the provisioning connector, rendering it in terms of the DN. {James} agreed that this functionality would meet their needs.

{Kathryn} stated that U. Kansas has deployed Grouper in Production, and are looking next to pilot some applications with Signet. She described how LDAPPC works for groups, but that she saw a need to rework some of the code to accommodate isMemberOf for people object, as it has to figure out which members have that group. This creates a massive load on the directory of nearly 70K people. A next step is to take LDAPPC and RDBPC code (see the U. Kansas wiki page for more information: <https://wiki.internet2.edu/confluence/display/GrouperWG/The+University+of+Kansas+Grouper+Page>) and look for commonalities, while taking into consideration policy and licensing reasons of applications.

She mentioned that they have not found the optin/optout privileges particularly useful. {Tom} explained that LDAPPC works only for LDAP, and does not accommodate other needs. Future areas of enhancement include: 1) allowing for expression of changes, 2) using HSQL to build tables, and 3) using a web services interface to increase performance of scaling issues by reducing run time. {Kathryn} mentioned another problem with queuing messages, which could be addressed by doing incremental changes for message passing.

{James} mentioned having performance issues with loading of 11-12K groups in the Grouper QuickStart. [AI] {James} will share performance numbers with the Grouper-users mailing list.

{Anne Marie} shared another user perspective from the management side at Duke University. She mentioned Grouper's greatest use with iTunes University. Their definition of a dynamic group is any group that can apply a filter, updated via XML as attributes change. Conversely, a static group is one that must be manually changed. One of their largest problems is performance. iTunes U. has existed for nearly 10 semesters of class, which asks for retention policy regarding instructors, students, TAs. If a manager wants to add another admin, it times out. All maintenance must be done during the hours when no one is using it. She is looking for help with these performance issues. Though Grouper is being used just in the department now, word and interest are quickly spreading. Privacy is another matter of concern.

She expressed a general dislike of the Grouper UI at Duke and requested that it be a focus area for future development efforts.

The next Grouper Working Group call will be on Wednesday, May 2, 2007 at 12pm EDT.

--
Jessica Bibbee, Technical Analyst
Internet2

mobile: +1-734-255-6644

Internet2 R&E Network Members
Community, connected.
http://www.internet2.edu/renm/

