Skip to Content.
Sympa Menu

grouper-dev - Re: [grouper-dev] Re: external people as group members

Subject: Grouper Developers Forum

List archive

Re: [grouper-dev] Re: external people as group members

Chronological Thread 
  • From: Niels van Dijk <>
  • To: Grouper Dev <>
  • Subject: Re: [grouper-dev] Re: external people as group members
  • Date: Mon, 19 Apr 2010 16:31:57 +0200
  • Organization: SURFnet


The issue of Duke is *very* familiar.
We took a little bit different approach: We introduced a Guest IdP
(basically a LDAP + lightweight GUI). The Guest IdP has it's own
provisioning for users. So the person stuff is all in the Guest IdP.
Next we had that 'IdP' talk SAML. Our Gui for grouper supports saml
based authentication for both federation users as well as the Guest IdP.
We use institution ID + userID to uniquely reference all users in
Grouper. (My UID would be SURFnet.niels, my guest uid would be
We allow mixed guest/non-guest groups, as long as the group admin is not
a guest. We do not allow guest only groups.

I seem to have missed the start of this discussion, but what is the
business case for adding people data into Grouper? Isn't that what
Identity Management systems are for?

A bit offtopic on doc sharing:
For a good document sharing system, do you need a collab platfom?
Take a look at Alfresco, it can be made to do federated identity and
(grouper) groups quit easily (i have some code available if you want
it.) For sharing (large) files, perhaps filesender (
is what you want?


On 04/19/2010 03:45 PM, Tom Barton wrote:
> <Bringing this thread back to grouper-dev because I think this topic may
> have broader interest.>
> Is there a reason to put the registration page in the grouper UI? I bet
> that almost always the reason the external person is there has nothing
> to do with grouper, as far as they know.
> What forms of external authN should the external registration page
> support? SAML & OpenID surely. Anything else?
> Will local accounts be created, eg, username/password?
> I agree with a plug-in approach for provisioning registrants, or at
> least having RDBMS & LDAP options. How about SPML? Is that statement
> even well-posed?
> Tom
> Shilen Patel wrote:
>> Hey,
>> Duke has been looking at doing something similar. We currently have a
>> separate Shibboleth IdP for external people, however, right now the
>> reason for having external people isn't for groups, but we'll probably
>> want to assign group memberships in the near to mid term. We went
>> with a separate IdP just to make sure that these people do not get
>> into applications that don't do proper authorization. So instead if
>> an application wants to allow external people, they would have to
>> trust this external IdP. Is this an issue you see yourself having?
>> What I was thinking about doing is having some sort of registration
>> page that stores the external users' identity information in our IDM.
>> Then we would synchronize that data to our LDAP (in a different suffix
>> that's not a child of what most people use as their base DN for
>> searches). This would allow us to store group memberships for
>> external people in LDAP and also allow us to use the built in LDAP
>> subject source for them.
>> So I'm just thinking that if I was going to use this enhancement, I
>> would want the registration page to be able to use the SPML interface
>> that our IdM provides. So maybe the registration page can allow you
>> to plugin how to get and store the identity information for the
>> external people rather than assuming it's just a database table?
>> Thanks!
>> -- Shilen
>> On 4/16/10 6:08 PM, Chris Hyzer wrote:
>>> Here is an idea to discuss at dinner:
>>> Grouper could have another optional built in subject source for
>>> external people. This has columns for id, name, description (maybe
>>> more).
>>> Then we have a screen in the Grouper UI where external people can
>>> sign in with shib, and add or edit their information in that table.
>>> Then group updaters can add those external people to groups. If they
>>> cant find the people to add, then they (or with the help of the
>>> Grouper UI), can send a link via email for those people to sign in
>>> and register, and when done, they can be added to the group.
>>> At Penn we would like to have something like comanage file sharing,
>>> but we need to quicker than it seems comanage will deliver it, and I
>>> would like to use grouper, and this seems like a useful enhancement
>>> to grouper that could be used for other purposes.
>>> If anyone knows of a good open source file sharing app (sythos and
>>> basecamp were ruled out), let me know, or if you have thoughts on the
>>> grouper enhancement let me know now or at dinner… J
>>> Chris

Niels van Dijk
Advanced Services

T: +31 302 305 337 / M: +31 651 347 657
SURFnet - PO Box 19035 - NL-3501 DA Utrecht - The Netherlands -
SURFnet - We make innovation work

Archive powered by MHonArc 2.6.16.

Top of Page