Skip to Content.
Sympa Menu

grouper-dev - Re: [grouper-dev] Re: external people as group members

Subject: Grouper Developers Forum

List archive

Re: [grouper-dev] Re: external people as group members

Chronological Thread 
  • From: Jim Fox <>
  • To: Tom Barton <>
  • Cc: Grouper Dev <>
  • Subject: Re: [grouper-dev] Re: external people as group members
  • Date: Mon, 19 Apr 2010 08:41:18 -0700

We use a subject source that works with ePPN user ids. It is contained in a
table in the grouper db and is autopopulated. Whenever a subject that
resembles an ePPN appears and is not found, one is created. It is up to the
external users to find a way to login. Either their home Idp or one of the
public, self-asserted idps would work.

A not-written-yet app might one day allow editing of subject information.


On Apr 19, 2010, at 6:45 AM, Tom Barton wrote:

> <Bringing this thread back to grouper-dev because I think this topic may
> have broader interest.>
> Is there a reason to put the registration page in the grouper UI? I bet
> that almost always the reason the external person is there has nothing
> to do with grouper, as far as they know.
> What forms of external authN should the external registration page
> support? SAML & OpenID surely. Anything else?
> Will local accounts be created, eg, username/password?
> I agree with a plug-in approach for provisioning registrants, or at
> least having RDBMS & LDAP options. How about SPML? Is that statement
> even well-posed?
> Tom
> Shilen Patel wrote:
>> Hey,
>> Duke has been looking at doing something similar. We currently have a
>> separate Shibboleth IdP for external people, however, right now the
>> reason for having external people isn't for groups, but we'll probably
>> want to assign group memberships in the near to mid term. We went with
>> a separate IdP just to make sure that these people do not get into
>> applications that don't do proper authorization. So instead if an
>> application wants to allow external people, they would have to trust
>> this external IdP. Is this an issue you see yourself having?
>> What I was thinking about doing is having some sort of registration page
>> that stores the external users' identity information in our IDM. Then
>> we would synchronize that data to our LDAP (in a different suffix that's
>> not a child of what most people use as their base DN for searches).
>> This would allow us to store group memberships for external people in
>> LDAP and also allow us to use the built in LDAP subject source for them.
>> So I'm just thinking that if I was going to use this enhancement, I
>> would want the registration page to be able to use the SPML interface
>> that our IdM provides. So maybe the registration page can allow you to
>> plugin how to get and store the identity information for the external
>> people rather than assuming it's just a database table?
>> Thanks!
>> -- Shilen
>> On 4/16/10 6:08 PM, Chris Hyzer wrote:
>>> Here is an idea to discuss at dinner:
>>> Grouper could have another optional built in subject source for
>>> external people. This has columns for id, name, description (maybe more).
>>> Then we have a screen in the Grouper UI where external people can sign
>>> in with shib, and add or edit their information in that table. Then
>>> group updaters can add those external people to groups. If they cant
>>> find the people to add, then they (or with the help of the Grouper
>>> UI), can send a link via email for those people to sign in and
>>> register, and when done, they can be added to the group.
>>> At Penn we would like to have something like comanage file sharing,
>>> but we need to quicker than it seems comanage will deliver it, and I
>>> would like to use grouper, and this seems like a useful enhancement to
>>> grouper that could be used for other purposes.
>>> If anyone knows of a good open source file sharing app (sythos and
>>> basecamp were ruled out), let me know, or if you have thoughts on the
>>> grouper enhancement let me know now or at dinner… J
>>> Chris

Archive powered by MHonArc 2.6.16.

Top of Page