

Re: [grouper-dev] Draft Minutes: Grouper call 11-Sept-2013


  • From: "William G. Thompson, Jr." <>
  • To: Emily Eisbruch <>
  • Cc: "" <>
  • Subject: Re: [grouper-dev] Draft Minutes: Grouper call 11-Sept-2013
  • Date: Thu, 19 Sep 2013 11:20:16 -0400

> CAS and OAuth and Grouper
>
> Bill noted that CAS has the ability to act as OAuth server and client. See
> https://wiki.jasig.org/display/CASUM/OAuth
> A possible proof of concept is using CAS as an authorization server, serving
> up the OAuth tokens to Grouper. Grouper would then manage access based on
> those tokens.

Sorry if I wasn't clear on the call. The proof of concept is using
CAS to deal with the OAuth protocol and Grouper to decide who
(services, people, etc) is able to get access tokens for which
services and for what scope. CAS would delegate the actual authZ
decision to Grouper but would otherwise deal with OAuth protocol.
Grouper is the PAP and PDP. CAS is the OAuth AS. The target service
is the PEP.



On Tue, Sep 17, 2013 at 4:57 PM, Emily Eisbruch <> wrote:
> Draft Minutes: Grouper call 11-Sept-2013
>
> Attending
>
> Tom Barton, U. Chicago (Chair)
> Jim Fox, U. Washington
> Bill Thompson, Unicon
> Chris Hyzer, U. Penn
> Shilen Patel, Duke
> Dave Langenberg, U. Chicago
> Steve Olshansky, Internet2
> Emily Eisbruch, Internet2, scribe
>
> New Action Items
>
> [AI] (Bill) provide a summary of considerations around potentially keeping
> Grouper software files on GitHub
>
> [AI] (Chris) do additional follow-up on the U. Penn Grouper security
> analysis.
>
> [AI] (Emily) put Dave's message on supporting and patching previous Grouper
> releases in the appropriate places on the Grouper website and wiki, with
> edits as needed. Inform the core group when done.
> https://spaces.internet2.edu/pages/viewpage.action?pageId=41582755
>
> Carry Over Action Items
>
> [AI] (Chris) inform the list about the new security form and the
> Grouper-Announce list.
>
> [AI] (Dave) touch base with TomZ around PSP support issues
>
> [AI] (Andrew) let us know what emerges from the Apereo security notification
> process work.
>
> [AI] (Shilen) email the Grouper-users lists to ask who is using the legacy
> attributes and ask how they are using them
>
> DISCUSSION
>
> Internet2 Website Migration
>
> https://blogs.internet2.edu/archives/1783
>
> Internet2's new website is scheduled to go live on Friday, Sept. 20
> The new website is built using Django CMS
> The plan is that redirects will be put in place from the old Grouper website
> to the new URLs
>
> TSG (Internet2 Tech Support) suggests that once the new website is in place,
> Grouper software files should still be uploaded to the same location
> (webprod0). However, a reverse proxy may be needed. Chris will follow up on
> this.
>
> Bill stated it may be worth looking at using GitHub as the public repository
> for the Grouper source code.
> [AI] (Bill) provide a summary of considerations around potentially keeping
> Grouper software files on GitHub
>
> French Translation of Grouper Admin UI
>
> https://lists.internet2.edu/sympa/arc/grouper-users/2013-08/msg00062.html
>
> Appreciation to Jérémy Gasperowicz of Université d'Artois for providing a
> French translation of the Grouper UI with well-encoded accents.
>
> Tom has asked Sebastian Gagne to validate the French UI and is waiting to
> hear back if Sebastian is able to do this.
>
> Chris noted that there is a feature that allows Grouper to detect the
> browser location (country) and use different text for the UI based on that
> location. We may want to keep this in mind for the future.
>
> Grouper Security
>
> Chris reported on the recent Penetration (Pen) testing of Grouper at U.
> Penn.
> Testing involved:
> - Tested URL modification
> - Testing application security (trying to modify groups without correct
> permissions)
> - SQL injection
> The testing did not reveal security vulnerabilities.
>
> Another security testing step is to ask the U. Penn Office of Audit and
> Compliance to run WebInspect. Chris will follow up on WebInspect.
>
> [AI] (Chris) do additional follow-up on the U. Penn Grouper security
> analysis.
>
> In addition Chris will look at a tool suggested by Tom to look at cross site
> set request forgery and report back.
>
> Security Report Form
>
> The new Security Issue Report form is in place:
> https://spaces.internet2.edu/display/Grouper/Grouper+Security+Issue+Report+Form
>
> The Grouper-announce list has been established, for security notifications,
> but it will take time to get users to subscribe to it. In the meantime, the
> plan is to send security alerts to
>
> and
>
> and
>
>
> Patch history is found on this page:
> https://spaces.internet2.edu/display/Grouper/Grouper+security+patches
>
> Policy on Support of Previous Grouper Releases
>
> DaveL drafted this support policy:
> https://spaces.internet2.edu/pages/viewpage.action?pageId=41582755
>
> Emily will move this to the production area of the wiki and create the
> appropriate links to it.
>
> [AI] (Emily) put Dave's message regarding support and patching of previous
> releases in the appropriate places on the Grouper website and wiki, with
> edits as needed. Inform the core group when this is done.
> https://spaces.internet2.edu/pages/viewpage.action?pageId=41582755
>
> OAuth and Grouper
>
> OAuth is a standard that many campuses are investigating.
> Should Grouper support OAuth with Grouper Web Services?
>
> Issue: If Javascript is required to send a secret to OAuth to get the access
> token, this could be seen as a lot of work versus relying on the username
> and password and using Grouper roles to control access.
>
> -An OAuth advantage is that it's more transparent, and there is no login box
> in the user's browser.
> -Chris: Implementing OAuth is not that hard, but we should wait for a real
> world use case to emerge.
> -SURFnet wants OAuth support in the SCIM work, but beyond that, we can hold
> off on further work until there is a request.
> -Tom noted that OAuth may well become more important at U. Chicago, with
> the upcoming Workday implementation.
>
> CAS and OAuth and Grouper
>
> Bill noted that CAS has the ability to act as OAuth server and client. See
> https://wiki.jasig.org/display/CASUM/OAuth
> A possible proof of concept is using CAS as an authorization server, serving
> up the OAuth tokens to Grouper. Grouper would then manage access based on
> those tokens.
>
> Next Grouper call: Wed. 25-Sept-2013 at noon ET
>
>
> ***************************
> Upcoming Meetings
>
> -TERENA TF-EMC2 & TF-MNM, Malaga, Spain, Oct 15-17, 2013
> -Identity Week, San Francisco, Nov 11-15, 2013
> http://www.incommon.org/idweek/
> ***************************
>
>
>
> Emily Eisbruch, Technology Transfer Analyst
> Internet2
>
> office: +1-734-352-4996 | mobile +1-734-730-5749
>
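The division of roles Bill describes above (CAS handling the OAuth protocol and minting tokens, Grouper deciding who may obtain a token for which service and scope, the target service enforcing the token), modelled as an added Python example. This is not code from CAS, Grouper or anyone on this thread; the group names, the HMAC-signed token format, the shared key and all sample data are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical Grouper-like PAP/PDP: the policy is expressed as group
# membership (constructed sample data). Group name -> members, where a
# member may be a person or a service account.
GROUPS = {
    "app:calendar:read": {"alice", "svc-portal"},
    "app:calendar:write": {"alice"},
    "app:payroll:read": {"svc-hr"},
}


def grouper_pdp_decision(subject, service, scope):
    """PDP: may `subject` obtain a token for `service` with `scope`?
    The answer comes only from the group policy, never from the AS."""
    return subject in GROUPS.get(f"app:{service}:{scope}", set())


# Hypothetical CAS-like OAuth authorization server (AS). It speaks the
# protocol and mints tokens but delegates the authZ decision to the PDP.
AS_KEY = b"constructed-demo-key"  # assumed shared with the PEPs (resource servers)


def _sign(payload: bytes) -> str:
    return hmac.new(AS_KEY, payload, hashlib.sha256).hexdigest()


def issue_access_token(subject, service, scope, now=None, ttl=300):
    if not grouper_pdp_decision(subject, service, scope):
        return None  # the AS refuses; the decision was Grouper's
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "aud": service, "scope": scope, "exp": now + ttl}
    payload = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{payload}.{_sign(payload.encode())}"


# Hypothetical target service acting as PEP: checks signature, audience,
# scope and expiry before granting access; it makes no policy decision itself.
def pep_authorize(token, service, required_scope, now=None):
    try:
        payload, sig = token.split(".")
    except (ValueError, AttributeError):
        return False
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        return False
    claims = json.loads(base64.urlsafe_b64decode(payload))
    now = int(time.time()) if now is None else now
    return (claims["aud"] == service and claims["scope"] == required_scope
            and claims["exp"] > now)
```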


