
grouper-dev - Re: [grouper-dev] Draft Minutes: Grouper call 11-Sept-2013

Subject: Grouper Developers Forum



  • From: Emily Eisbruch <>
  • To: "William G. Thompson, Jr." <>
  • Cc: "" <>
  • Subject: Re: [grouper-dev] Draft Minutes: Grouper call 11-Sept-2013
  • Date: Thu, 19 Sep 2013 15:25:19 +0000
  • Accept-language: en-US

Bill,
Thank you for the clarification. I will correct the Grouper call minutes
before posting them to the wiki.
- Emily

Emily Eisbruch, Technology Transfer Analyst
Internet2

office: +1-734-352-4996 | mobile +1-734-730-5749

Visit our website: www.internet2.edu <http://www.internet2.edu/>
Follow us on Twitter: www.twitter.com/internet2
<http://www.twitter.com/internet2>
Become a Fan on Facebook: www.internet2.edu/facebook
<http://www.internet2.edu/facebook>









On 9/19/13 11:20 AM, "William G. Thompson, Jr."
<>
wrote:

>> CAS and OAuth and Grouper
>>
>> Bill noted that CAS has the ability to act as OAuth server and client.
>> See https://wiki.jasig.org/display/CASUM/OAuth
>> A possible proof of concept is using CAS as an authorization server,
>> serving up the OAuth tokens to Grouper. Grouper would then manage access
>> based on those tokens.
>
>Sorry if I wasn't clear on the call. The proof of concept is using
>CAS to deal with the OAuth protocol and Grouper to decide who
>(services, people, etc) is able to get access tokens for which
>services and for what scope. CAS would delegate the actual authZ
>decision to Grouper but would otherwise deal with OAuth protocol.
>Grouper is the PAP and PDP. CAS is the OAuth AS. The target service
>is the PEP.
>
>
>
>On Tue, Sep 17, 2013 at 4:57 PM, Emily Eisbruch
><>
>wrote:
>> Draft Minutes: Grouper call 11-Sept-2013
>>
>> Attending
>>
>> Tom Barton, U. Chicago (Chair)
>> Jim Fox, U. Washington
>> Bill Thompson, Unicon
>> Chris Hyzer, U. Penn
>> Shilen Patel, Duke
>> Dave Langenberg, U. Chicago
>> Steve Olshansky, Internet2
>> Emily Eisbruch, Internet2, scribe
>>
>> New Action Items
>>
>> [AI] (Bill) provide a summary of considerations around potentially
>> keeping Grouper software files on GitHub
>>
>> [AI] (Chris) do additional follow-up on the U. Penn Grouper security
>> analysis.
>>
>> [AI] (Emily) put Dave's message on supporting and patching previous
>> Grouper releases in the appropriate places on the Grouper website and
>> wiki, with edits as needed. Inform the core group when done.
>> https://spaces.internet2.edu/pages/viewpage.action?pageId=41582755
>>
>> Carry Over Action Items
>>
>> [AI] (Chris) inform the list about the new security form and the
>> Grouper-Announce list.
>>
>> [AI] (Dave) touch base with TomZ around PSP support issues
>>
>> [AI] (Andrew) let us know what emerges from the Apereo security
>> notification process work.
>>
>> [AI] (Shilen) email the Grouper-users lists to ask who is using the
>> legacy attributes and ask how they are using them
>>
>> DISCUSSION
>>
>> Internet2 Website Migration
>>
>> https://blogs.internet2.edu/archives/1783
>>
>> Internet2's new website is scheduled to go live on Friday, Sept. 20
>> The new website is built using Django CMS
>> The plan is that redirects will be put in place from the old Grouper
>> website to the new URLs
>>
>> TSG (Internet2 Tech Support) suggests that once the new website is in
>> place, Grouper software files should still be uploaded to the same
>> location (webprod0). However, a reverse proxy may be needed. Chris will
>> follow up on this.
>>
>> Bill stated it may be worth looking at using GitHub as the public
>> repository for the Grouper source code
>> [AI] (Bill) provide a summary of considerations around potentially
>> keeping Grouper software files on GitHub
>>
>> French Translation of Grouper Admin UI
>>
>> https://lists.internet2.edu/sympa/arc/grouper-users/2013-08/msg00062.html
>>
>> Appreciation to Jérémy Gasperowicz of Université d'Artois for providing
>> a French translation of the Grouper UI with well-encoded accents.
>>
>> Tom has asked Sebastian Gagne to validate the French UI and is waiting
>> to hear back if Sebastian is able to do this.
>>
>> Chris noted that there is a feature that allows Grouper to detect the
>> browser location (country) and use different text for the UI based on
>> that location. We may want to keep this in mind for the future.
>>
>> Grouper Security
>>
>> Chris reported on the recent Penetration (Pen) testing of Grouper at U.
>> Penn.
>> Testing involved:
>> - Tested URL modification
>> - Testing applications security (trying to modify groups without correct
>>   permissions)
>> - SQL injection
>> The testing did not reveal security vulnerabilities.
>>
>> Another security testing step is to ask the U. Penn Office of Audit and
>> Compliance to run WebInspect. Chris will follow up on WebInspect.
>>
>> [AI] (Chris) do additional follow-up on the U. Penn Grouper security
>> analysis.
>>
>> In addition, Chris will look at a tool suggested by Tom to look at cross
>> site set request forgery and report back.
>>
>> Security Report Form
>>
>> The new Security Issue Report form is in place:
>>
>> https://spaces.internet2.edu/display/Grouper/Grouper+Security+Issue+Report+Form
>>
>> The Grouper-announce list has been established, for security
>> notifications, but it will take time to get users to subscribe to it. In
>> the meantime, the plan is to send security alerts to
>>
>> and
>>
>> and
>>
>>
>> Patch history is found on this page:
>> https://spaces.internet2.edu/display/Grouper/Grouper+security+patches
>>
>> Policy on Support of Previous Grouper Releases
>>
>> DaveL drafted this support policy:
>> https://spaces.internet2.edu/pages/viewpage.action?pageId=41582755
>>
>> Emily will move this to the production area of the wiki and create the
>> appropriate links to it.
>>
>> [AI] (Emily) put Dave's message regarding support and patching of
>> previous releases in the appropriate places on the Grouper website and
>> wiki, with edits as needed. Inform the core group when this is done.
>> https://spaces.internet2.edu/pages/viewpage.action?pageId=41582755
>>
>> OAuth and Grouper
>>
>> OAuth is a standard that many campuses are investigating.
>> Should Grouper support OAuth with Grouper Web Services?
>>
>> Issue: If Javascript is required to send a secret to OAuth to get the
>> access token, this could be seen as a lot of work versus relying on the
>> username and password and using Grouper roles to control access.
>>
>> - An OAuth advantage is that it's more transparent, and there is no
>>   login box in the user's browser.
>> - Chris: Implementing OAuth is not that hard, but we should wait for a
>>   real world use case to emerge.
>> - SURFnet wants OAuth support in the SCIM work, but beyond that, we can
>>   hold off on further work until there is a request.
>> - Tom noted that OAuth may well become more important at U. Chicago,
>>   with the upcoming Workday implementation.
>>
>> CAS and OAuth and Grouper
>>
>> Bill noted that CAS has the ability to act as OAuth server and client.
>> See https://wiki.jasig.org/display/CASUM/OAuth
>> A possible proof of concept is using CAS as an authorization server,
>> serving up the OAuth tokens to Grouper. Grouper would then manage access
>> based on those tokens.
>>
>> Next Grouper call: Wed. 25-Sept-2013 at noon ET
>>
>>
>> ***************************
>> Upcoming Meetings
>>
>> -TERENA TF-EMC2 & TF-MNM, Malaga, Spain, Oct 15-17, 2013
>> *-Identity Week, San Francisco, Nov 11-15, 2013
>> http://www.incommon.org/idweek/
>> ***************************
>>
>>
>>
>> Emily Eisbruch, Technology Transfer Analyst
>> Internet2
>>
>> office: +1-734-352-4996 | mobile +1-734-730-5749
>>
>




