Subject: Grouper Developers Forum
- From: Emily Eisbruch
- Subject: [grouper-dev] Notes from Grouper BOF at 2015 Global Summit, 4/30/2015
- Date: Tue, 5 May 2015 19:12:12 +0000
Notes from Grouper BOF at 2015 Global Summit, 4/30/2015
Tom Barton welcomed the group.

Topics of interest from the attendees:
Getting Started with Grouper

- U of Arkansas is looking at increasing focus on IdM.
- Access control is a big part; looking at Grouper, want to establish centralized roles
- University of Maryland Baltimore County is looking at Grouper
  - currently they have many individual systems with access rights
  - Using centralized groups could add efficiency
- Looking at TIER and want to be set with Grouper as a lead-in to TIER
- Allow a campus to easily implement a small use case to get successful
- how to do the 5-6 things
- How to get stuff in and get stuff out of Grouper
- Too much reinventing has to happen now
Federated Groups

- How can federated groups be useful?
- Could the community suggest a common naming scheme that's useful to all institutions?
- What are the use cases?
  - Example: Researchers at multiple universities need a group for a Virtual Organization (VO)
- Scott K from LIGO:
  - LIGO is not a good example for this approach, since LIGO controls our own groups
  - Use case could be between LIGO and other astronomy groups; union of LIGO scientists
  - this should be an international conversation
- Albert: UCLA is provisioning PSP
  - does full transformation the way Shib attribute release does
  - Can slice and dice suitable for the target
  - UCLA will contribute this to the Grouper wiki to benefit the community
  - UCLA has a parallel use case with Net+ cloud services
- TomB: a group membership can have an access control outcome embodied by a token, instead of being in a group
  - I can log in with a token
  - managing groups in a federated context has challenges
  - what do federated groups really address?
  - other use case is you have the role
  - according to the context, such as Amazon Web Services
  - you have admin role for this security group
  - that's more of a direct assertion of yes, you have access
  - Technically the same thing
  - separating out helps in terms of naming
- Tom: Attribute release can be an issue
  - sometimes you can't get to a service because the institution will not release EPPN
  - Don't want to overload the attribute release issue with the need to release what groups someone belongs to; look for other ways to deal with it
  - suggestion: have an attribute called “status”
Post PSP Provisioning

- See description on the Grouper wiki
- Grouper tried the PSP provisioning approach using SPML, but found it had limitations
- PSP will stay, but the Grouper project won't enhance it; limited maintenance
- The Grouper provisioning approach moving forward will be message based
- We will support incremental provisioning by reading events off the message queue
- Grouper will support bulk reconciliation
- hope sites can continue using their own messaging
- Need to be able to provision to LDAP and AD out of the box
- There will be a limited internal message substrate within Grouper to get provisioning messages to LDAP and AD
- Q: Will there be listeners? A: yes
- UCLA is interested in bidirectional sync
  - Doing Shib integration with a medical center.
  - for connecting with independent orgs, like the med center, auditing on Groups is helpful.
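The notes above describe two provisioning modes that complement each other: incremental provisioning, where a provisioner reads membership-change events off a message queue and applies each one to the target, and bulk reconciliation, where the full source state is compared against the target and any drift is repaired. The following is an added illustration written for these notes; it is not Grouper project code and does not use Grouper's real message format. The event shape, the in-memory target that stands in for an LDAP or AD directory, and every group and subject name are constructed for the example. It deliberately drops one event so that the reconciliation pass has something to repair, which is why a message-based design still needs bulk reconciliation.

```python
"""Incremental (event-driven) provisioning plus bulk reconciliation.

Added illustration, not Grouper code. The event dictionaries, the Target
class standing in for LDAP/AD, and all names are constructed for this example.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Target:
    """In-memory stand-in for a provisioning target such as LDAP or AD.
    Maps group name -> set of member ids."""
    groups: dict = field(default_factory=dict)
    applied: int = 0  # number of incremental events applied so far

    def add_member(self, group, subject):
        self.groups.setdefault(group, set()).add(subject)

    def remove_member(self, group, subject):
        self.groups.get(group, set()).discard(subject)


def apply_event(target, event):
    """Incremental provisioning: apply one membership-change event.
    Unknown event types raise rather than being silently skipped, so a
    malformed or unexpected message is visible in the provisioner's logs."""
    kind = event.get("type")
    if kind == "membership_add":
        target.add_member(event["group"], event["subject"])
    elif kind == "membership_delete":
        target.remove_member(event["group"], event["subject"])
    else:
        raise ValueError(f"unsupported event type: {kind!r}")
    target.applied += 1


def drain_queue(target, queue):
    """Read events off the queue in arrival order and apply each one.
    Returns the number of events applied."""
    n = 0
    while queue:
        apply_event(target, queue.popleft())
        n += 1
    return n


def reconcile(source, target):
    """Bulk reconciliation: make the target's memberships match the source.
    Returns (added, removed) lists of (group, subject) pairs that were repaired.
    Groups that exist only in the target are emptied rather than deleted,
    since a target-side group may carry attributes the provisioner does not own."""
    added, removed = [], []
    for group in set(source) | set(target.groups):
        want = source.get(group, set())
        have = target.groups.get(group, set())
        for subject in sorted(want - have):
            target.add_member(group, subject)
            added.append((group, subject))
        for subject in sorted(have - want):
            target.remove_member(group, subject)
            removed.append((group, subject))
    return added, removed


def demo():
    """Run the incremental pass, measure drift, then reconcile.
    Returns (events_applied, drift_before, added, removed, final_groups)."""
    # Constructed source-of-truth state, as the group registry would hold it.
    source = {
        "app:wiki:editors": {"alice", "bob"},
        "app:vpn:users": {"alice", "carol"},
    }
    # Constructed event stream with two deliberate gaps: the add of carol to
    # the VPN group was never queued, and the delete of dave was lost.
    queue = deque([
        {"type": "membership_add", "group": "app:wiki:editors", "subject": "alice"},
        {"type": "membership_add", "group": "app:wiki:editors", "subject": "bob"},
        {"type": "membership_add", "group": "app:vpn:users", "subject": "alice"},
        {"type": "membership_add", "group": "app:vpn:users", "subject": "dave"},
    ])
    target = Target()
    applied = drain_queue(target, queue)
    # Drift visible after the incremental pass alone: carol missing, dave stale.
    drift_before = sorted(source["app:vpn:users"] ^ target.groups["app:vpn:users"])
    added, removed = reconcile(source, target)
    return applied, drift_before, added, removed, target.groups


if __name__ == "__main__":
    print(demo())
```

The stale member left behind by the lost delete is the case that matters most for access control: an event-only provisioner would keep granting VPN membership to a subject the source no longer lists, and only the reconciliation pass catches it.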
Mark your calendar: June 10, 2015 at 2pm ET, IAM Online to focus on Grouper deployment stories
Emily Eisbruch, Work Group Lead, Trust and Identity
Internet2
office: +1-734-352-4996 | mobile +1-734-730-5749