
grouper-users - Re: [grouper-users] cookbook for protecting Grouper UI using Shibboleth

Subject: Grouper Users - Open Discussion List

  • From: David Langenberg <>
  • To: Rob Gorrell <>
  • Cc:
  • Subject: Re: [grouper-users] cookbook for protecting Grouper UI using Shibboleth
  • Date: Thu, 9 May 2013 13:54:19 -0600

Hi Rob,

Looking at it, it seems your IdP has not released ePPN to your SP. That
looks more like an eduPersonTargetedId. I'd first take a look at your
attribute-filter.xml on the IdP to ensure your Grouper SP is getting the
necessary attributes. Then ensure that your attribute-map.xml in the
Grouper SP is set up to properly map them. Finally, be sure that in the
Grouper SP shibboleth2.xml you define remote_user to include the correct

In our install here, we send UID from the IdP and map that to

As for grouper-shib.jar in Maven, what that does is provide a way to
plug grouper into the Shibboleth IdP Attribute Resolver. It's used
primarily by the Grouper PSP (and can be used by the Shib IdP).


At 2013., in
"Rob Gorrell"
> I was wondering if there were any good soup-to-nuts references for the
> novice Grouper user in controlling Grouper UI authentication using
> Shibboleth? I'm working on a first time Grouper deployment and was
> interested with the notion of using shibb as the authentication mechanism
> to the UI. I had hoped the path would be a little more straightforward
> with where these two products come from, but then again, Grouper (and
> even shibb) are still pretty new to me.
> I found the Newcastle wiki material
> (
> as well as the notes in the Grouper Hosted on a Cloud
> (
> about using shibb with grouper and with this, have been successful in
> setting up an SP that is protecting my Group UI instance, redirecting me
> to my IdP, authenticating me and dumping me back at the Grouper UI with
> an established shibb session, but then Grouper UI is telling me "Error: Cant
> find login subject
> What I seem to be missing (and doesn't seem explained in the Newcastle
> article) is how to map the shibb eppn + attributes into the Grouper
> $REMOTE_USER so that shibb user is identified and matched to a grouper
> subject? I also was stumbling across some information about
> grouper-shib.jar over at Maven... is that possibly where this component
> comes into play?
> I was hoping someone might be able to give me a conceptual high level
> direction of what's involved in shibbolizing the UI geared at those that
> aren't experts in either grouper or shibboleth... or is this road I've
> embarked down not for the faint of heart?
> Thanks,
> -Rob
> --
> Robert W. Gorrell
> Middleware Engineer, Identity and Access Management
> University of NC at Greensboro
> 336-334-5954
[End of excerpt from

David Langenberg
Identity & Access Management
The University of Chicago
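
The three checks in the reply above (IdP release, SP attribute-map.xml, SP REMOTE_USER), modelled as an added Python example that is not part of the original thread or of Grouper or Shibboleth code. It shows how an SP can end up passing a targeted ID as REMOTE_USER and how mapping uid changes that; the config fragments, entityID, REMOTE_USER lists and attribute values are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SP_NS = "{urn:mace:shibboleth:2.0:native:sp:config}"
MAP_NS = "{urn:mace:shibboleth:2.0:attribute-map}"
UID = "urn:oid:0.9.2342.19200300.100.1.1"      # uid
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"      # eduPersonPrincipalName
EPTID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"    # eduPersonTargetedID

# Constructed SP fragments; entityID and all values are placeholders.
SHIBBOLETH2 = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://grouper.example.edu/shibboleth"
                       REMOTE_USER="%s"/>
</SPConfig>"""
ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="%s" id="eppn"/>
  <Attribute name="%s" id="persistent-id"/>
  %s
</Attributes>"""
UID_MAPPING = '<Attribute name="%s" id="uid"/>' % UID


def resolve_remote_user(shibboleth2_xml, attribute_map_xml, released):
    """Return (attribute id, value) the SP would use for REMOTE_USER, or None.

    released: {SAML attribute name: value} as sent by the IdP for this SP.
    """
    name_to_id = {a.get("name"): a.get("id")
                  for a in ET.fromstring(attribute_map_xml).iter(MAP_NS + "Attribute")}
    # Only attributes that are both released and mapped reach the session.
    session = {name_to_id[n]: v for n, v in released.items() if n in name_to_id}
    app = ET.fromstring(shibboleth2_xml).find(SP_NS + "ApplicationDefaults")
    # REMOTE_USER is a space-separated list; the first id with a value wins.
    for attr_id in app.get("REMOTE_USER", "").split():
        if attr_id in session:
            return attr_id, session[attr_id]
    return None


def scenarios():
    opaque = "constructed-opaque-id"           # stands in for a targeted ID
    base_map = ATTRIBUTE_MAP % (EPPN, EPTID, "")
    # IdP releases only the targeted ID: REMOTE_USER falls through to it.
    before = resolve_remote_user(SHIBBOLETH2 % "eppn persistent-id targeted-id",
                                 base_map, {EPTID: opaque})
    # IdP releases uid, SP maps it and names it in REMOTE_USER.
    after = resolve_remote_user(SHIBBOLETH2 % "uid",
                                ATTRIBUTE_MAP % (EPPN, EPTID, UID_MAPPING),
                                {EPTID: opaque, UID: "jdoe"})
    # uid released but not in attribute-map.xml: REMOTE_USER stays empty.
    unmapped = resolve_remote_user(SHIBBOLETH2 % "uid", base_map, {UID: "jdoe"})
    return before, after, unmapped
```

To see which attributes actually reached a live session, compare against the SP's session handler output (`/Shibboleth.sso/Session`).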
