Grouper Users - Open Discussion List

[Dan Sellars <>]

Hello Tom,

Thanks for the response. The answer to the external subject store is pretty much what I expected but thanks for clarifying. Oh and I just realized when I read back through what I wrote, that I intended to say that I need something to manage the authorization, not authentication. Which I think is where Grouper fits in.

To clarify may understanding, when I have a separate identity store set up and I want to add/delete new users then I will need to be using whatever native API is provided my that system and then Grouper could be used for finding out what authorization the users have once they are entered and set up?

Finally with regard to accessing attributes from a Subject that are provided by the external identity store, such as email address, is that possible through the Java client API? Or again does this need to dip into the native store?

Cheers,

Dan     

From: Tom Barton <>
Date: Tuesday, 1 October, 2013 7:00 PM
To: "" <>
Subject: Re: [grouper-users] Using the Java Client API

Hi Dan,

Welcome to our community! Identity and Access Management can cover a lot of capabilities and needs, so you're likely to need a corresponding amount of patience as you climb that curve.

To answer your first question, yes, you really do need an external Subject repository if your intention is to put a production access management service into place. LDAP is often used as a Subject repository, quite successfully.

Grouper's role in a larger access management solution is illustrated by this high level architecture diagram:

https://spaces.internet2.edu/display/Grouper/Architectural+Diagram

A one-line synopsis of what each component in that diagram does, together with links to further info, is in

https://spaces.internet2.edu/display/Grouper/Grouper+Components+Overview

Note in particular that the Subject API is only exposed to the Java API on a read-only basis. Its purpose is to abstract the details of how your Subjects are represented in their native store so that grouper can integrate with it.

The internal Subject tables were designed specifically to support a self-contained demo instance of Grouper with canned dummy Subjects. There is no API to maintain them beyond low level database access.

Where to go next? The Planning Guide might help a little. Others on this list might have favorite IAM overview references to pass along. And the EDUCAUSE IdM list and its archives are a good source of lots of material and a good way to connect with others sharing some of your specific IAM needs.

Thanks,
Tom

On 10/1/2013 3:09 PM, Dan Sellars wrote:

Hello,

I am new to using Grouper and I am currently investigating and prototyping to see if it will fit our needs. Identity management is a fairly new subject area to me, so there may be a lot of background information that I am lacking around what I am trying to do.  Basically I want a system that I can use to manage the authentication of users. Grouper seems to fit what I need but I am having trouble working out some basic functionality. So I appreciate any help you can provide.

Firstly, do I need to use an external Subject repository such as LDAP for a small deployment or is it possible to use the internal 'subject' and 'subjectattribute' tables?

If so:

How do I add a new Subject via the java client api? The only ways I have seen are by using gsh or an sql script. I have tried to use something like the following from my web app:

GcAddMember addMember = new GcAddMember(); 

WsSubjectLookup actAsSubject = new WsSubjectLookup("GrouperSystem", null, null);

addMember.assignActAsSubject(actAsSubject);

addMember.addSubjectId(username.toLowerCase().replaceAll(" ", "."));

addMember.addSubjectIdentifier(username); addMember.assignGroupName("qsuob:all");

addMember.assignAddExternalSubjectIfNotFound(true);

WsAddMemberResults wsResult = addMember.execute();

But this gives an exception:

edu.internet2.middleware.subject.SourceUnavailableException: Cant find source with id: 'grouperExternal', Possible source id's: 'g:gsa', 'grouperEntities', 'jdbc', 'g:isa',

This part of the API seems to be more about just adding an existing subject to a group, which I have successfully managed to do. So I am unsure where to look next.

How do I read attributes about a Subject? For example I want to have an email address attribute and once I have found a Subject then be able to retrieve the email address from it. I have tried the following but to no effect, I am not even sure if I am using the API correctly.

WsSubjectLookup lookup = new WsSubjectLookup();

lookup.setSubjectId(username);

WsGetAttributeAssignmentsResults attrs = new GcGetAttributeAssignments().addOwnerSubjectLookup(lookup).execute();  

When I try this I get an exception like:

java.lang.RuntimeException: attributeAssignType is required: edu.internet2.middleware.grouperClient.api.GcGetAttributeAssignments@187f73e5

I have tried to look for somewhere that I could set the attribute type but could not find it.

I have managed to retrieve a Subject based on it's subject id using:

WsSubjectLookup lookup = new WsSubjectLookup();

lookup.setSubjectId(username);

WsGetSubjectsResults sResults = new GcGetSubjects().addWsSubjectLookup(lookup).assignIncludeSubjectDetail(true).execute();

Is this the most efficient way of doing it?

If there is some more documentation around this or specific examples of these kind of fairly basic tasks then just pointing me there would be great. I have been hunting around the website here https://spaces.internet2.edu/display/Grouper/Grouper+Client, here https://spaces.internet2.edu/display/Grouper/Subject+API, watched the related video tracks and downloaded the source to look at the client API so I am not sure where to go next.

Thanks in advance,

Dan.

-- 
Tom Barton
Senior Director for Architecture, Integration, and Security
Chief Information Security Officer
Information Technology Services
University of Chicago
+1 773 834 1700 (office)