
grouper-users - Re: [grouper-users] SPML2 and understanding the psp-resolver.xml file

Subject: Grouper Users - Open Discussion List

  • From: David Langenberg <>
  • To: Scott Koranda <>
  • Cc: David Vezzani <>, "" <>, Brian Koehmstedt <>, John Kamminga <>
  • Subject: Re: [grouper-users] SPML2 and understanding the psp-resolver.xml file
  • Date: Thu, 2 Oct 2014 11:44:46 -0600

I disagree with 1.

https://spaces.internet2.edu/display/Grouper/Post+PSP+Provisioning#PostPSPProvisioning-FirstImplementations mentions that we'll first implement an AD and an LDAP provisioner. AD/LDAP provisioning support out of the box is non-optional from my point of view. Now, that said, the PSP is maddeningly complex to configure, so there will be a few trades made to favor easier configuration / deployment. This means if you have use-cases that are closer to the edge, you may need to write some code to do the AD/LDAP provisioning.

As for 2, that's still up in the air.  On the last dev call where we discussed provisioning it was decided that a strong desire (not quite to the level of requirement, but EXTREMELY close) would be to support wiring this all together directly somehow so that deployers who do not want to also deploy a message broker / or rent one from Amazon wouldn't have to.

Dave


On Thu, Oct 2, 2014 at 11:29 AM, Scott Koranda <> wrote:
Hi David,

Based on what I read on that wiki page, is this a fair statement:

The Grouper team may release a version of Grouper in the future that
will not provision to LDAP without a deployer having to take one of
these two actions: (1) Writing Java code, or (2) deploying a message
queue/broker.

Thanks,

Scott K for LIGO


On Thu, Oct 2, 2014 at 12:19 PM, David Langenberg <> wrote:
> Hi Dave,
>
> The plans for the post-PSP world are being written/discussed/firmed up here:
>
> https://spaces.internet2.edu/display/Grouper/Post+PSP+Provisioning
>
> I welcome any comments, criticisms, suggestions, etc.
>
> Dave
>
>
> On Thu, Oct 2, 2014 at 10:59 AM, David Vezzani <>
> wrote:
>>
>> Dave,
>>
>> Thanks for your response.  I think it is important to know that there are
>> plans for retiring the PSP tool.  In creating our group management solution,
>> we are hoping to use as much code that is supported and is planned to be
>> supported in the future.
>>
>> Your suggestions for how to better understand PSP are much appreciated.
>>
>> That being said, what would take the place of PSP as the suggested tool
>> for provisioning groups to target LDAPs?
>>
>> Dave
>>
>> David Vezzani
>> (c) 209-756-9688
>> (o) 209-228-4516
>>
>>
>>
>>
>> On Oct 2, 2014, at 9:48 AM, David Langenberg <> wrote:
>>
>> Probably the best way to understand what that psp-resolver.xml is
>> controlling is to first understand Shibboleth and how its attribute-resolver
>> works. The PSP is using the Shibboleth Attribute Resolver to handle looking
>> up the provisioned information, group source information and also perform
>> necessary transformations to make the two systems (grouper and target)
>> comparable.
>>
>> https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAddAttribute
>>
>> I really wouldn't try to generate SPML & feed it directly to the PSP's LDAP
>> Target class, though in theory it could work.  As for the source for
>> OpenSPML, the OpenSPML library upon which the PSP relies is no longer
>> maintained.  I managed to grab a copy of the source at one time and keep a
>> fork of it here:
>>
>> https://github.com/langedb/openspml
>>
>> This is yet another reason why the PSP is going to be retired soon.
>>
>> Dave
>>
>> On Thu, Oct 2, 2014 at 10:25 AM, David Vezzani <>
>> wrote:
>>>
>>> I’m still trying to understand what the PSP does exactly.  I’m running
>>> through the video tutorials and I’m not getting the same end result as
>>> Patel.  I figure I would be able to resolve the issue with some slight
>>> modifications to the PSP configuration files.  I admit that
>>> https://spaces.internet2.edu/display/Grouper/Grouper+Provisioning has
>>> definitely helped me get a better understanding of how PSP works, but I’m
>>> not finding the detail I need to understand with enough depth so that I
>>> actually know what I’m doing when I make changes to the PSP configuration.
>>>
>>> To start, I want to make sure I understand the big picture.
>>>
>>> PSP is used to provision groups with assigned members by generating SPML2
>>> xml packets that somehow get converted to LDIF which is presented to the
>>> target LDAP.  Is this a fair statement?
>>>
>>> I am currently looking for a SPML2 client I can use to test SPML2 packets
>>> with my target LDAP.  I see that Grouper comes packaged with a JAR that
>>> provides org.openspml.v2.client.Spml2Client , but I haven’t found the source
>>> or documentation yet on how to use it.  I already verified it is different
>>> from a SpmlClient class I found on Oracle’s site.  I am hoping that being
>>> somewhat familiar with SPML2 will increase my knowledge base so I can better
>>> understand the PSP configuration files, especially the psp-resolver.xml
>>> file.
>>>
>>> David Vezzani
>>> (c) 209-756-9688
>>> (o) 209-228-4516
>>>
>>>
>>>
>>>
>>
>>
>>
>> --
>> David Langenberg
>> Identity & Access Management
>> The University of Chicago
>>
>>
>
>
>
> --
> David Langenberg
> Identity & Access Management
> The University of Chicago



--
David Langenberg
Identity & Access Management
The University of Chicago


