
Subject: Grouper Users - Open Discussion List


[grouper-users] Notes from Grouper BOF at 2015 Global Summit, 4/30/2015


  • From: Emily Eisbruch <>
  • Subject: [grouper-users] Notes from Grouper BOF at 2015 Global Summit, 4/30/2015
  • Date: Tue, 5 May 2015 19:12:12 +0000
  • Authentication-results: internet2.edu; dkim=none (message not signed) header.d=none;

Notes from Grouper BOF at 2015 Global Summit, 4/30/2015


Tom Barton welcomed the group


Topics of interest from the attendees:

  • Getting Started

  • Federated Groups

  • Provisioning  / Messaging

  • LDAP synchronization

  • Integrating Grouper w Duo Admin Console

  • evolution away from Tomcat 6 / Java 6 dependency


Getting Started with Grouper


  • U of Arkansas is looking at increasing focus on IdM.

  • Access control is a big part; looking at Grouper, want to establish centralized roles


  • University of Maryland Baltimore County is looking at Grouper

  • currently they have many individual systems w access rights

  • Using centralized groups could add efficiency

  • Looking at TIER and want to be set with Grouper as a lead in to TIER



  • Warren from U. Florida: it would be great if Grouper had some templates correlated with common use cases


  • Allow a campus to easily implement a small use case to get successful

  • how to do the 5-6 things

  • How to get stuff in and get stuff out of Grouper

  • Too much reinventing has to happen now


  • CMU would like to see

    • a UI to help in Grouper configuration

    • A UI for adding a subject source or turning a feature on and off


  • Notre Dame is looking at migrating to Grouper from an existing group management system

  • Need advice on how to migrate


Federated Groups


  • How can federated groups be useful?

  • Could the community suggest a common naming scheme that's useful to all institutions?

  • What are the use cases?

  • Example: Researchers at multiple universities need a group for a Virtual Organization (VO)

    • someone at each institution manages a group with a predefined name

    • using this group name will help ease the access process to the VO


ScottK from LIGO:

  • LIGO not a good example for this approach, since LIGO controls our own groups

  • Use case could be between LIGO and other astronomy groups; union of LIGO scientists

  • this should be an international conversation


  • Albert: UCLA is provisioning PSP

  • does full transformation the way Shib attribute release does

  • Can slice and dice suitable for the target

  • UCLA will contribute this to the Grouper wiki to benefit the community

  • UCLA has a parallel use case with Net+ cloud services


  • TomB: a group membership can have an access control outcome embodied by a token, instead of being in group

  • I can log in with a token

  • managing groups in a federated context has challenges

  • what does federated groups really address?



  • other use case is you have the role

  • according to the context, such as Amazon web service

  • you have admin role for this security group

  • that's more of a direct assertion of yes you have access

  • Technically the same thing

  • separating out helps in terms of naming


  • Need for locally managed groups consisting of remote principals

  • this use case can be handled in Grouper via External Subjects


  • Tom: Attribute release can be an issue

  • sometimes you can't get to service because institution will not release EPPN

  • Don't want to overload the attribute release issue with need to release what groups someone belongs to; Look for other ways to deal with it

  • suggestion: have an attribute called “status”



Post PSP Provisioning

  • See description on the Grouper wiki

  • Grouper tried the PSP provisioning approach using SPML, but found it had limitations

  • PSP will stay, but the Grouper project won't enhance it, limited maintenance

  • The Grouper provisioning approach moving forward will be message based

  • We will support incremental provisioning by reading events off the message queue

  • Grouper will support bulk reconciliation

  • hope sites can continue using their own messaging

  • Need to be able to provision to LDAP and AD out of the box

  • There will be a limited internal message substrate within Grouper to get provisioning messages to LDAP and AD


Q: Will there be listeners?

A: yes


  • UCLA is interested in bidirectional sync

  • Doing Shib integration with a medical center.

  • for connecting w independent orgs, like the med center, auditing on Groups is helpful.


Mark your calendar:

June 10, 2015 at 2pm ET

IAM Online to focus on Grouper deployment stories




Emily Eisbruch, Work Group Lead, Trust and Identity
Internet2

office: +1-734-352-4996 | mobile +1-734-730-5749
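The "Post PSP Provisioning" notes above describe two cooperating mechanisms: incremental provisioning driven by membership events read off a message queue, and a bulk reconciliation pass. The following is an added illustration of why both are needed, written for this page and not taken from Grouper's code base: the event format, the in-memory "registry" and the in-memory "target" standing in for an LDAP or AD group are all constructed for the example. The scenario it runs is a lost removal message, which leaves a subject provisioned into a group after it was removed from the source of truth, until reconciliation repairs the drift.

```python
"""Message-based provisioning pattern: incremental events plus bulk reconciliation.

Added example for illustration; not Grouper's implementation. The Event
format, Registry and Target classes are constructed stand-ins for the
Grouper registry, its message queue and an LDAP/AD provisioning target.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One membership change published to the queue (constructed format)."""
    seq: int
    group: str
    subject: str
    action: str  # "add" or "remove"


class Registry:
    """Source of truth for memberships; stands in for the Grouper registry."""

    def __init__(self) -> None:
        self.groups: dict[str, set[str]] = {}
        self.queue: deque[Event] = deque()
        self._seq = 0

    def _publish(self, group: str, subject: str, action: str) -> None:
        self._seq += 1
        self.queue.append(Event(self._seq, group, subject, action))

    def add_member(self, group: str, subject: str) -> None:
        self.groups.setdefault(group, set()).add(subject)
        self._publish(group, subject, "add")

    def remove_member(self, group: str, subject: str) -> None:
        self.groups.setdefault(group, set()).discard(subject)
        self._publish(group, subject, "remove")


class Target:
    """Provisioning target; stands in for group entries in LDAP or AD."""

    def __init__(self) -> None:
        self.groups: dict[str, set[str]] = {}

    def apply(self, event: Event) -> None:
        # Idempotent on purpose: at-least-once delivery means the same
        # message may arrive twice, and that must not corrupt the target.
        members = self.groups.setdefault(event.group, set())
        if event.action == "add":
            members.add(event.subject)
        elif event.action == "remove":
            members.discard(event.subject)
        else:
            raise ValueError(f"unknown action {event.action!r}")


def consume(target: Target, queue: deque[Event]) -> int:
    """Incremental provisioning: drain the queue in order; return events applied."""
    applied = 0
    while queue:
        target.apply(queue.popleft())
        applied += 1
    return applied


def reconcile(registry: Registry, target: Target) -> list[tuple[str, str, str]]:
    """Bulk reconciliation: compare full state on both sides and repair drift.

    Returns the corrections made as (group, subject, action) tuples. This is
    the list worth logging: a non-empty result means events were lost or the
    target was changed out of band, and a lingering "remove" is stale access.
    """
    corrections: list[tuple[str, str, str]] = []
    for group in sorted(set(registry.groups) | set(target.groups)):
        wanted = registry.groups.get(group, set())
        actual = target.groups.get(group, set())
        for subject in sorted(wanted - actual):
            corrections.append((group, subject, "add"))
        for subject in sorted(actual - wanted):
            corrections.append((group, subject, "remove"))
    for group, subject, action in corrections:
        target.apply(Event(0, group, subject, action))  # seq 0: synthetic event
    return corrections


def demo() -> tuple[set[str], list[tuple[str, str, str]]]:
    """Constructed scenario: one removal message is lost; reconciliation catches it."""
    registry, target = Registry(), Target()
    registry.add_member("app:admins", "alice")
    registry.add_member("app:admins", "bob")
    consume(target, registry.queue)
    registry.remove_member("app:admins", "bob")
    registry.queue.clear()                      # simulate the dropped message
    consume(target, registry.queue)             # nothing to apply
    stale = set(target.groups["app:admins"])    # bob is still provisioned
    corrections = reconcile(registry, target)   # bulk pass removes bob
    return stale, corrections


if __name__ == "__main__":
    print(demo())
```

The design point is that the two halves cover each other's failure modes: the queue keeps the target current within seconds of a change, and the periodic full comparison bounds how long a lost or out-of-order message can leave someone with access they should no longer have. Making `Target.apply` idempotent is what lets the reconciliation pass reuse the same code path as the incremental consumer.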


