
grouper-users - Re: [grouper-users] Grouper Duo integration

Subject: Grouper Users - Open Discussion List

  • From: David Langenberg <>
  • To: Chris Hyzer <>
  • Cc: Gouper Users <>
  • Subject: Re: [grouper-users] Grouper Duo integration
  • Date: Wed, 18 Nov 2015 16:40:35 +0000
  • Accept-language: en-US

Hi Chris,

Would this integration also be able to remove a user from Duo (delete the user & all of their devices) if the user is no longer in any of the groups it is watching?

Thanks

Dave

On Nov 18, 2015, at 8:41 AM, Chris Hyzer <> wrote:

I wrote a change log consumer to sync groups from Grouper to Duo.  Let me know if you are interested in using this.  Currently it is in v2.1 though I will be merging it forward to v2.2+ shortly.  Let me know if you are interested in using this.
 
 

Grouper has a change log consumer which can sync a folder in Grouper and use the extensions of groups in the folder as group names in Duo.  It will also sync the group description to Duo.  There is a daemon which will run periodically for a full refresh (nightly?).  The change log consumer will sync changes in real time.

Why use this?

You can have groups in Duo which are required for integrations.  This is another layer of authorization and deprovisioning for your systems.  For instance, you could have a group for your IT department, and require that group for your IT dept VPN, RDP, SSH.  Someone not in that group would not be able to use those resources at the Duo level.

Configure

grouper-loader.properties

# these are properties to add to grouper-loader.properties
# group duo admin domain name credentials
grouperDuo.adminIntegrationKey =
grouperDuo.adminSecretKey =
grouperDuo.adminDomainName =

# put groups in here which go to duo, the name in duo will be the extension here
grouperDuo.folder.name.withDuoGroups = a:b:c

# put the comma separated list of sources to send to duo
grouperDuo.sourcesForSubjects = someSource

# either have id for subject id or an attribute for the duo username (e.g. netId)
grouperDuo.subjectAttributeForDuoUsername = id

#quartz cron-like schedule for daily duo full sync, the default is 7am every day: 0 0 5 * * ?
#blank for dont schedule
grouperDuo.daemonCron = 0 0 5 * * ?

# set to true to not run daemons here
grouperDuo.dontRunDaemonsHere = false

# if this is run in a cluster and should only run on certain nodes, set the name(s) here (from hostname command)
grouperDuo.runOnlyOnServerNames =

# is grouper the true system of record, delete duo groups which dont exist in grouper
grouperDuo.deleteGroupsInDuoWhichArentInGrouper = true

# configure the duo change log consumer
changeLog.consumer.duo.class = edu.internet2.middleware.grouperDuo.GrouperDuoChangeLogConsumer

#the quartz cron is a cron-like string.  it defaults to every minute on the minute (since the temp to change log job runs
#at 10 seconds to each minute).  it defaults to this: 0 * * * * ?
#though it will stagger each one by 2 seconds
changeLog.consumer.duo.quartzCron =

Thanks,
Chris


--
David Langenberg
Identity & Access Management Architect
The University of Chicago
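
The following is an added example, not part of the thread and not Grouper's own code: a dry-run model of the full refresh described above, which plans the group changes for Duo and lists Duo users who are in none of the watched groups, the case raised in the reply. The function names, the sample data, and the choice to treat only direct children of the folder as Duo groups are assumptions.

```python
# Added example: dry-run model of the full sync (not Grouper's code).
FOLDER = "a:b:c"  # grouperDuo.folder.name.withDuoGroups from the sample config

def duo_view(grouper_groups, folder=FOLDER):
    """Map Grouper groups directly in `folder` to Duo group names (their extensions)."""
    prefix = folder + ":"
    view = {}
    for name, group in grouper_groups.items():
        ext = name[len(prefix):]
        # Assumption: only direct children of the folder are synced.
        if name.startswith(prefix) and ext and ":" not in ext:
            view[ext] = group
    return view

def plan_full_sync(grouper_groups, duo_groups, delete_missing=True):
    """Return the changes a full refresh would need; nothing is sent to Duo."""
    wanted = duo_view(grouper_groups)
    plan = {"create": [], "describe": [], "add": [], "remove": [], "delete": []}
    for name, group in sorted(wanted.items()):
        current = duo_groups.get(name)
        if current is None:
            plan["create"].append(name)
            current = {"description": None, "members": set()}
        elif current["description"] != group["description"]:
            plan["describe"].append(name)
        plan["add"] += [(name, u) for u in sorted(group["members"] - current["members"])]
        plan["remove"] += [(name, u) for u in sorted(current["members"] - group["members"])]
    if delete_missing:  # models grouperDuo.deleteGroupsInDuoWhichArentInGrouper
        plan["delete"] = sorted(set(duo_groups) - set(wanted))
    return plan

def users_outside_all_groups(grouper_groups, duo_users):
    """Duo usernames that are in none of the watched groups (candidates for review)."""
    covered = set()
    for group in duo_view(grouper_groups).values():
        covered |= group["members"]
    return sorted(set(duo_users) - covered)

# Constructed sample data (group names, members and Duo state are made up).
GROUPER = {
    "a:b:c:it_vpn": {"description": "IT dept VPN", "members": {"alice", "bob"}},
    "a:b:c:it_ssh": {"description": "IT dept SSH", "members": {"alice"}},
    "a:b:other:x": {"description": "outside folder", "members": {"zed"}},
}
DUO = {
    "it_vpn": {"description": "old text", "members": {"bob", "carol"}},
    "legacy": {"description": "", "members": {"carol"}},
}
DUO_USERS = ["alice", "bob", "carol"]
```

Reviewing the planned deletions and the list of uncovered users before enabling group deletion shows what the first full sync would remove from Duo.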



