
grouper-users - RE: [grouper-users] Grouper 2.4 and office365-and-azure-ad-grouper-provisioner

Subject: Grouper Users - Open Discussion List

  • From: "Redman, Chad" <>
  • To: "Pete St. Onge" <>, "" <>
  • Subject: RE: [grouper-users] Grouper 2.4 and office365-and-azure-ad-grouper-provisioner
  • Date: Wed, 16 Oct 2019 20:05:08 +0000

Hi Pete,

We took the original Unicon source code and modified it to a specific application need. You can see the write-up at https://spaces.at.internet2.edu/display/Grouper/University+of+North+Carolina+-+Course+Groups+for+Office+365 . To summarize our customizations:

· Allow an HTTP proxy configuration (our Grouper Loader server did not allow direct outgoing connections);
· Add more configuration parameters: subject source, subject attribute, AD domain, group name EL expression, display name EL expression (the EL expressions were used to craft environment-specific names, as we had multiple non-production environments targeting the same testing O365 tenant);
· The changelog consumer syncs either the O365 members or owners, depending on the group name;
· The O365 group name is based on the parent folder of the group;
· Removal of the sync attribute flag does not trigger deprovisioning of the O365 group, but rather removes the sync capability (this is controlled by the user through the web interface);
· Adding the sync attribute flag performs a full sync with O365, in case the attribute was added to an existing group;
· Upon group creation, along with setting an attribute for the O365 group guid, the consumer also stores the tenantId and the group name, which can be used to construct URL links to the group (outside of SharePoint, the group’s guid is surprisingly not utilized in web links).

So we had some extensive changes to the functionality, by having a folder associated with O365, and then member and owner groups that sync separately.

The REST client built into the code worked fine, as did the authentication logic, without any changes needed. So it may just work, depending on how your objects are set up. It does make some assumptions on what principal IDs are, so we needed to customize in order to construct the Azure identity based on a Grouper subject attribute. The group lifecycle also works in a specific way -- it will create or deprovision the group based on the changelog consumer attribute, which didn't fit our needs.

-Chad

-----Original Message-----
From: [mailto:] On Behalf Of Pete St. Onge
Sent: Wednesday, October 16, 2019 3:35 PM
To:
Subject: [grouper-users] Grouper 2.4 and office365-and-azure-ad-grouper-provisioner

Hello all,

We're in the process of upgrading our existing Grouper implementation to 2.4, and we have it running nicely in our non-prod environment. There are a lot of really useful new features that we look forward to putting to good use going forward, kudos to all involved in building Grouper!

We are also looking at what would be involved to get connected to Azure with the existing office365-and-azure-ad-grouper-provisioner and if anyone has this set up with 2.4.

Thanks and best, -- pete

--
Peter St. Onge
Information Security Architect                     (416)978-5030
Business Continuity and Communications
Information + Technology Services          University of Toronto


