Major Improvements to the Grouper Provisioning Framework
By Chris Hyzer, University of Pennsylvania
It was great seeing many of you at the Internet2 Technology Exchange (TechEX) in Denver in December 2022. We love talking with our community about identity management, Grouper, and everything else too. Shout out to the team at the University of Michigan who presented a terrific TechEX session on Wolverine Versus Grouper inclusive of their campus case study and two cool images. Slides from the Grouper BOF held at TechEx, featuring an overview of our roadmap, are available for your review.
Our roadmap is based on community input. Grouper, the access management component of the InCommon Trusted Access Platform, evolves to meet the community’s needs. In the past two years, a redesign of the way Grouper handles provisioning has been a major focus.
“We were early testing partners and adopters of Grouper’s new provisioning framework, and we have seen major benefits. For example, the new provisioning framework allows us to send large groups, in an efficient manner, to Azure. This is a process that caused serious problems when we tried to send them previously using Azure AD Connect.”
—Gail Lift, ITS Information Assurance Identity and Access Management team, University of Michigan
The Grouper provisioning framework, ready to use with Grouper v2.6 and above, revolutionizes how data flows between Grouper and external systems, providing a highly flexible and customizable approach.
This blog picks up where the January 2021 blog on the Provisioning Framework left off, so you might want to start there and also see the Grouper provisioning glossary for terms.
We are pleased to announce that we now have implementations for all legacy provisioners written and tested in the new provisioning framework. Using the new provisioning framework, you can now provision to Azure, Box, Duo, Duo roles, Google, SCIM v2, LDAP, Messaging, MidPoint, Remedy, and SQL. We will add more as needed. Need one?
The heavy lifting for the implementation of the provisioning framework is in Grouper, shared among all provisioners. The only requirement for creating a custom provisioner at your institution is to implement the logic to select / insert / update / delete objects from the target system. We have created an example of this, which could be as lean as creating one source file. If you want your custom provisioner to be more sophisticated, you can implement more logic of integration points, and there is an example of that as well, including a “start with,” and a test harness. Of course, if you are using a commonly used target, we can add an implementation inside of the Grouper product. If you have a local application that you need provisioning for, and you can tolerate Java without running away, implement a custom provisioner! We can help you with that process.
New and Exciting Provisioning Features
The number of features in the provisioning framework has been constantly increasing, but the pace of change is now slowing and the framework is stabilizing. Here are just a few highlights:
- You can retrieve extra attributes from a SQL or LDAP source if the data you are provisioning does not natively exist in Grouper. If the amount of data in the target system is a lot greater than the number of objects that Grouper is responsible for, you do not need to select all target data in full sync.
- Performance is important. If the target has throttling, Grouper will automatically back off to accommodate the requirements. There can be multiple search and matching attributes, and they can be loosely coupled. (If you did not click on the glossary, you might be lost right now).
- Two roles for administering provisioning are viewers and assigners, so the provisioner management can be delegated to the right teams.
- Failsafes have been enhanced to make sure that target data is not deleted accidentally.
- Improved error handling will help diagnose data problems and ensure that retries will make the target correct when it is possible. Grouper can ignore errors that you expect.
- Provisioner logs are temporarily stored in the Grouper database, so they can be easily retrieved via the UI. Am I the only one who has issues sifting through AWS container logs? Unresolvable and deleted subjects can be handled in the target, based on configuration.
- Since the provisioning configuration is more complex due to increased features, the screen to set up a provisioner has been reorganized and split up into sections, so it is easier to use. In addition, there is a pre-configuration “start with” to easily set up common patterns. Need it to be easier than that? Let us know what is confusing or difficult, and we can iterate on it!
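To make the pattern concrete, here is a small added example (not code from Grouper itself) of the shape a custom provisioner takes as described above: a target exposing select / insert / update / delete, a full sync that diffs Grouper's view against the target, a failsafe that refuses a sync which would delete an unexpectedly large share of the target's data, and exponential backoff when the target throttles. Every class and function name here (`InMemoryTarget`, `with_backoff`, `plan_full_sync`, `full_sync`, the `TargetThrottled` and `FailsafeTripped` exceptions) is an assumption made for this illustration, and the in-memory target with its simulated throttling is constructed sample data, not a real target API.

```python
"""Added illustration of a provisioner reconcile loop with a delete failsafe
and throttling backoff. Not Grouper's code; all names are assumptions."""
import time
from dataclasses import dataclass, field


class TargetThrottled(Exception):
    """Raised by the target when it asks the caller to slow down (e.g. HTTP 429)."""


class FailsafeTripped(Exception):
    """Raised when a full sync would remove more target data than allowed."""


@dataclass
class InMemoryTarget:
    """Hypothetical target system: group name -> set of member ids.
    `throttle_every` makes every Nth write raise TargetThrottled so the
    backoff path is exercised (constructed behaviour, not a real API)."""
    groups: dict = field(default_factory=dict)
    throttle_every: int = 0
    _writes: int = 0

    def _maybe_throttle(self):
        self._writes += 1
        if self.throttle_every and self._writes % self.throttle_every == 0:
            raise TargetThrottled("simulated rate limit")

    # The four operations a custom provisioner must supply for its target.
    def select_groups(self):
        return {name: set(members) for name, members in self.groups.items()}

    def insert_group(self, name, members):
        self._maybe_throttle()
        self.groups[name] = set(members)

    def update_group(self, name, members):
        self._maybe_throttle()
        self.groups[name] = set(members)

    def delete_group(self, name):
        self._maybe_throttle()
        del self.groups[name]


def with_backoff(op, *args, max_attempts=5, base_delay=0.01, sleep=time.sleep):
    """Retry `op` on TargetThrottled with exponential backoff (0.01, 0.02, 0.04...)."""
    for attempt in range(max_attempts):
        try:
            return op(*args)
        except TargetThrottled:
            if attempt == max_attempts - 1:
                raise
            sleep(base_delay * (2 ** attempt))


def plan_full_sync(grouper_view, target_view):
    """Diff Grouper's desired state against what the target currently holds."""
    inserts = {n: m for n, m in grouper_view.items() if n not in target_view}
    updates = {n: m for n, m in grouper_view.items()
               if n in target_view and target_view[n] != m}
    deletes = [n for n in target_view if n not in grouper_view]
    return inserts, updates, deletes


def full_sync(grouper_view, target, max_delete_fraction=0.2, sleep=time.sleep):
    """Apply the plan, but refuse to run if it would delete more than
    `max_delete_fraction` of the groups already in the target. A sync that
    wants to remove most of the target is far more likely to be a broken
    source query or an empty Grouper view than a real change."""
    target_view = target.select_groups()
    inserts, updates, deletes = plan_full_sync(grouper_view, target_view)
    if target_view and len(deletes) / len(target_view) > max_delete_fraction:
        raise FailsafeTripped(
            f"would delete {len(deletes)} of {len(target_view)} target groups")
    for name, members in inserts.items():
        with_backoff(target.insert_group, name, members, sleep=sleep)
    for name, members in updates.items():
        with_backoff(target.update_group, name, members, sleep=sleep)
    for name in deletes:
        with_backoff(target.delete_group, name, sleep=sleep)
    return {"inserts": len(inserts), "updates": len(updates), "deletes": len(deletes)}


if __name__ == "__main__":
    # Constructed sample: target holds a..e, Grouper now wants a (changed), b, c, d, f.
    target = InMemoryTarget(
        groups={"a": {"u1"}, "b": {"u2"}, "c": {"u3"}, "d": {"u4"}, "e": {"u5"}},
        throttle_every=2)
    grouper = {"a": {"u1", "u9"}, "b": {"u2"}, "c": {"u3"}, "d": {"u4"}, "f": {"u6"}}
    print(full_sync(grouper, target))
    try:
        full_sync({}, target)  # empty source view: the failsafe should stop this
    except FailsafeTripped as e:
        print("failsafe:", e)
```

The threshold is deliberately a fraction of what is already in the target rather than an absolute count, so the same setting is sensible whether the target holds ten groups or ten thousand; the retry wrapper keeps the sync correct across transient throttling instead of leaving the target half-updated.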
Grouper Versioning Is Changing!
The Grouper development team is wrapping up work on provisioning and will rename v2.6 to v4.0, since the Grouper project is transitioning to a versioning method similar to semantic versioning. At that point, v4.0 will be the non-enhancement version of Grouper. This is an easy upgrade from v2.6 to v4.0. The old and new provisioners co-exist in v4.0, and there will be a migration path to the new provisioners. Old-style provisioners are removed from v5.0 of Grouper (enhancement version) and forward. Normally the upgrade from v2.6 (enhancement version) to v4.0 (stable version) would be seamless, but we need to upgrade Java and switch from TomEE to Tomcat for security reasons. Baby steps to the ideal state.
New Features in Grouper v5.0
Grouper v5.0 is focused on container changes and Attribute Based Access Control (ABAC). The container changes involve running Grouper in a single-process container by default, with Tomcat as the only process. Of course, your sub-image can add processes as needed (e.g. sshd, Apache, shibd). Since it is possible and recommended in v5.0 to run authentication layers such as OIDC / SAML / CAS without other processes, you can streamline your container and run things the “Docker way.” The operating system is changed to Rocky Linux and will be native multi-platform. There are other improvements as well.
ABAC will revolutionize how authorizations are stored in Grouper. Cross-products of memberships will not be required for complex data structures, and policy scripts can be delegated to non-admins. For example, central admins will not need to write as many loader queries. Get excited about ABAC, so you can be like everyone else.
To Learn More
See the documentation on the Grouper Provisioning Framework. We invite your input and feedback. We appreciate all our community partners to date who have provided use cases and testing.
Join us for Grouper Training, March 7-10, 2023
Online Grouper training is a great opportunity to learn about Grouper, including the Grouper Provisioning Framework. This training is useful for those new or experienced with Grouper. Please register and join us!
Thanks! Chris Hyzer, Grouper lead