News from the Grouper Project
By Chris Hyzer, University of Pennsylvania and Chair of the Grouper Project
We’re excited to share recent developments in the Grouper project. Grouper is an enterprise group and access management system that simplifies access management by letting you use the same group or role in many places in your organization. Grouper is part of the InCommon Trusted Access Platform, an identity and access management suite of software designed to integrate with existing systems.
As always, the Grouper development team has been listening to the community’s input and implementing requested improvements and new features. This blog post explains some recent enhancements to Grouper, including improved templates for greater ease of use, an expanded approach to provisioning data to other systems, and new options for authorization.
Grouper provisioning is solidifying as the primary provisioning approach in the Grouper v2.6 version. The new framework is designed to ensure Grouper can quickly, flexibly, consistently, and reliably provision authorization data to other Identity and Access Management systems.
An overview of the new Grouper Provisioning approach is here:
We have added a few video examples on the wiki based on user requirements, including Provisioning in LDAP with command logging, Provisioning in LDAP with troubleshooting, and Grouper Duo provisioning. If you have requirements and want an example let us know! The Azure provisioner has a lot of metadata built in so provisionable groups can be created in Azure with the correct settings. The SQL provisioner is rewritten to be more performant, flexible, and usable. We continue to add more features to the provisioning framework which can be used by all provisioning adapter implementations.
Want to lend a hand to the Grouper community? We need community members to use the new provisioning framework for new use cases or migrate existing provisioners to use it, and provide feedback to the Grouper team.
Grouper templates are ready for institutions to create custom forms and services to securely expose proprietary authorization logic. For example, templates can take inputs from a user or system and implement multiple Grouper tasks, manipulate data in external systems, and report data required for complex attestation. This allows Grouper users to accomplish multiple targeted tasks at once and save time while increasing consistency. Unlike command line GSH, templates are secure and audited so there is a paper trail and admins do not need access to Grouper shells. For more details, see the documentation.
New Authentication Approaches
Grouper is offering new authentication approaches in response to community use cases. You asked and the Grouper team responded! One new option includes trusted JWT for web services in Grouper 2.6.0, documented here. A trusted client can issue JWT’s for users as a more secure way to “act as” others for WS. This is an option for example if your institution has a UI in front of Grouper. Grouper WS can also use OIDC for client authentication. Users who use OIDC (e.g. from the Shibboleth IdP), can have their token passed to Grouper WS for secure authentication.
A new WS authentication option (in addition to current options) is self service JWT based on local entities. A Grouper user who has access to create objects in a folder, can create a local entity, and download a private key for that user (one-time download). If the local entity is added to the group allowed to call WS, it can use the private key to sign a JWT in the request and not need an institution credential. Users can sign in to the UI with OIDC for a lightweight authentication integration (upcoming in Grouper v2.6.*).
We are delighted with the community’s response to Grouper Training offered on Zoom over the past two years. Over 40 students successfully completed training in late September and there are three Grouper School sessions planned for 2022. See the Grouper School webpage for details. The curriculum has been revamped so the training containers are easier to use and a better example of how the Grouper Deployment Guide recommends data to be structured. There are new modules for provisioning and templates.
As of November 2021, the current live versions of Grouper are v2.5.x and v2.6.x. Grouper v2.5.x is the stable version with no enhancements, just important bugs and security fixes. Grouper v2.6.* includes enhancements, bugs and security fixes. Grouper v2.6.* development wrap-up is slated for 2022 Q1. v2.6.* should be used for the provisioning framework. By the time v2.6.* is done, all legacy provisioners are able to be migrated to the provisioning framework. v3.0.* will not have legacy provisioners (e.g. PSPNG) included anymore. v3.0.* will be a major rewrite with a focus on optimizing performance.
You are invited to review the Grouper Roadmap at this wiki page.
The Grouper team thanks our amazing Grouper community for your continued support and contributions. A lot of community conversation about Grouper happens these days on our InCommon-Grouper Slack channel. If you’d like to be added to this Slack channel, please use this form.