Introduction to Grouper
Grouper Training
Developers and Architects
Integration
Chris Hyzer
Internet2
University of Pennsylvania
This work is licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License.
Contents
• Introduction
• Groups vs. permissions
• LDAP vs. WS vs. SAML entitlements
• Cached vs. live calls
• Grouper API vs. local representation
• Other features
Introduction to Integration
Groups vs. permissions
• The application can use groups or permissions for authorization
• Groups are coarse-grained, and the permissions they imply are mapped or hard-coded in the application
• Permissions are more flexible and can be changed at runtime if stored centrally
Groups for authorization
(Diagram: Grouper holds the groups Student, Faculty and Admin; the application's main screen checks group membership.)
  if user.hasGroup("Student")
      show courses menu
  if user.hasGroup("Faculty")
      show reports menu
  if user.hasGroup("Admin")
      show audit menu
Permissions for authorization
(Diagram: Grouper holds the permissions show-coursesMenu, show-reportsMenu and show-auditMenu; the application's main screen checks permissions.)
  if user.hasPermission("show", "coursesMenu")
      show courses menu
  if user.hasPermission("show", "reportsMenu")
      show reports menu
  if user.hasPermission("show", "auditMenu")
      show audit menu
Permissions for authorization (continued)
• Note: if using permissions, assignments can still be made by group/role, which might be loaded
• i.e. in this case, the application might have the roles Student, Faculty and Admin
• Those roles might include the groups which are loaded from source systems
• The roles have permissions assigned to them
• When needed, permissions can be assigned directly to users
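As an added example, not code from the slides or from Grouper: a small Python model of the two styles contrasted above, a group check with a hard-coded group-to-menu mapping in the application, versus permissions resolved through roles that include loaded groups, plus direct user assignments, with the permission store changeable at runtime. The group, role and user names and the membership data are constructed placeholders; the dictionaries stand in for what Grouper would hold.

```python
# Added example, not from the slides: names are constructed placeholders and the
# dictionaries stand in for what Grouper would hold.
GROUP_MEMBERS = {  # groups loaded from source systems, with their members
    "source:registrar:students": {"alice"},
    "source:hr:faculty": {"bob"},
    "app:admins": {"carol"},
}
ROLE_GROUPS = {  # application roles; each includes one or more loaded groups
    "Student": {"source:registrar:students"},
    "Faculty": {"source:hr:faculty"},
    "Admin": {"app:admins"},
}
ROLE_PERMISSIONS = {  # (action, resource) assigned to roles in the central store
    "Student": {("show", "coursesMenu")},
    "Faculty": {("show", "reportsMenu")},
    "Admin": {("show", "auditMenu")},
}
USER_PERMISSIONS = {"dave": {("show", "auditMenu")}}  # assigned directly, no role
MENUS = ["coursesMenu", "reportsMenu", "auditMenu"]
# Group-based style: the group -> menu mapping is hard-coded in the application.
HARDCODED_MENU_GROUPS = {
    "coursesMenu": "source:registrar:students",
    "reportsMenu": "source:hr:faculty",
    "auditMenu": "app:admins",
}

def has_group(user, group):
    return user in GROUP_MEMBERS.get(group, set())

def roles_of(user):
    """Roles the user holds through membership in any of the role's groups."""
    return {role for role, groups in ROLE_GROUPS.items()
            if any(has_group(user, g) for g in groups)}

def has_permission(user, action, resource):
    """True if assigned to the user directly or to any role the user holds."""
    if (action, resource) in USER_PERMISSIONS.get(user, set()):
        return True
    return any((action, resource) in ROLE_PERMISSIONS.get(r, set())
               for r in roles_of(user))

def menus_by_group(user):
    return [m for m, g in HARDCODED_MENU_GROUPS.items() if has_group(user, g)]

def menus_by_permission(user):
    return [m for m in MENUS if has_permission(user, "show", m)]

def assign_role_permission(role, action, resource):
    """Runtime change in the central store; no application code is touched."""
    ROLE_PERMISSIONS.setdefault(role, set()).add((action, resource))
```

Granting Faculty the audit menu via assign_role_permission changes what menus_by_permission returns for a faculty member immediately, while menus_by_group keeps returning the hard-coded mapping until the code is changed.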
LDAP vs. WS vs. entitlements
• The application could talk to LDAP
  • If the required data is in LDAP (e.g. are the permissions in LDAP?)
  • If the package is LDAP-enabled
• Or to Grouper WS
  • If availability requirements allow
  • If a custom application or connector can be written, or the data synced
LDAP vs. WS vs. entitlements (continued)
• The application can use entitlements
  • If the data is needed for logged-in users
  • If the number of assignments fits
  • SAML-enabled applications or cloud services
LDAP applications
(Diagram: Grouper -> LDAP -> Application)
WS applications
(Diagram: Grouper -> Application, via Grouper WS)
SAML entitlements
(Diagram: Grouper -> Shib -> Application)
Cached vs. live calls
• Applications can make fewer calls and cache the results
  • Can cache periodically, or on events (like login)
  • Notifications can refresh the cache
  • Can store the cache in memory, DB, or disk
• Live calls
  • More calls, less caching logic
  • No propagation delays
  • Dependent on Grouper/LDAP for uptime
Grouper API vs. local representation
• Custom applications could use the Grouper API
• Packages might have a groups or permissions store with no adapter
• Grouper could provision into that representation, possibly using real-time notifications
Other features
• Applications might take advantage of:
  • Lite UI
  • External users
  • Permission limits
  • Attribute framework
  • Person picker
  • etc.
Quiz
• Click on the quiz link in the video description to reinforce your knowledge of this topic
Thanks!
Further information:
• Infosheets, mailing lists, wiki, downloads, etc.: www.internet2.edu/grouper
• Grouper demo server: grouperdemo.internet2.edu/
• Grouper Online Training Home: spaces.internet2.edu/x/IIGfAQ