
Grouper Training Developers and Architects Integration Chris Hyzer Internet2 University of Pennsylvania This work licensed under a Creative Commons Attribution-NonCommercial.


1 Grouper Training Developers and Architects Integration Chris Hyzer Internet2 University of Pennsylvania This work licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License.

2 Contents
- Introduction
- Groups vs. permissions
- LDAP vs. WS vs. SAML entitlements
- Cached vs. live calls
- Grouper API vs. local representation
- Other features

3 Introduction to Integration

4 Groups vs. permissions
- The application can use groups or permissions for authorization
- Groups are coarse-grained, and permissions are mapped or hard-coded
- Permissions are more flexible and can be changed at runtime if stored centrally

5 Groups for authorization
[Diagram: Grouper, Application. Groups: Student, Faculty, Admin]
Main Screen
  if user.hasGroup("Student") show courses menu
  if user.hasGroup("Faculty") show reports menu
  if user.hasGroup("Admin") show audit menu

6 Permissions for authorization
[Diagram: Grouper, Application. Permissions: show-coursesMenu, show-reportsMenu, show-auditMenu]
Main Screen
  if user.hasPermission("show", "coursesMenu") show courses menu
  if user.hasPermission("show", "reportsMenu") show reports menu
  if user.hasPermission("show", "auditMenu") show audit menu

7 Permissions for authorization (continued)
- Note, if using permissions, assignments can still be made by group/role, which might be loaded
- i.e. in this case, the application might have roles: Student, Faculty, Admin
- Those roles might include the groups which are loaded from source systems
- The roles have permissions assigned to them
- When needed, permissions can be assigned directly to users

8 LDAP vs. WS vs. entitlements
- The application could talk to LDAP
  - If required data is in LDAP (e.g. are permissions in LDAP)
  - If package is LDAP enabled
- Or to Grouper WS
  - If availability requirements allow
  - If custom application or connector can be written or data sync'ed

9 LDAP vs. WS vs. entitlements (continued)
- Application can use entitlements
  - If data is needed for logged-in users
  - If number of assignments fits
  - SAML enabled applications or cloud services

10 [Diagrams: LDAP applications (Grouper, LDAP, Application); WS applications (Grouper, Application); SAML entitlements (Grouper, Shib, Application)]

11 Cached vs. live calls
- Applications can make fewer calls and cache the results
  - Can cache periodically, or on events (like login)
  - Notifications can refresh cache
  - Can store the cache in memory, DB, disk
- Live calls
  - More calls, less caching logic
  - No propagation delays
  - Dependent on Grouper/LDAP for uptime
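
The caching trade-off from slide 11, as an added example that is not part of the original presentation and is not Grouper code: an application-side permission cache refreshed at login and on notification, with a maximum age that bounds how long a central revocation can lag. `PermissionCache`, `BackendUnavailable` and the `fetch` callable (standing in for a Grouper WS or LDAP lookup) are hypothetical names, and denying when an entry has expired and the backend is unreachable is this example's choice.

```python
import time

class BackendUnavailable(Exception):
    """Raised by the lookup when Grouper or LDAP cannot be reached."""

class PermissionCache:
    def __init__(self, fetch, max_age=300, clock=time.monotonic):
        self._fetch = fetch      # hypothetical lookup: user -> iterable of (action, resource)
        self._max_age = max_age  # seconds; upper bound on how long a revocation can lag
        self._clock = clock
        self._entries = {}       # user -> (fetched_at, frozenset of permissions)

    def refresh(self, user):
        """Live call; run it on events such as login."""
        self._entries[user] = (self._clock(), frozenset(self._fetch(user)))

    def invalidate(self, user):
        """Call from a change notification so the next check goes live."""
        self._entries.pop(user, None)

    def has_permission(self, user, action, resource):
        entry = self._entries.get(user)
        if entry is None or self._clock() - entry[0] > self._max_age:
            try:
                self.refresh(user)
            except BackendUnavailable:
                self._entries.pop(user, None)
                return False     # expired and unverifiable: deny
            entry = self._entries[user]
        return (action, resource) in entry[1]

def demo():
    """Constructed scenario: login, central revocation, then a backend outage."""
    store = {"alice": {("show", "reportsMenu")}}   # constructed sample data
    state = {"now": 0.0, "up": True}
    def fetch(user):
        if not state["up"]:
            raise BackendUnavailable(user)
        return store.get(user, set())
    cache = PermissionCache(fetch, max_age=300, clock=lambda: state["now"])
    check = lambda: cache.has_permission("alice", "show", "reportsMenu")
    cache.refresh("alice")            # login event
    results = [check()]               # served from cache
    store["alice"] = set()            # revoked centrally
    state["now"] = 200
    results.append(check())           # still granted: propagation delay
    state["now"] = 301
    results.append(check())           # entry expired, live call sees the revocation
    state.update(now=700, up=False)
    results.append(check())           # expired and backend down: denied
    return results
```

Wiring `invalidate` to change notifications shortens the window shown in the second check without lowering `max_age`.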

12 Grouper API vs. local representation
- Custom applications could use the Grouper API
- Packages might have a groups or permissions store with no adapter
  - Grouper could provision into that representation.
  - Might use real-time notifications

13 Other features
Applications might take advantage of:
- Lite UI
- External users
- Permission limits
- Attribute framework
- Person picker
- etc

14 Quiz
Click on the quiz link in the video description to reinforce your knowledge of this topic

15 Thanks!
Further information:
- Infosheets, mailing lists, wiki, downloads, etc.: www.internet2.edu/grouper
- Grouper demo server: grouperdemo.internet2.edu/
- Grouper Online Training Home: spaces.internet2.edu/x/IIGfAQ
This work licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License.

