Posted on 17-Jan-2016
Grouper Training: Developers and Architects
Integration
Chris Hyzer
Internet2
University of Pennsylvania
This work licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License.
Contents
• Introduction
• Groups vs. permissions
• LDAP vs. WS vs. SAML entitlements
• Cached vs. live calls
• Grouper API vs. local representation
• Other features
Introduction to Integration
Groups vs. permissions
• The application can use groups or permissions for authorization
• Groups are coarse-grained; what a group member is allowed to do is mapped or hard-coded inside the application
• Permissions are finer-grained and more flexible, and can be changed at runtime if they are stored centrally (e.g. in Grouper) rather than in application code
Groups for authorization
Diagram: Grouper -> Application (groups: Student, Faculty, Admin) -> MainScreen
  if user.hasGroup("Student") show courses menu
  if user.hasGroup("Faculty") show reports menu
  if user.hasGroup("Admin") show audit menu
Permissions for authorization
Diagram: Grouper -> Application (permissions: show-coursesMenu, show-reportsMenu, show-auditMenu) -> MainScreen
  if user.hasPermission("show", "coursesMenu") show courses menu
  if user.hasPermission("show", "reportsMenu") show reports menu
  if user.hasPermission("show", "auditMenu") show audit menu
Permissions for authorization (continued)
• Note: if using permissions, assignments can still be made by group/role, and those groups might be loaded
• i.e. in this case, the application might have roles: Student, Faculty, Admin
• Those roles might include the groups which are loaded from source systems
• The roles have permissions assigned to them
• When needed, permissions can be assigned directly to users
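The two authorization styles on the preceding slides, worked through as an added example (this is not Grouper's own code or API): a coarse-grained group check with group names hard-coded into the application, beside a permission check where permissions are assigned to roles, roles are fed by groups loaded from source systems, and a permission can also be assigned directly to a subject. All group, subject and policy data is constructed sample data, and every function and class name is this example's own.

```python
"""Added example (not Grouper's own code): group checks vs. role-based permission checks."""

# Constructed sample data: groups as loaded from source systems (SIS, HR, IT).
GROUP_MEMBERS = {
    "sis:students": {"alice"},
    "hr:faculty": {"bob"},
    "it:admins": {"carol"},
}

MENUS = ["coursesMenu", "reportsMenu", "auditMenu"]


def has_group(subject, group):
    """Coarse-grained check: is the subject a member of the named group?"""
    return subject in GROUP_MEMBERS.get(group, set())


class PermissionStore:
    """Role -> groups, role -> permissions, plus direct subject -> permissions.
    A permission is an (action, resource) pair, e.g. ("show", "auditMenu")."""

    def __init__(self):
        self.role_groups = {}         # role name -> set of group names feeding it
        self.role_permissions = {}    # role name -> set of (action, resource)
        self.direct_permissions = {}  # subject -> set of (action, resource)

    def add_role(self, role, groups):
        self.role_groups[role] = set(groups)
        self.role_permissions.setdefault(role, set())

    def assign_to_role(self, role, action, resource):
        self.role_permissions.setdefault(role, set()).add((action, resource))

    def revoke_from_role(self, role, action, resource):
        self.role_permissions.get(role, set()).discard((action, resource))

    def assign_to_subject(self, subject, action, resource):
        self.direct_permissions.setdefault(subject, set()).add((action, resource))

    def roles_of(self, subject):
        """A subject holds a role if it is a member of any group that feeds the role."""
        return {role for role, groups in self.role_groups.items()
                if any(has_group(subject, g) for g in groups)}

    def has_permission(self, subject, action, resource):
        """Deny by default; allow via a direct assignment or via any held role."""
        wanted = (action, resource)
        if wanted in self.direct_permissions.get(subject, set()):
            return True
        return any(wanted in self.role_permissions.get(r, set())
                   for r in self.roles_of(subject))


def menus_by_group(subject):
    """'Groups for authorization' style: group names are hard-coded in the app."""
    shown = []
    if has_group(subject, "sis:students"):
        shown.append("coursesMenu")
    if has_group(subject, "hr:faculty"):
        shown.append("reportsMenu")
    if has_group(subject, "it:admins"):
        shown.append("auditMenu")
    return shown


def menus_by_permission(store, subject):
    """'Permissions for authorization' style: the app only asks 'may X show menu Y?'."""
    return [m for m in MENUS if store.has_permission(subject, "show", m)]


def build_store():
    """Constructed policy: roles fed by source-system groups, one permission per role."""
    store = PermissionStore()
    store.add_role("Student", ["sis:students"])
    store.add_role("Faculty", ["hr:faculty"])
    store.add_role("Admin", ["it:admins"])
    store.assign_to_role("Student", "show", "coursesMenu")
    store.assign_to_role("Faculty", "show", "reportsMenu")
    store.assign_to_role("Admin", "show", "auditMenu")
    return store


if __name__ == "__main__":
    store = build_store()
    print(menus_by_group("bob"), menus_by_permission(store, "bob"))
    # Policy change at runtime, no code change: Faculty may now see the audit menu.
    store.assign_to_role("Faculty", "show", "auditMenu")
    print(menus_by_permission(store, "bob"))
    # Direct assignment to a subject who is in no source-system group at all.
    store.assign_to_subject("dave", "show", "reportsMenu")
    print(menus_by_permission(store, "dave"))
```

The point to notice is that `menus_by_group` can only change when the application code changes, while `menus_by_permission` follows whatever the central store says at call time; the default in `has_permission` is deny, so a subject with no role and no direct assignment sees nothing.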
LDAP vs. WS vs. entitlements
• The application could talk to LDAP
  • If the required data is in LDAP (e.g. are permissions in LDAP?)
  • If the package is LDAP-enabled
• Or to Grouper WS
  • If availability requirements allow
  • If a custom application or connector can be written, or the data can be synced
LDAP vs. WS vs. entitlements (continued)
• The application can use entitlements
  • If the data is only needed for logged-in users
  • If the number of assignments fits in the assertion
  • For SAML-enabled applications or cloud services
LDAP applications
Diagram: Grouper -> LDAP -> Application
WS applications
Diagram: Grouper -> Application (direct web service calls, one Grouper serving many applications)
SAML entitlements
Diagram: Grouper -> Shib (Shibboleth IdP) -> Application (entitlements carried in the SAML assertion)
Cached vs. live calls
• Cached calls
  • Applications can make fewer calls and cache the results
  • Can cache periodically, or on events (like login)
  • Notifications can refresh the cache
  • Can store the cache in memory, DB, or on disk
• Live calls
  • More calls, less caching logic
  • No propagation delays
  • Dependent on Grouper/LDAP for uptime
Grouper API vs. local representation
• Custom applications could use the Grouper API
• Packages might have a groups or permissions store with no adapter
  • Grouper could provision into that representation, possibly using real-time notifications
Other features
• Applications might take advantage of:
  • Lite UI
  • External users
  • Permission limits
  • Attribute framework
  • Person picker
  • etc.
Quiz
• Click on the quiz link in the video description to reinforce your knowledge of this topic
Thanks!
Further information:
• Infosheets, mailing lists, wiki, downloads, etc.: www.internet2.edu/grouper
• Grouper demo server: grouperdemo.internet2.edu/
• Grouper Online Training Home: spaces.internet2.edu/x/IIGfAQ