Grouper Connector (JDBC)

Last modified 20 Sep 2023 15:33 +02:00

Identity connector for Grouper. Using JDBC to connect to a PostgreSQL database.

Development status: active (actively developed and maintained)
Support status: supportable
Support provided by: Evolveum
Target systems: Grouper (Internet2 et al.)
Source code

Connector for Grouper access management system.

It supports group and group membership management, management of the "Subject" object type, and reading additional extension attributes of all object types. The PostgreSQL JDBC driver is part of the connector distribution.

Grouper exports data to an intermediary PostgreSQL database using the midPoint provisioner, and this connector reads all of its data from that database. This architecture uses the Grouper provisioning capabilities, which are optimized for performance and throughput.

Capabilities and Features



Group and Subject object type. The extension schema is fetched dynamically during configuration discovery, or it can be extended through a configuration property.



This connector was designed as read-only.

Live Synchronization


Using last modification timestamps. Supports "Group", "Subject" and "All" object classes.



Not needed for group membership management.



Filtering changes


Paging support


Pagination using the Private Key which represents object ID

Native attribute names



Version Origin Binary Sources Build Date Framework version Bundled with midPoint Description


download jar

Evolveum git repository (master)

Sep 11 2023

Stable version


Change in groupId compared to previous SNAPSHOT versions, to comply with polygon standards


  • ConnId (Evolveum release), which is part of midPoint 4.6.

  • Any supported PostgreSQL version (tested with PostgreSQL 15.2)

  • TODO: Grouper version


This connector is supportable by Evolveum.

Evolveum can provide support for this connector. However, support for this connector is not provided on a routine basis and some special arrangements and customizations may be needed. Please contact an Evolveum representative for details.

Configuration parameters

Parameter Note Example Configuration discovery


Hostname / URL pointing to the Grouper database.


TCP Port

Enter the port number for the connection to the database server.



Database name

Name of the database schema containing grouper object tables.



User Name

Name of the management account on the database server with permissions to the grouper schema.



Validation Timeout

The number of seconds which represent the limit for connection validation. Setting this parameter to '0' means indefinite. [default value is 10]


Yes, configuration discovery will show default value with the possibility of override.


Password to the management account.



Subject Extensions

Extension Attributes for Subject Object Type. Multivalued property.

Foo, Baar

Yes, Configuration discovery will offer possible values.

Group Extensions

Extension Attributes for Group Object Type

Foo, Baar

Yes, Configuration discovery will offer possible values.

Exclude Objects marked as Deleted

If set to 'True', this option excludes objects marked as Deleted from search results. If set to 'False', the IAM could misinterpret such an object as 'not deleted' in the event of a reconciliation.


Yes, Configuration discovery will offer possible values.

Enable ID based Paging

Id based pagination using the Private Key representing object ID for pagination. [default value is false]


Yes, Configuration discovery will offer possible values.

Maximum Page Size

The maximum number of records returned by any connector operation. After these records are processed, the next set of records is requested from the resource for further processing. [Used when 'Enable ID based Paging' is set to true]


Yes, Configuration discovery will offer possible values.

Include in 'ALL' searches

Defines a set of attributes which will be explicitly fetched in an 'ALL' object class search. This serves as a workaround for the lack of "ATTRS_TO_GET" operation option values. (Please see 'notes' and also Attributes To Get.)
A LiveSync task that works with all object classes requires this parameter to contain the values 'members' and 'memberOf'.

members, memberOf


Resource Examples

LiveSync Task Examples

  • LiveSync Task Sample

  • The LiveSync task processes both Group and Subject objects at the same time. This prevents race-condition conflicts when a new group is created and populated with users. In that case it’s important to process the group before the subjects (and their memberships).

  • A LiveSync task which synchronizes both object classes requires the 'Include in ALL searches' configuration parameter to contain the values 'members' and 'memberOf'. See MID-8996 for details.


The connector requires a PostgreSQL-based intermediary database. Grouper itself might use an arbitrary database engine.

The connector supports pagination and a 'max page size' configuration parameter. A query is divided into multiple queries whose outputs contain a smaller number of rows (based on the page size or the 'max page size' configuration parameter). A higher number of rows can still be returned when an object has a large number of members, group memberships or auxiliary attributes.

With 'Exclude Objects marked as Deleted' set to true, rows marked as 'deleted' are handled as not present. For rows in the 'main' object tables, the objects will be handled as deleted. For rows in the membership or auxiliary attribute tables, the absence of the row means removal of the parameter value.

Among other functions, the "Configuration discovery" operation provides a list of possible names of auxiliary attributes which, if selected, are incorporated into the attribute schema. This list of attributes can be changed in the resource configuration, after which the schema should be 'regenerated' ('refreshed').

The "members" and "member_of" attributes are "virtual" and are not retrieved by default; the attribute configuration in the IAM has to request them explicitly. The same applies to attributes originating from tables other than the main ones (the main tables are "gr_mp_subjects" and "gr_mp_groups").
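
The connector is described above as read-only and reads only from the intermediary database, so the account entered in 'User Name' does not need write access there. The following SQL is an added example, not part of the connector's documentation or code: it sets up a SELECT-only PostgreSQL role, assuming the connector issues only read queries. The role names, database name and schema name are placeholders.

```sql
-- Added example. Placeholders (not values from the connector documentation):
--   midpoint_grouper_ro : role used in the connector's 'User Name' parameter
--   grouper_writer      : role the Grouper side uses to write into the database
--   grouper_mp          : intermediary database
--   grouper_schema      : schema holding the Grouper object tables
-- Run as a superuser or as the owner of the database and schema.

-- Login role without administrative attributes; set a real password out of band.
CREATE ROLE midpoint_grouper_ro LOGIN PASSWORD 'CHANGE_ME'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION
    CONNECTION LIMIT 10;

-- Minimum needed to open a session and resolve table names in the schema.
GRANT CONNECT ON DATABASE grouper_mp TO midpoint_grouper_ro;
GRANT USAGE ON SCHEMA grouper_schema TO midpoint_grouper_ro;

-- Read access to the tables that exist now (main, membership and
-- auxiliary attribute tables). No INSERT/UPDATE/DELETE/TRUNCATE is granted.
GRANT SELECT ON ALL TABLES IN SCHEMA grouper_schema TO midpoint_grouper_ro;

-- Tables created later by the writing role become readable as well,
-- so a schema change on the Grouper side does not push anyone toward
-- handing the connector a more privileged account.
ALTER DEFAULT PRIVILEGES FOR ROLE grouper_writer IN SCHEMA grouper_schema
    GRANT SELECT ON TABLES TO midpoint_grouper_ro;

-- Defence in depth only: a session can switch this setting off again,
-- so the missing write privileges above remain the actual control.
ALTER ROLE midpoint_grouper_ro SET default_transaction_read_only = on;

-- Check the result against the two main tables named in the notes:
-- one row per table, showing whether the role can read and whether it
-- holds any write privilege.
SELECT v.t AS table_name,
       has_table_privilege('midpoint_grouper_ro'::name, v.t, 'SELECT')
           AS can_select,
       has_table_privilege('midpoint_grouper_ro'::name, v.t,
                           'INSERT, UPDATE, DELETE, TRUNCATE')
           AS can_write
FROM (VALUES ('grouper_schema.gr_mp_groups'),
             ('grouper_schema.gr_mp_subjects')) AS v(t);
```

If the check reports a write privilege, look for grants inherited through role membership or through PUBLIC before putting the account into the resource configuration.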

See Also