<attribute xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
<ref>ri:members</ref>
<fetchStrategy>explicit</fetchStrategy>
</attribute>
Grouper Connector (JDBC)
Identity connector for Grouper. Using JDBC to connect to a PostgreSQL database.
Functionality | stable |
Development status | active (actively developed and maintained) |
Support status | supportable |
Origin | Evolveum |
Support provided by | Evolveum |
Target systems | Grouper (Internet2 et al.) |
Protocol | JDBC |
Source code | https://github.com/Evolveum/connector-grouper |
Connector for Grouper access management system.
It supports group and group membership management, management of the "Subject" object type and also capabilities to read additional extension attributes of all object types. PostgreSQL database JDBX driver is a part of the connector distribution.
Grouper is exporting data to intermediary PostgreSQL database using midPoint provisioner from where this connector reads all the data. This architecture uses the grouper provisioning capabilities which are optimized for performance and throughput.
Capabilities and Features
Schema |
YES |
Group and Subject object type. Extension schema is fetched dynamically during configuration discovery. Or can be extended as configuration property. |
---|---|---|
Provisioning |
NO |
This connector was designed as read-only. |
Live Synchronization |
Yes |
Using last modification timestamps. Supports "Group", "Subject" and "All" object classes. |
Password |
NO |
Not needed for group membership management. |
Activation |
NO |
|
Filtering changes |
NO |
|
Paging support |
YES |
Pagination using the Private Key which represents object ID |
Native attribute names |
YES |
History
Version | Origin | Binary | Sources | Build Date | Framework version | Bundled with midPoint | Description |
---|---|---|---|---|---|---|---|
1.0.0.0 |
Evolveum |
Sep 11 2023 |
Stable version |
No |
Change in groupId in comparison to previous SNAPSHOT versions to comply to polygon standards |
||
1.0.1.0 |
Evolveum |
Oct 19 2023 |
Stable version |
No |
Bug fix related to issues in reconciliation and some association cases |
||
1.1.1.0 |
Evolveum |
Nov 8 2023 |
Stable version |
No |
Default database name changed to contain prefix 'gp', otherwise custom prefix cna be added via 'Table Prefix' configuration parameter. |
||
1.2.0.0 |
Evolveum |
July 24 2024 |
Stable version |
No |
Default database name changed to contain prefix 'gr', performance improvements were made. |
Interoperability
-
ConnId 1.5.1.3 (Evolveum release), which is part of midPoint 4.6.
-
Any supported PostgreSQL version (tested with PostgreSQL 15.2).
-
Grouper version 4.7.0 or higher.
Support
This connector is supportable by Evolveum.
Evolveum can provide support for this connector. However, support for this connector is not provided on a routine basis and some special arrangements and customizations may be needed. Please contact Evolveum representative for the details.
Configuration parameters
Parameter | Note | Example | Configuration discovery |
---|---|---|---|
Host |
Hostname / ulr pointing to the grouper database. |
127.0.0.1 |
No |
TCP Port |
Enter the port number for the connection to the database server. |
5432 |
No |
Database name |
Name of the database schema containing grouper object tables. |
grouper |
No |
User Name |
Name of the management account on the database server with permissions to the grouper schema. |
midpoint |
No |
Validation Timeout |
The number of seconds which represent the limit for connection validation. Setting this parameter to '0' means indefinite.[default value is 10] |
15 |
Yes, configuration discovery will show default value with the possibility of override. |
Password |
Password to the management account. |
5ecr3t |
No |
Subject Extensions |
Extension Attributes for Subject Object Type. Multivalued property. |
Foo, Baar |
Yes, Configuration discovery will offer possible values. |
Group Extensions |
Extension Attributes for Group Object Type |
Foo, Baar |
Yes , Configuration discovery will offer possible values. |
Exclude Objects marked as Deleted |
This option if set to 'True' excludes the objects marked as Deleted from search results. If set to 'False' this could cause the IAM to misinterpret the object as 'not deleted' in the event of a reconciliation. |
True |
Yes , Configuration discovery will offer possible values. |
Enable ID based Paging |
Id based pagination using the Private Key representing object ID for pagination. [default value is false] |
True |
Yes , Configuration discovery will offer possible values. |
Maximum Page Size |
The maximum number of records which will be returned by any connector operation, after which is processed a next set of records will be requested from the resource for further processing. [Used when 'Enable ID based Paging' is set to true] |
True |
Yes , Configuration discovery will offer possible values. |
Include in 'ALL' searches |
Define a set of attributes which will be explicitly fetched in an 'ALL' object class search. This serves as an workaround for the lack of "ATTRS_TO_GET" operation options values. (Please see 'notes' and also please see Attributes To Get ) |
members, memberOf |
No |
Resource Examples
LiveSync Task Examples
-
The liveSync task is processing both Groups and Subject object at the same time. That will prevent race condition types of conflicts when a new group is created and populated with users. In that case it’s important to process the group before the subjects (and their memberships).
-
The LiveSync task which synchronizes both object classes requires 'Include in ALL searches' configuration parameter contains values 'members' and 'memberOf'. See MID-8996 for details.
Notes
Connector requires PostgreSQL based intermediary database. Grouper might use arbitrary database engine.
Connector supports pagination and a 'max page size' configuration parameter. This will divide the query into multiple ones with outputs containing smaller number of rows (based on page size or the 'max page size' configuration parameter). There still can be the possibility of higher number of rows returned in case of an object having a large number of members or group memberships or a large number of auxiliary attributes.
With 'Exclude Objects marked as Deleted' set to true the rows marked as 'deleted' are handled as not present. In case of rows present in the 'main' object tables, the objects will be handled as deleted. In case of rows present in the membership or auxiliary attributes tables the lack of the row will mean a removal of parameter value.
The "Configuration discovery" operation among other functions will provide you with a list of possible names of auxiliary attributes which if selected will be incorporated in the attribute schema. This list of attributes can be changed in the resource configuration, after which the schema should be 'regenerated' ('refreshed').
The "members" and "member_of" ("virtual" attributes) are not retrieved by default, the attribute configuration in the IAM has to explicitly request these attributes. The same applies to attributes originating from other tables as the main ones (Tables referred to as the main tables: "gr_mp_subjects" and "gr_mp_groups"). To achieve this the mappings have to be augmented by the parameter "fetchStrategy" set to the value "explicit".
Migration from legacy Grouper connector.
Following steps will guide you though migration from legacy Grouper Connector.
Following migration guide is based on the examples of InCommon midPoint and Grouper integration demo. You might need to attune it to your environment. |
-
Deploy the new Grouper connector and configure basic settings for the connector. Do not configure mappings of synchronization yet. Goal is to successfully test the resource and be able to list accounts and entitlements.
-
Configure correlation for both accounts and entitlements (groups). Make sure the accounts are correlated to existing users and entitlements are correlated to corresponding objects (typically Org. units). You can verify the correlation configuration with Simulation. See also correlation scenario tutorial.
-
Now you can add attributes mappings and synchronization configuration.
-
Configure association including inbound mapping from association. Set the same subtype assignments as it was used in the legacy connector (typically "grouper-group")
-
Stop synchronization tasks for the legacy Grouper resource. Typically that will be reconciliation and asynchronous update tasks.
-
Remove mapping from user object template that was executing shadow query to create assignments of users to orgs that are representing groups. Also stop Group Scavenger task.
-
Reconcile groups using the new Grouper resource. When the reconciliation tasks finishes reconcile users.
-
Next steps is to remove assignments with grouper-group subtype that shouldn’t exist. Deploy cleanup mapping to the users object template. You will find it in examples section above. It will be applied later by recomputation of all users.
-
Configure liveSync and periodic reconciliation for the new Grouper resource. Now the new resource is fully operational.
-
Decommission the old Grouper resource and related settings. Remove reconciliation task, asynchronous update task, Grouper Scavenger task and functional library with functions for legacy Grouper connector. Remove all shadows for the old Grouper resource and remove the resource itself.
-
Recompute all users. That will apply the user template mapping for cleaning up of grouper-group assignment and also it will clean up account links from users to the removed Grouper resource.
See Also
Example of midPoint and Grouper integration is available in InCommon TAP Workbench. You can see the resource configuration example there or find other related objects in the same repository.