Grouper Connector (JDBC)

Last modified 08 Feb 2024 16:58 +01:00

Identity connector for Grouper. Using JDBC to connect to a PostgreSQL database.

Development statusactive (actively developed and maintained)
Support statussupportable
Support provided byEvolveum
Target systemsGrouper (Internet2 et al.)
Source code

Connector for Grouper access management system.

It supports group and group membership management, management of the "Subject" object type and also capabilities to read additional extension attributes of all object types. PostgreSQL database JDBX driver is a part of the connector distribution.

Grouper is exporting data to intermediary PostgreSQL database using midPoint provisioner from where this connector reads all the data. This architecture uses the grouper provisioning capabilities which are optimized for performance and throughput.

Capabilities and Features



Group and Subject object type. Extension schema is fetched dynamically during configuration discovery. Or can be extended as configuration property.



This connector was designed as read-only.

Live Synchronization


Using last modification timestamps. Supports "Group", "Subject" and "All" object classes.



Not needed for group membership management.



Filtering changes


Paging support


Pagination using the Private Key which represents object ID

Native attribute names



Version Origin Binary Sources Build Date Framework version Bundled with midPoint Description


download jar

Evolveum git repository (master)

Sep 11 2023

Stable version


Change in groupId in comparison to previous SNAPSHOT versions to comply to polygon standards


download jar

Evolveum git repository (master)

Oct 19 2023

Stable version


Bug fix related to issues in reconciliation and some association cases


download jar

Evolveum git repository (master)

Nov 8 2023

Stable version


Default database name changed to contain prefix 'gp', otherwise custom prefix cna be added via 'Table Prefix' configuration parameter.


  • ConnId (Evolveum release), which is part of midPoint 4.6.

  • Any supported PostgreSQL version (tested with PostgreSQL 15.2).

  • Grouper version 4.7.0 or higher.


This connector is supportable by Evolveum.

Evolveum can provide support for this connector. However, support for this connector is not provided on a routine basis and some special arrangements and customizations may be needed. Please contact Evolveum representative for the details.

Configuration parameters

Parameter Note Example Configuration discovery


Hostname / ulr pointing to the grouper database.


TCP Port

Enter the port number for the connection to the database server.



Database name

Name of the database schema containing grouper object tables.



User Name

Name of the management account on the database server with permissions to the grouper schema.



Validation Timeout

The number of seconds which represent the limit for connection validation. Setting this parameter to '0' means indefinite.[default value is 10]


Yes, configuration discovery will show default value with the possibility of override.


Password to the management account.



Subject Extensions

Extension Attributes for Subject Object Type. Multivalued property.

Foo, Baar

Yes, Configuration discovery will offer possible values.

Group Extensions

Extension Attributes for Group Object Type

Foo, Baar

Yes , Configuration discovery will offer possible values.

Exclude Objects marked as Deleted

This option if set to 'True' excludes the objects marked as Deleted from search results. If set to 'False' this could cause the IAM to misinterpret the object as 'not deleted' in the event of a reconciliation.


Yes , Configuration discovery will offer possible values.

Enable ID based Paging

Id based pagination using the Private Key representing object ID for pagination. [default value is false]


Yes , Configuration discovery will offer possible values.

Maximum Page Size

The maximum number of records which will be returned by any connector operation, after which is processed a next set of records will be requested from the resource for further processing. [Used when 'Enable ID based Paging' is set to true]


Yes , Configuration discovery will offer possible values.

Include in 'ALL' searches

Define a set of attributes which will be explicitly fetched in an 'ALL' object class search. This serves as an workaround for the lack of "ATTRS_TO_GET" operation options values. (Please see 'notes' and also please see Attributes To Get )
LiveSync task that work with all object classes requires this parameter to contain values 'members' and 'memberOf'.

members, memberOf


Resource Examples

LiveSync Task Examples

  • LiveSync Task Sample

  • The liveSync task is processing both Groups and Subject object at the same time. That will prevent race condition types of conflicts when a new group is created and populated with users. In that case it’s important to process the group before the subjects (and their memberships).

  • The LiveSync task which synchronizes both object classes requires 'Include in ALL searches' configuration parameter contains values 'members' and 'memberOf'. See MID-8996 for details.


Connector requires PostgreSQL based intermediary database. Grouper might use arbitrary database engine.

Connector supports pagination and a 'max page size' configuration parameter. This will divide the query into multiple ones with outputs containing smaller number of rows (based on page size or the 'max page size' configuration parameter). There still can be the possibility of higher number of rows returned in case of an object having a large number of members or group memberships or a large number of auxiliary attributes.

With 'Exclude Objects marked as Deleted' set to true the rows marked as 'deleted' are handled as not present. In case of rows present in the 'main' object tables, the objects will be handled as deleted. In case of rows present in the membership or auxiliary attributes tables the lack of the row will mean a removal of parameter value.

The "Configuration discovery" operation among other functions will provide you with a list of possible names of auxiliary attributes which if selected will be incorporated in the attribute schema. This list of attributes can be changed in the resource configuration, after which the schema should be 'regenerated' ('refreshed').

The "members" and "member_of" ("virtual" attributes) are not retrieved by default, the attribute configuration in the IAM has to explicitly request these attributes. The same applies to attributes originating from other tables as the main ones (Tables referred to as the main tables: "gr_mp_subjects" and "gr_mp_groups"). To achieve this the mappings have to be augmented by the parameter "fetchStrategy" set to the value "explicit".

 <attribute xmlns:ri="">

Migration from legacy Grouper connector.

Following steps will guide you though migration from legacy Grouper Connector.

Following migration guide is based on the examples of InCommon midPoint and Grouper integration demo. You might need to attune it to your environment.
  1. Deploy the new Grouper connector and configure basic settings for the connector. Do not configure mappings of synchronization yet. Goal is to successfully test the resource and be able to list accounts and entitlements.

  2. Configure correlation for both accounts and entitlements (groups). Make sure the accounts are correlated to existing users and entitlements are correlated to corresponding objects (typically Org. units). You can verify the correlation configuration with Simulation. See also correlation scenario tutorial.

  3. Now you can add attributes mappings and synchronization configuration.

  4. Configure association including inbound mapping from association. Set the same subtype assignments as it was used in the legacy connector (typically "grouper-group")

  5. Stop synchronization tasks for the legacy Grouper resource. Typically that will be reconciliation and asynchronous update tasks.

  6. Remove mapping from user object template that was executing shadow query to create assignments of users to orgs that are representing groups. Also stop Group Scavenger task.

  7. Reconcile groups using the new Grouper resource. When the reconciliation tasks finishes reconcile users.

  8. Next steps is to remove assignments with grouper-group subtype that shouldn’t exist. Deploy cleanup mapping to the users object template. You will find it in examples section above. It will be applied later by recomputation of all users.

  9. Configure liveSync and periodic reconciliation for the new Grouper resource. Now the new resource is fully operational.

  10. Decommission the old Grouper resource and related settings. Remove reconciliation task, asynchronous update task, Grouper Scavenger task and functional library with functions for legacy Grouper connector. Remove all shadows for the old Grouper resource and remove the resource itself.

  11. Recompute all users. That will apply the user template mapping for cleaning up of grouper-group assignment and also it will clean up account links from users to the removed Grouper resource.

See Also

Example of midPoint and Grouper integration is available in InCommon TAP Workbench. You can see the resource configuration example there or find other related objects in the same repository.

Was this page helpful?
Thanks for your feedback