Grouper Working Group Notes of September 15, 2021
Attending
- Chris Hyzer, Penn, Chair
- Chad Redman, University of North Carolina Chapel Hill
- Vivek Sachdiva, independent
- Shilen Patel, Duke
- Emily Eisbruch, Internet2
Discussion
- Internet2 Intellectual Property Policy
- Approve minutes
- Review AIs: Grouper Project Action Items (Google Doc)
- Agenda bash
Next Grouper release
Plan to release Grouper 2.5 and 2.6 today.
Comments:
- Chris: Issue in Slack: someone was GrouperSystem, then could not find the attribute definition.
- Chad: There was an issue where someone did not have attributes created as they need to be.
- Liam needs an example of a flat group attribute with DN override. Chris will work on that and will look for another script.
- Chris is having Chrome 93 issues.
- Arizona issue
 - Over 100 headers
 - Will use a max of 200 headers
 - Put this fix in the container for Grouper 2.5 and 2.6
- In the next few weeks, do Grouper 2.6.1 and include more items the community is asking for.
Entitlement prefixes
- In provisioning there are validations, such as: is this attribute value valid?
 - Not using these validations yet
 - If the Grouper-side translation is not valid, the object is not provisioned
- Should have validation of target values
 - If the target value does not match, do not try to insert it
 - If a membership attribute value is not valid, treat it as if it does not exist
 - PSPNG has something similar
- Shilen: this approach makes sense for the entitlement use case
- Chris:
 - Suggests a check box saying Grouper validation should apply to Grouper and target
 - Don't want to make the screen too complex
 - Want to be flexible
 - Use two text fields
 - Question:
  - You mark a group as provisionable for an entitlement but the value provisioning is not good, so you reject it?
 - Response:
  - For example, Box has a required attribute on a group
  - When Grouper translates, it's not there, so you get an error
  - Put validations based on the target values
  - Then don't sync
  - For entitlements, if you don't have this prefix, Grouper will not track it or add, update or delete it
  - This feature says if the value looks like this, then Grouper should delete it
  - If you don't have existing values, you don't need this
  - But if you used PSPNG in the past, you may need this
  - It's for when Grouper is authoritative for things that match a certain pattern
- Need to iron out: flag for error handling
 - There is an error code in the sync object database table: success, exception, required field missing
 - Need a UI to show the success state and break out exceptions and validation problems
- GRP-3603: add provisioning target attribute value validation (e.g. for eduPersonEntitlement)
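As an added illustration of the rule discussed above (this is not Grouper's provisioner code and is not part of the original notes), the reconciliation for one multi-valued target attribute written in Go: the provisioner only inserts or deletes target values that match the pattern Grouper is authoritative for, drops Grouper-side values that fail validation instead of sending them to the target, and leaves values outside the prefix alone. The two regexes, the example.edu entitlement values, and the Plan/Reconcile/Demo names are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Plan is what the provisioner would push to the target for one multi-valued
// attribute such as eduPersonEntitlement.
type Plan struct {
	Insert  []string // in Grouper, valid, in the prefix, missing on the target
	Delete  []string // on the target, in the prefix, not in Grouper
	Keep    []string // already correct on the target
	Invalid []string // Grouper values that fail validation: treated as non-existent
	Ignored []string // values outside the prefix: neither tracked nor touched
}

// Constructed sample patterns; example.edu is a placeholder, not a real deployment.
// Authoritative is the "entitlement prefix" Grouper owns; Valid is what a
// translated value must look like before it is sent to the target.
var (
	Authoritative = regexp.MustCompile(`^urn:mace:example\.edu:entitlement:`)
	Valid         = regexp.MustCompile(`^urn:mace:[a-z0-9.-]+:entitlement:[a-z0-9:-]+$`)
)

// Reconcile computes the diff for one entity's multi-valued target attribute.
func Reconcile(authoritative, valid *regexp.Regexp, grouperValues, targetValues []string) Plan {
	var p Plan
	desired := map[string]bool{}
	for _, v := range grouperValues {
		switch {
		case !valid.MatchString(v):
			p.Invalid = append(p.Invalid, v) // never sent, so it cannot fail on the target
		case !authoritative.MatchString(v):
			p.Ignored = append(p.Ignored, v) // outside the prefix: not tracked at all
		default:
			desired[v] = true
		}
	}
	present := map[string]bool{}
	for _, v := range targetValues {
		if present[v] {
			continue // duplicate on the target
		}
		present[v] = true
		switch {
		case !authoritative.MatchString(v):
			p.Ignored = append(p.Ignored, v) // e.g. entitlements owned by another system
		case desired[v]:
			p.Keep = append(p.Keep, v)
		default:
			p.Delete = append(p.Delete, v) // Grouper is authoritative for this prefix
		}
	}
	for v := range desired {
		if !present[v] {
			p.Insert = append(p.Insert, v)
		}
	}
	for _, s := range [][]string{p.Insert, p.Delete, p.Keep, p.Invalid, p.Ignored} {
		sort.Strings(s) // deterministic output
	}
	return p
}

// Demo runs Reconcile on constructed Grouper-side and target-side values.
func Demo() Plan {
	grouper := []string{
		"urn:mace:example.edu:entitlement:library",
		"urn:mace:example.edu:entitlement:vpn",
		"urn:mace:example.edu:entitlement:Bad Value", // bad translation: fails validation
		"urn:mace:incommon:entitlement:common:1",     // not in the prefix: not tracked
	}
	target := []string{
		"urn:mace:example.edu:entitlement:library",
		"urn:mace:example.edu:entitlement:old-app", // stale value in the prefix: delete
		"urn:mace:incommon:entitlement:common:2",   // owned elsewhere: left alone
	}
	return Reconcile(Authoritative, Valid, grouper, target)
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The two patterns are deliberately separate, matching the two-text-field suggestion in the notes: the authoritative prefix decides what Grouper may delete, while the validation pattern decides what Grouper may insert, so a bad translation is dropped before it ever reaches the target instead of surfacing as a target-side error.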
Vivek - JWT RSA authentication
- Adding JWT RSA authentication to the web service from trusted authorities. See wiki here.
- There are two or more use cases for JWT:
 - JWTs for a single user to claim they are themselves, used for authentication (more complicated). This is not the use case we are addressing.
 - Trusted authorities create JWTs for arbitrary users; they register their public key with Grouper by uploading it. This is the use case being addressed.
- People want to call the Grouper web service from their own web app.
 - The caller sends the JWT in an authentication header to the Grouper web service.
 - Grouper must confirm it's a valid JWT, using the public key.
 - The user must match a subject Grouper is aware of (subject known to Grouper).
- The trusted authority registers its public key with Grouper (they upload it).
 - They send the JWT to a third party (such as a gateway).
 - That allows logging into Grouper.
 - Grouper validates that it is signed properly.
- This is RSA, public/private key.
 - Register a public key with Grouper.
 - Whoever holds the corresponding private key can sign JWTs, and those will be trusted.
- Grouper checks expiration at two levels:
 - Expiration date (the exp claim)
 - Issued-at time (the iat claim)
- Duke has an OAuth system that creates JWTs.
- Are there other JWT claims that could be validated here?
 - Could add validation on any claim.
- Suggestion to improve the documentation to say what -1 means ("never expire", or be limited only by the JWT expiration); zero means do not re-use.
- Will Grouper cache the JWTs? Will they never be reused?
 - It does cache some things, but it will look to see if expired.
 - If the JWT system has an expiration date of 3 years, set to zero, meaning don't reuse any JWTs.
 - What happens if I send it a second time?
 - Chris and Vivek will look at the JWT expiration date issue around caching.
- JIRA GRP-3617 https://todos.internet2.edu/projects/GRP/issues/GRP-3617?filter=allissues
- Vivek will set up unit tests for the JWT work.
- Can use with normal web service authentication: if it finds a JWT then it will handle that.
- For subject source ID, have a list of valid subject sources.
 - Like the provisioner UI, with check boxes; want a multi-select.
 - Subject ID type should be required.
- Is the public key as submitted encrypted in the database?
 - No; the config value type is password.
 - Decision: no need to protect the public side of a public/private key pair.
- Should public key registration be separate from the JWT config so the same certificate authority can be reused in multiple configuration sets?
 - Chad: Just use multiple copies; don't want another table with keys, too complex.
 - Chris: We have the concept of an external system.
 - Leave as is for now; Chad agrees.
- Implemented in config and web service in Grouper 2.6; for 2.6.1, a UI to configure it.
- Will Grouper issue private keys for subjects? (other use case)
 - There are users at tOSU who have asked for this.
 - Prioritize PKI authentication for the web service.
 - Service account built into Grouper.
 - There will be a concept of expiration.
 - For adding a new key, the minimum is 1.
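The trusted-authority flow described above, as an added Go example (this is not Grouper's implementation and is not from the notes): the authority signs a JWT with its RSA private key, and the verifying side pins alg to RS256, checks the signature with the registered public key before trusting any claim, then applies the two expiration checks (exp itself and the age measured from iat), the allowed-subject-source list, and a one-use replay cache modelled on the -1/zero setting discussed. The claim name subjectSourceId, the source ID "ldap", and the Verifier field names are assumptions for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims carried in the trusted-authority JWT; "subjectSourceId" is an assumed claim name.
type Claims struct {
	Sub      string `json:"sub"`
	SourceID string `json:"subjectSourceId"`
	Iat      int64  `json:"iat"`
	Exp      int64  `json:"exp"`
}

// Verifier is the Grouper side: one registered public key plus the validation policy.
type Verifier struct {
	Key            *rsa.PublicKey
	AllowedSources map[string]bool  // the multi-select of valid subject sources
	MaxAge         time.Duration    // 0 = bounded only by exp (the "-1" setting)
	AllowReuse     bool             // false = each JWT accepted once (the "0" setting)
	seen           map[string]int64 // signature -> exp, so stale entries can be evicted
}

var b64 = base64.RawURLEncoding

// NewDemoKey generates the trusted authority's RSA key pair (for the example only).
func NewDemoKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// SignJWT is the trusted authority's side: RS256 is PKCS#1 v1.5 over SHA-256.
func SignJWT(priv *rsa.PrivateKey, c Claims) (string, error) {
	body, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// Verify checks the signature before trusting any claim and pins alg to RS256,
// so a caller cannot downgrade to "none" or substitute an HMAC over the public key.
func (v *Verifier) Verify(token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return c, errors.New("unsupported alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return c, errors.New("bad signature encoding")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(v.Key, crypto.SHA256, h[:], sig) != nil {
		return c, errors.New("bad signature")
	}
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return c, errors.New("bad payload")
	}
	// Expiration is checked at two levels: exp itself, and the age measured from iat.
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return c, errors.New("token expired")
	}
	if c.Iat == 0 || c.Iat > now.Unix() || (v.MaxAge > 0 && now.Sub(time.Unix(c.Iat, 0)) > v.MaxAge) {
		return c, errors.New("iat missing, in the future, or older than max age")
	}
	if c.Sub == "" || !v.AllowedSources[c.SourceID] {
		return c, errors.New("subject source not allowed: " + c.SourceID)
	}
	if !v.AllowReuse { // one-use tokens: remember the signature until the token would expire anyway
		if v.seen == nil {
			v.seen = map[string]int64{}
		}
		if _, dup := v.seen[parts[2]]; dup {
			return c, errors.New("token already used")
		}
		v.seen[parts[2]] = c.Exp
	}
	return c, nil
}
```

The replay cache is keyed by signature and stores exp so that entries can be evicted once the token could no longer be accepted anyway; a long-lived authority token (the 3-year example in the notes) is exactly the case where the zero setting matters, since the signature check alone would accept it on every resend. Subject resolution against the source list happens last, after everything cryptographic has passed, so an unsigned or foreign-signed token never reaches the subject lookup.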
Chris: OIDC Authentication to Grouper Web Service
- Working on OIDC authentication to the Grouper Web Service. See wiki.
- Similar to JWTs.
- In v2.6.0+ we will add OIDC authn to WS:
 - Extracts the code from the authorization header
 - Calls the token endpoint with a POST and user/pass basic authn to retrieve the access token based on the code
 - Calls the userinfo endpoint to get the user attributes from the access token (no additional authn)
 - Resolves the subject from the configured userinfo claim
- Config only is available now; will make UI screens.
- OIDC is usable for user interactions.
 - Matt: Shibboleth could send an OIDC message to Grouper instead of a SAML message.
 - Grouper could decode the OIDC code.
 - Could do a redirect.
 - Support on the web services side and also the UI side.
 - Could use that on the front end as well, if the application is not protected with Shib.
 - If deploying to AWS, perhaps use OIDC instead of SAML.
 - Redirect back to the Grouper UI or login URI.
 - Grouper is doing some authentication.
 - External IdP concept.
 - Grouper could issue the OIDC credentials somehow.
 - Grouper not handling the OIDC code but handling remote user.
 - API method to handle the OIDC code...
- There is a Unicon authentication project related to this: PAC4J https://github.com/pac4j/pac4j
 - SAML authentication as an add-on to Grouper; don't need the Shib SP.
 - Could modify it to do OIDC as well as SAML.
 - Then don't need so much logic inside Grouper; put it in the authentication library.
- Shilen: Good to see direct OIDC integration, but PAC4J could handle this perhaps.
- Chris: PAC4J may have container configuration.
 - With this, Grouper has its own UI and config, and everything is consistent.
 - We are not supporting a zillion SAML flows.
- Shilen: if the UI can be configured to handle OIDC, then this is ideal.
- Matt: from the user perspective, agree, but this could be more complex than we hope.
- Chris: example at Penn, with the Shib OIDC implementation: it takes the token endpoint, does a POST with username and password and gets the result. Then you use that to get info.
 - The UI assumes you are doing remote user.
 - Something else in front won't let something pass in for Grouper to handle.
 - The Web Service uses a customized authentication implementation interface and can intercept.
 - Can't flip the order.
- Chris: value of external authentication: no network traffic gets to Grouper without passing through the Shib SP.
- Shilen: What is passed in the basic auth request?
 - Chris: For JWT: token in the authorization header (config ID, JWT); don't want to cycle through everything. Grouper looks up the public keys.
 - For OIDC: similar, except registration has one URL or multiple.
  - If only one, configure this in the OIDC configuration; then the caller does not need to worry about the redirect.
  - Can have multiple return-to URLs; then when you send the code and get the token you need the URL, so the call tells Grouper which URL they went back to.
- Can you pass in an OIDC access token?
 - Chris asked JJ that; it can be done. An access token can be swapped for user info.
 - Not a good place to start.
- What was the original use case for this work with the OIDC code?
 - JJ has a project for a client; not sure if access tokens or code. We implemented code.
 - There could be a use case for access tokens for web service authentication.
 - In config, allow access tokens true/false.
 - Instead of the userinfo endpoint, OIDC has an introspection endpoint. Not sure what the Shib IdP does.
 - Some implementations prefer the introspection endpoint over userinfo, depending on how access tokens are generated and who owns them; it might be a different OIDC client that owns it.
- AI: Chris will look at the introspection endpoint for OpenID Connect.
- Note: the user would have to know the config ID while generating the header on the client side.
- Chris has also been working on JIRAs.
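An added example of the two-call exchange described above for the authorization-code variant (this is not Grouper's code and is not from the notes), in Go: the web service swaps the code for an access token at the token endpoint, sending the client's credentials in HTTP Basic auth together with the redirect URI the caller actually returned to, then fetches userinfo with the bearer token and resolves the subject from a configured claim. A fake provider is built in with httptest so the example runs offline; the endpoint paths, client ID and secret, code, claim values and the OIDCConfig field names are all constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// OIDCConfig is what one web service OIDC config ID would hold (field names assumed).
type OIDCConfig struct {
	TokenEndpoint    string
	UserinfoEndpoint string
	ClientID         string
	ClientSecret     string
	RedirectURI      string // the return-to URL the caller actually used
	SubjectClaim     string // which userinfo claim resolves the Grouper subject
}

// ResolveSubjectFromCode performs the two calls: POST code -> access token at the
// token endpoint (client credentials via HTTP Basic), then GET userinfo with the
// bearer token and pick the configured claim.
func ResolveSubjectFromCode(cfg OIDCConfig, code string) (string, error) {
	form := url.Values{
		"grant_type":   {"authorization_code"},
		"code":         {code},
		"redirect_uri": {cfg.RedirectURI}, // must match what the code was issued for
	}
	req, _ := http.NewRequest(http.MethodPost, cfg.TokenEndpoint, strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(cfg.ClientID, cfg.ClientSecret)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token endpoint: %s", resp.Status)
	}
	var tok struct{ AccessToken string `json:"access_token"` }
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil || tok.AccessToken == "" {
		return "", errors.New("no access_token in token response")
	}
	ureq, _ := http.NewRequest(http.MethodGet, cfg.UserinfoEndpoint, nil)
	ureq.Header.Set("Authorization", "Bearer "+tok.AccessToken)
	uresp, err := http.DefaultClient.Do(ureq)
	if err != nil {
		return "", err
	}
	defer uresp.Body.Close()
	if uresp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("userinfo endpoint: %s", uresp.Status)
	}
	var claims map[string]any
	if err := json.NewDecoder(uresp.Body).Decode(&claims); err != nil {
		return "", err
	}
	sub, ok := claims[cfg.SubjectClaim].(string)
	if !ok || sub == "" {
		return "", fmt.Errorf("userinfo has no usable %q claim", cfg.SubjectClaim)
	}
	return sub, nil
}

// NewFakeProvider is a constructed stand-in for the OP so the example runs offline.
// It knows one client, one code bound to one redirect URI, and one access token.
func NewFakeProvider(clientID, clientSecret, code, redirectURI string) *httptest.Server {
	const accessToken = "at-constructed-0001"
	mux := http.NewServeMux()
	mux.HandleFunc("/token", func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		if !ok || id != clientID || secret != clientSecret {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		if r.FormValue("grant_type") != "authorization_code" || r.FormValue("code") != code ||
			r.FormValue("redirect_uri") != redirectURI {
			w.WriteHeader(http.StatusBadRequest)
			return
		}
		json.NewEncoder(w).Encode(map[string]string{"access_token": accessToken, "token_type": "Bearer"})
	})
	mux.HandleFunc("/userinfo", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+accessToken {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		json.NewEncoder(w).Encode(map[string]string{"sub": "opaque-op-id", "eppn": "jsmith@example.edu"})
	})
	return httptest.NewServer(mux)
}

func main() {
	const redirect = "https://grouper.example.edu/grouper-ws/oidc"
	srv := NewFakeProvider("grouper-ws", "client-secret", "code-abc", redirect)
	defer srv.Close()
	cfg := OIDCConfig{TokenEndpoint: srv.URL + "/token", UserinfoEndpoint: srv.URL + "/userinfo",
		ClientID: "grouper-ws", ClientSecret: "client-secret", RedirectURI: redirect, SubjectClaim: "eppn"}
	fmt.Println(ResolveSubjectFromCode(cfg, "code-abc"))
}
```

The redirect_uri parameter is the reason the caller has to tell Grouper which return-to URL it used when several are registered: the token endpoint rejects a code presented with a different redirect URI, so the exchange fails rather than issuing a token for a code that was bound elsewhere. The access-token variant and the introspection endpoint discussed above are not shown here.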
Shilen:
- Fixed some tests
- Will Slack with Chris about provisioning work
- Done with load testing
Plan for provisioning
- Over the next 3-6 months we need to find production provisioners and migrate them
- There may be about 12: Azure, LDAP, Duo, Box, etc.
Chad:
- Working on upcoming Grouper training, September 28 – October 1
- Created JIRAs
 - https://todos.internet2.edu/browse/GRP-3608
  - The audit table is so large that the ability to use the "more actions" menu would be helpful
  - There is only a time filter; can't filter on action types
 - Replace members
Export issue
- There was discussion on Slack around XML export
- Should we deprecate that older approach?
- Chad: there is value if you want a copy of the database
Jira Management
- Is there a standard process before releasing 2.6? Do we do something with 2.5 JIRAs?
 - Review and say we are not going to fix?
 - There may be 10-year-old JIRAs that should be killed
 - Engage the community and ask people to vote?
Issue Roundup
Jiras in past two weeks
- GRP-3611: add trusted JWT authn to WS
- GRP-3610: add oidc WS authn
- GRP-3609: add oidc jars to grouper api
- GRP-3608: Add audit entry of specific subject in group members tab
- GRP-3607: subject not found in rule will cause exception
- GRP-3606: make rules invalid if subjects not found
- GRP-3605: allow entitlements to translate group attributes without select or insert
- GRP-3604: provisioning npe
- GRP-3603: add provisioning target attribute value validation (e.g. for eduPersonEntitlement)
- GRP-3602: provisioning wizard delete if deleted by grouper should hide if delete if not exist in grouper
- GRP-3601: change default of grouper.client.properties grouperClient.saveFailoverStateEverySeconds to -1
- GRP-3600: trusted JWT for web service
- GRP-3599: provisioning UI "insert" was showing incorrect values
- GRP-3598: implement provisioning framework delete types on various object types
- GRP-3597: Group.replaceMembers tries to delete effective memberships, throws error
- GRP-3596: UI attributeName owners filtering should support filtering on the values that are assigned
- GRP-3595: improve daily report defaults
- GRP-3594: UI filter features should not clear as frequently as they do
- GRP-3593: Ability to do adds first during a loader job (rather than deletes)
- GRP-3592: GrouperProvisioningAttributeNames missing methods to retrieve provisioningMetadataJson and provisioningOwnerStemId
- GRP-3591: config file npe
- GRP-3590: default for provisioning ldap userSearchFilter throws error and needs docs
- GRP-3589: default for provisioning ldap userSearchAllFilter
- GRP-3588: default for provisioning ldap groupSearchAllFilter
- GRP-3587: incremental entity attribute job gives error retrieving memberships
- GRP-3586: incremental user attributes job gives error, cannot automatically search for entities
- GRP-3585: usdu failing on same subject identifier on unresolvable subjects
- GRP-3584: membership provisioning screen says "in target no" when it is in target
- GRP-3583: memberships insert on ui does not report correctly that grouper inserted membership
- GRP-3582: full sync on group attribute daemon finds updates on all groups, should be no change
- GRP-3581: the setting when assigning if provisionable for "policy groups only" should be a boolean control (radio or drop down)
- GRP-3580: deprovisioning full and incremental daemon should propagate attributes to attributes
- GRP-3579: only show delete types if other types are false
- GRP-3578: ensure "delete level" works correctly for provisioning framework for groups / entities / memberships
- GRP-3577: option to send error message to WS client if stacks are not sent
- GRP-3576: error with database migration utility
Grouper User list Emails in past two weeks
none
Grouper wiki updates in past two weeks
- OIDC authentication to Grouper Web Service
- Grouper LDAP provisioner in v2.5 demo5 entityAttributes with group name and translation from scratch
- JWT RSA authentication to Grouper Web Service from trusted authority
- Point in Time Auditing, edited by Scott C
- v2.5 Release Notes
- Grouper v2.5 container unit tests
- Grouper LDAP provisioner in v2.5
- Grouper LDAP provisioner in v2.5 demo4 entityAttributes with group dn
- Grouper LDAP provisioner in v2.5 demo3 groupAttributes bushy subjectId
- How to Setup a Grouper Development Environment for Grouper v2.5
- Grouper Product Roadmap
- Grouper automatically fix attribute corruption
- v2.5 Upgrade Instructions from v2.5
- Penn v2.5 container example
Next Grouper Call: Wed Sept. 29, 2021