Every organization is different, but they can often find a bit of common ground in the challenges they face, and the methods they use to overcome them. Much like the need for a Human Resources department or Facility Services, there is an organizational need for robust Identity and Access Management (IAM). In an effort to help address these needs, InCommon was developed by the Internet2 community. InCommon develops, supports, and packages a group of Open Source software solutions that can be used together, or separately, to address Identity and Access Management needs. This collection of software is called the InCommon Trusted Access Platform (ITAP). We’ll look at two of these software products to better understand how they can help your organization, how they can operate separately, and how they can complement each other.
The InCommon Trusted Access Platform: What are midPoint and Grouper, and what are their strengths?
midPoint
midPoint is an Identity Management (IdM) and Identity Governance and Administration (IGA) tool developed and supported by Evolveum. Although midPoint is a commercially developed product, it is released under an open source license allowing it to be included in the Internet2 ITAP bundle. Many organizations have found that while midPoint is free to use under an open source license, they benefit greatly by having a vendor such as Unicon assist them in implementing this tool. Based on industry needs, midPoint and other Identity and Access Management tools have been built to provide not just user synchronization and management of access controls, but auditing and attestation capabilities as well. This allows these IAM tools to expand and become effective tools for Identity Governance.
At its core, midPoint is a synchronization engine that lets your identity data flow from your primary sources (SIS, HR/EDP, CRM, etc.) to your identity targets (Active Directory, LDAP, application databases, etc.). Beyond that, midPoint can implement your business logic around roles and group memberships, providing the elusive “single pane of glass”: not only what attributes a user has and which groups they belong to, but, more importantly, why the user has those attributes and memberships and when they were gained or lost.
The latest version of midPoint, as of this article, adds capabilities for role mining and other IGA features. midPoint also has built-in features such as a self-service portal, certification (also known as attestation) campaigns, and simulations that allow your IAM team to predict how changes to settings or policies will affect users before making sweeping changes.
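The source-to-target flow, the “why and when” record, and the dry-run simulation described above, as an added illustration that is not midPoint’s own code (midPoint expresses its mappings in XML and Groovy and keeps its own audit trail). The HR records, LDAP entries, naming rule and role names below are constructed for the example:

```python
"""Toy synchronization engine: source of record -> mappings -> target, with
every change carrying the reason it was made and the time it was applied.
Added example, not midPoint code; all data and mapping rules are constructed."""
from copy import deepcopy
from datetime import datetime, timezone

# Constructed source of record (HR) and target (LDAP) snapshots.
HR = {
    "1001": {"first": "Ada", "last": "Lovelace", "dept": "ENG", "status": "active"},
    "1002": {"first": "Grace", "last": "Hopper", "dept": "CS", "status": "terminated"},
    "1003": {"first": "Alan", "last": "Turing", "dept": "CS", "status": "active"},
}
LDAP = {
    "alovelace": {"cn": "Ada Lovelace", "ou": "ENG", "memberOf": {"all-staff"}},
    "ghopper": {"cn": "Grace Hopper", "ou": "CS", "memberOf": {"all-staff", "cs-dept"}},
}


def uid_for(rec):
    """Constructed naming rule: first initial + last name, lowercased."""
    return (rec["first"][0] + rec["last"]).lower()


def desired_state(hr):
    """Outbound mappings from HR. Every desired value carries the reason it
    exists; that is what later answers 'why does this user have X'."""
    desired = {}
    for emp_id, rec in hr.items():
        if rec["status"] != "active":
            continue  # no account is desired for people who are not active
        src = f"HR record {emp_id}"
        desired[uid_for(rec)] = {
            "attrs": {
                "cn": (f"{rec['first']} {rec['last']}", f"mapping first+last from {src}"),
                "ou": (rec["dept"], f"mapping dept from {src}"),
            },
            "groups": {
                "all-staff": f"role Employee induced by status=active in {src}",
                f"{rec['dept'].lower()}-dept": f"role {rec['dept']}-Department induced by dept in {src}",
            },
        }
    return desired


def plan(desired, target):
    """Reconcile desired vs. actual target state and return the operations
    WITHOUT applying them. Reviewing this list is the simulation step."""
    ops = []
    for uid, want in desired.items():
        have = target.get(uid)
        if have is None:
            ops.append(("create", uid, None, None, f"no target account for desired identity {uid}"))
            have = {"memberOf": set()}
        for attr, (value, why) in want["attrs"].items():
            if have.get(attr) != value:
                ops.append(("set", uid, attr, value, why))
        for group, why in want["groups"].items():
            if group not in have["memberOf"]:
                ops.append(("add_member", uid, "memberOf", group, why))
        for group in have["memberOf"] - set(want["groups"]):
            ops.append(("remove_member", uid, "memberOf", group, f"no role grants {group} to {uid}"))
    for uid in target.keys() - desired.keys():
        if not target[uid].get("disabled"):
            ops.append(("disable", uid, None, None, "no active source record maps to this account"))
    return ops


def apply(ops, target, now=None):
    """Apply planned operations to a copy of the target; return (new_target, audit)."""
    now = now or datetime.now(timezone.utc).isoformat(timespec="seconds")
    new, audit = deepcopy(target), []
    for op, uid, attr, value, why in ops:
        if op == "create":
            new[uid] = {"memberOf": set()}
        elif op == "set":
            new[uid][attr] = value
        elif op == "add_member":
            new[uid]["memberOf"].add(value)
        elif op == "remove_member":
            new[uid]["memberOf"].discard(value)
        elif op == "disable":
            new[uid]["disabled"] = True
        audit.append({"when": now, "op": op, "uid": uid, "attr": attr, "value": value, "why": why})
    return new, audit


def explain(audit, uid, value):
    """Answer 'why and when did uid get value' from the audit trail."""
    return [(e["when"], e["op"], e["why"]) for e in audit if e["uid"] == uid and e["value"] == value]


if __name__ == "__main__":
    ops = plan(desired_state(HR), LDAP)          # simulate first ...
    for op in ops:
        print(op)
    new_ldap, audit = apply(ops, LDAP)          # ... then apply
    print(explain(audit, "alovelace", "eng-dept"))
```

Running the plan a second time against the new target returns no operations, which is the convergence property a reconciliation engine should have; the audit list is the “why and when” view the article refers to.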
Grouper
Developed by InCommon and the higher ed community, Grouper uses information about accounts, groups, attributes, and permissions to streamline collaboration and make controlled-access policy management faster and easier. Out of the box, Grouper can connect to various external systems, such as databases, LDAP, or Active Directory. Usually, one external system is considered to be the source of identities, but multiple sources can be configured if needed. Basis groups are created from identity information such as affiliation, course enrollment, graduation status, etc., and reference groups can be constructed from various combinations of basis groups. Natural language policies can then be implemented as logical combinations of the basis and reference groups. A policy like “give all undergraduate students with an engineering major access to the engineering computer lab access group” can be implemented in a straightforward, logical manner. The policies can drive provisioning events, pushing entitlements and group memberships out to external systems.
Grouper also offers group attestation, as well as fine-grained access control, and manual or ad hoc group management. Access to Grouper can be set up to allow service owners to maintain their configurations only while restricting other access. Because Grouper offers delegated access to access policy management, members of the IdM team can spend more time focusing on identities and associated data, and less time implementing the specific policy needs of disparate departments across campus.
Where do the feature sets of midPoint and Grouper overlap? Where do they differ?
Both midPoint and Grouper allow for group management. However, Grouper is built entirely with group management in mind. While most features of Grouper could be implemented in midPoint, many would take a lot of custom Groovy or XML coding. midPoint allows for the creation of roles that can be assigned to user accounts, and these roles can be configured to write group membership out to external systems. This may meet the simpler group needs of many organizations without custom code. Grouper, however, allows for the logical construction of composite groups, which can represent more complex grouping scenarios. Composite groups are built from the union, intersection, or complement (subtraction) of two sub-groups. Grouper strives to allow a natural language approach to defining group membership policies. An example of a more complex group could be a group in LDAP that controls access to an institutional VPN. In this instance, Grouper can allow you to create a group that combines every student enrolled in a class, as well as instructors and support staff, and exclude a group of accounts that the security team has manually identified as having had their credentials compromised.
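Both policies above (the engineering lab policy and the VPN policy) as basis, reference and composite groups, written out as an added example rather than Grouper’s own code: Grouper stores these definitions in its registry and evaluates them itself, whereas this is a small set-algebra stand-in. The subject records, the “ENG101” course, the group names and the security team’s manually maintained group are all constructed for the example.

```python
"""Set-algebra model of Grouper-style basis, reference and composite groups.
Added example, not Grouper code; subjects, groups and policies are constructed."""
from typing import Callable

# Constructed source of identities: subject id -> attributes.
SUBJECTS = {
    "s1001": {"level": "undergrad", "major": "engineering", "courses": {"ENG101"}},
    "s1002": {"level": "undergrad", "major": "history", "courses": {"ENG101"}},
    "s1003": {"level": "grad", "major": "engineering", "courses": set()},
    "e2001": {"role": "instructor", "courses": {"ENG101"}},
    "e2002": {"role": "support", "courses": set()},
}


class GroupRegistry:
    """Groups resolve lazily, so a composite always reflects the current
    membership of the groups it is built from."""

    # A composite has exactly two operands (left, right) and one operator.
    _OPS = {
        "union": lambda left, right: left | right,
        "intersection": lambda left, right: left & right,
        "complement": lambda left, right: left - right,  # left minus right
    }

    def __init__(self, subjects):
        self._subjects = subjects
        self._groups = {}

    def basis(self, name, predicate: Callable[[dict], bool]):
        """Basis group: membership derived from identity attributes."""
        self._groups[name] = lambda: frozenset(
            sid for sid, attrs in self._subjects.items() if predicate(attrs))

    def manual(self, name, subject_ids):
        """Ad hoc group maintained by hand, e.g. by a service owner or the security team."""
        self._groups[name] = lambda: frozenset(subject_ids)

    def composite(self, name, op, left, right):
        """Composite (or reference) group built from two existing groups."""
        fn = self._OPS[op]
        self._groups[name] = lambda: fn(self.members(left), self.members(right))

    def members(self, name):
        return self._groups[name]()


def build_policies(reg):
    # Basis groups from identity data
    reg.basis("basis:undergrad", lambda a: a.get("level") == "undergrad")
    reg.basis("basis:major_engineering", lambda a: a.get("major") == "engineering")
    reg.basis("basis:enrolled_ENG101", lambda a: "ENG101" in a.get("courses", set()))
    reg.basis("basis:instructors", lambda a: a.get("role") == "instructor")
    reg.basis("basis:support_staff", lambda a: a.get("role") == "support")
    # Maintained manually by the security team (constructed membership)
    reg.manual("security:compromised_credentials", {"s1002"})

    # Policy 1: "all undergraduate students with an engineering major get the
    # engineering computer lab access group"
    reg.composite("app:eng_lab:access", "intersection",
                  "basis:undergrad", "basis:major_engineering")

    # Policy 2: "(everyone enrolled in ENG101, plus instructors, plus support
    # staff) minus accounts flagged as compromised" -> VPN access. Because a
    # composite takes two operands, the three-way union is chained through
    # reference groups before the final subtraction.
    reg.composite("ref:ENG101_people", "union",
                  "basis:enrolled_ENG101", "basis:instructors")
    reg.composite("ref:ENG101_community", "union",
                  "ref:ENG101_people", "basis:support_staff")
    reg.composite("app:vpn:access", "complement",
                  "ref:ENG101_community", "security:compromised_credentials")
    return reg


def provisioning_changes(desired, current):
    """What a provisioner would push to the target: (members to add, members to remove)."""
    desired, current = frozenset(desired), frozenset(current)
    return desired - current, current - desired


if __name__ == "__main__":
    reg = build_policies(GroupRegistry(SUBJECTS))
    print("eng lab:", sorted(reg.members("app:eng_lab:access")))
    print("vpn:", sorted(reg.members("app:vpn:access")))
    # Constructed current LDAP membership: a stale member and two missing ones
    print("ldap diff:", provisioning_changes(reg.members("app:vpn:access"), {"s1002", "e2001"}))
```

Because the security team’s manual group is evaluated at resolution time, adding an account to it removes that account from the VPN group on the next provisioning run without touching any policy definition.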
midPoint and Grouper both allow identity data to be loaded from systems of record and pushed out to downstream data stores or service applications. However, with Grouper’s focus on group management, its implementations tend to load only the data needed for the various group management scenarios, and its downstream provisioners focus on group memberships. While it can push generic attributes, it is not typically used that way. Meanwhile, midPoint is intended to track and manage any and all data associated with identities, creating a complete and authoritative view. Its downstream provisioners are routinely built around conveying all known or needed data elements.
Why would an organization choose one over the other?
Various organizations have started their journey with one or the other of the ITAP products. Grouper has been part of the InCommon / Internet2 suite of ITAP applications for many years, and some organizations may have a rich implementation of Grouper in place with a set of scripts or commercial products filling the gaps in their IAM needs, and have not realized a need for midPoint. Others may have used other identity synchronization products and migrated to midPoint, and have similarly not yet seen a need to add Grouper to their environment. Grouper is typically used as an add-on to an existing IdM solution, whether that solution is midPoint, a commercial product, or a home-built collection of scripts. midPoint can be a great option for replacing a set of in-house or home-built scripts that manage IdM and IGA.
If your organization is starting from scratch, analyzing the capabilities of both applications to see where they fit into your organization is a key first step. The questions that you may need to ask yourself revolve around what your needs may be.
Do you have tools in place managing identity synchronization, but need to enhance your ability to manage complex groups and permissions across multiple disparate systems? In that case, you may decide that Grouper would be a great fit for your organization.
Do you have basic group management well in hand, but need to enhance your identity synchronization, user onboarding, and Identity Governance? In that case, you may decide that midPoint would be a great fit instead.
Why not both?
If the answer to the above questions is “but we need both!” then implementing both midPoint and Grouper is the way to go. Perhaps you have some older home-grown identity tooling that needs modernization as well as an urgent need to increase your capabilities around group and access management. midPoint and Grouper can work in conjunction with one another, combining their capabilities where they make sense to provide a full-fledged IAM architecture covering the entire landscape of identity synchronization, access/groups management, and governance.
The identity management capabilities provided by the InCommon Trusted Access Platform, like midPoint and Grouper, can help organizations improve compliance, security, and efficiency. If you would like to learn more about implementing these open source identity tools, Unicon offers consulting, support, and hosting services that can help. Please send us a note or give us a call to discuss your identity needs with our identity management specialists, and take advantage of their experience implementing midPoint, Grouper, and other InCommon Trusted Access Platform software at numerous higher education institutions. Unicon can help you architect the best identity infrastructure to meet your governance, security, and compliance goals.
Mark McCoy, Software Architect for Unicon, also contributed to this article.

Mark McCoy
Senior Software Engineer
Mark McCoy is a Senior Software Developer focused on Identity and Access Management at Unicon. He has a broad skill set across multiple disciplines, and at Unicon Mark focuses on Single Sign-On and Identity Management in the higher education space. Before joining Unicon in 2023, Mark spent 18 years working in IAM at the University of Texas at San Antonio. At UTSA, he led a team focused on Identity, Cloud Collaboration, Web Services, and DNS/DHCP Infrastructure.
 
Jim Beard
Identity and Access Management Senior Software Developer
Jim Beard is an Identity and Access Management Senior Software Developer at Unicon. Before starting at Unicon in August 2023, Jim built a lengthy background in Java web application development and enterprise services at higher ed institutions. He has worked extensively with open source software and open standards throughout his career. Currently, he focuses on Grouper, an open source groups and access policy management tool that is part of the InCommon® Trusted Access Platform. Mr. Beard has worked with institutions such as Boston University, the University of Hawaii, and West Chester University to help them meet their Grouper needs.