This repository has been archived by the owner on Jul 11, 2018. It is now read-only.

Configuring External Group Providers

Remold edited this page Jul 24, 2015 · 1 revision

Introduction

This page contains more information about configuring External Group Providers (EGPs). They are configured through "manage", available at https://manage.demo.openconext.nl.

To add a new EGP, select "Group Providers" in the left-hand menu. This will show a list of the currently configured EGPs.

Basic configuration

Select "Add a new Group Provider" to start adding a new Group Provider.

First, provide values for Identifier, Name, Logo and Type as follows:

| Parameter | Description |
|---|---|
| Identifier | An internal identifier for this Group Provider |
| Name | A user-friendly name for this Group Provider |
| Logo | A URL to a logo for this Group Provider |
| Type | The type of API the Group Provider will use. Currently supported APIs are Grouper (Internet2 Group SOAP API) and OpenSocial/VOOT (OpenSocial Person and Group API) |

Now press "save" to progress to the advanced configuration.

Connection and Authentication

The OpenConext platform will perform a live query (PULL) to the Group Provider when required. It will therefore act as a client from the perspective of the Group Provider.

To authenticate, Basic Authentication and OAuth authentication are supported.

Basic Authentication

Basic Authentication is authentication using a username and password over HTTPS.

The URL field contains the "root" URL that will receive the group calls. So for https://frkosp.wind.surfnet.nl/php-voot the call to retrieve the groups of a user will look like this: https://frkosp.wind.surfnet.nl/php-voot/groups/fkooman, where fkooman is the value of the uid SAML attribute. When adding a new provider do not forget to specify the OpenSocial type.

Filtering and ID mapping

These are the sane defaults that SHOULD be the same for all EGPs. Don't forget to replace frkosp.wind.surfnet.nl with the schacHomeOrganization of the institute providing the external groups.

The "precondition" determines who gets to "see" the external group provider. Typically this is a filter based on the schacHomeOrganization of the EGP if the groups are only available for users from that particular institute. If left blank it will be available for all users of OpenConext.

The rule for altering the Group Provider Group IN is applied when the Group **ENTERS** the EGP and the rule for altering the Group Provider Group OUT is applied when the Group **LEAVES** the EGP.
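The PULL flow from the two sections above (root URL plus `/groups/<uid>`, Basic Authentication, the schacHomeOrganization precondition, and the IN/OUT group ID rules) as an added, self-contained example. This is illustration code, not OpenConext's own implementation: the host `egp.example.org`, the identifier, the credentials and the regex-based syntax of the IN/OUT rules are assumptions made here, and the HTTP call is replaced by a constructed `fake_fetch` so the example runs offline. The one check worth noting is that the uid is a user-controlled attribute value and is percent-encoded before it is placed into the path of the provider URL.

```python
import base64
import re
from urllib.parse import quote

# Constructed EGP configuration. The field names mirror the wiki page; the host,
# identifier and the regex-based IN/OUT rule syntax are assumptions of this example.
EGP_CONFIG = {
    "identifier": "example-egp",
    "name": "Example institute groups",
    "type": "OpenSocial/VOOT",
    "url": "https://egp.example.org/php-voot",
    # Precondition: only users with this schacHomeOrganization "see" the EGP.
    "precondition": {"schacHomeOrganization": "example.org"},
    # Applied when a group ID ENTERS OpenConext from the provider.
    "group_in": (r"^(.*)$", r"urn:example:egp:\1"),
    # Applied when a group ID LEAVES OpenConext towards the provider.
    "group_out": (r"^urn:example:egp:(.*)$", r"\1"),
}


def precondition_holds(config, attributes):
    """True when the user may see this EGP. An empty precondition matches everyone.
    SAML attributes are multi-valued, so each attribute is a list of strings."""
    for attr, expected in (config.get("precondition") or {}).items():
        if expected not in attributes.get(attr, []):
            return False
    return True


def groups_url(config, uid):
    """Build <root URL>/groups/<uid>. The uid is a user-controlled SAML attribute,
    so it is percent-encoded (safe="") to keep it inside a single path segment."""
    return f"{config['url'].rstrip('/')}/groups/{quote(uid, safe='')}"


def basic_auth_header(username, password):
    """Basic Authentication only base64-encodes the credentials; it is safe solely over HTTPS."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def map_group_in(config, provider_group_id):
    """Rewrite a provider group ID into the internal form (group ENTERS the EGP)."""
    pattern, replacement = config["group_in"]
    return re.sub(pattern, replacement, provider_group_id)


def map_group_out(config, internal_group_id):
    """Rewrite an internal group ID back into the provider's form (group LEAVES the EGP)."""
    pattern, replacement = config["group_out"]
    return re.sub(pattern, replacement, internal_group_id)


def resolve_groups(config, attributes, fetch):
    """The PULL flow: precondition check, live query to the provider via fetch(url, headers)
    (injected so this runs offline), then the IN mapping on every returned group ID."""
    if not precondition_holds(config, attributes):
        return []
    uid = attributes["uid"][0]
    headers = basic_auth_header("openconext", "constructed-password")  # constructed credentials
    return [map_group_in(config, g) for g in fetch(groups_url(config, uid), headers)]


def fake_fetch(url, headers):
    """Constructed stand-in for the HTTP client; returns canned VOOT-style group IDs."""
    assert headers["Authorization"].startswith("Basic ")
    canned = {"https://egp.example.org/php-voot/groups/fkooman": ["admins", "students"]}
    return canned.get(url, [])


if __name__ == "__main__":
    user = {"uid": ["fkooman"], "schacHomeOrganization": ["example.org"]}
    print(resolve_groups(EGP_CONFIG, user, fake_fetch))
```

With an empty precondition every OpenConext user reaches `fetch`, which is exactly the "available for all users" case described above; the `group_out` rule is the inverse of `group_in`, so a group ID survives a round trip unchanged.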

Three-legged OAuth (DEPRECATED)

DON'T USE THIS

The authentication is either basic HTTP or three-legged OAuth. Basic authentication is the preferred option (see previous section) for institutions like HZ and Avans, because of the consent overkill otherwise. In OpenConext Teams we support both options, as we of course do in the API and OS (e.g. Engine).

The consumer key and secret (used when no public/private key pair is configured), which are negotiated out-of-band.

The callback URL, which is provided to the EGP when initiating the user authorization. Note that the last part (e.g. hz) must be the identifier of the Group Provider.

The site URL. This is optional, as we explicitly configure the request token, access token and authorize URLs (see http://framework.zend.com/manual/en/zend.oauth.introduction.html).

The HTTP method used for connecting.

The signature method algorithm. When HMAC-SHA1 is chosen, the key and secret must be provided. If RSA-SHA1 is chosen, the public and private key must be configured. Which one applies depends on the implementation of the Group Provider.

OAuth has several options for where to place the request parameters (like the key, secret, signed body, etc.). The choice depends on the implementation of the client (e.g. the Group Provider). HZ expects the data to be appended to the URL (hence we use GET as the HTTP method), so we have chosen QUERYSTRING. When configuring external Group Providers based on OAuth OpenSocial, please check with the provider what they expect.

The timeout of the actual HTTP connection.

The public and private key, for when the OAuth implementation of the Group Provider requires RSA-SHA1.
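To make the HMAC-SHA1 and QUERYSTRING choices above concrete, here is an added example (not OpenConext or Zend code) of OAuth 1.0 request signing as specified in RFC 5849, with the signing side appending the `oauth_*` parameters to the URL of a GET request and the Group Provider side recomputing and checking the signature. The URL, consumer key, token and secrets are constructed values; RSA-SHA1 is left out because the standard library has no RSA primitive, and the verification side shows why the timestamp and nonce have to be checked in addition to the signature.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlencode, urlsplit


def _enc(value):
    """RFC 5849 3.6 percent-encoding: only ALPHA / DIGIT / "-" / "." / "_" / "~" stay as-is."""
    return quote(str(value), safe="~")


def _base_url(url):
    """scheme://host[:port]/path with lowercase scheme and host and the default port dropped."""
    parts = urlsplit(url)
    default = {"http": 80, "https": 443}.get(parts.scheme.lower())
    host = parts.hostname.lower()
    if parts.port is not None and parts.port != default:
        host = f"{host}:{parts.port}"
    return f"{parts.scheme.lower()}://{host}{parts.path}"


def signature_base_string(method, url, oauth_params):
    """RFC 5849 3.4.1: METHOD & enc(base URL) & enc(sorted, encoded parameters)."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    protocol = [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    pairs = sorted((_enc(k), _enc(v)) for k, v in query + protocol)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(_base_url(url)), _enc(normalized)])


def hmac_sha1_signature(method, url, oauth_params, consumer_secret, token_secret=""):
    """HMAC-SHA1 signature; the key is enc(consumer secret) & enc(token secret)."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, oauth_params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def sign_querystring(method, url, consumer_key, consumer_secret, token, token_secret,
                     nonce=None, timestamp=None):
    """Client side with QUERYSTRING placement: the oauth_* parameters and the signature
    are appended to the URL, which is why such a request is sent as a GET."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    separator = "&" if urlsplit(url).query else "?"
    return url + separator + urlencode(params, safe="~", quote_via=quote)


def verify_querystring(method, signed_url, consumer_secret, token_secret, seen_nonces, now, max_skew=300):
    """Provider side: split the oauth_* parameters off the query, recompute the signature over
    the remaining request, compare in constant time, then reject stale or replayed nonces."""
    parts = urlsplit(signed_url)
    received = parse_qsl(parts.query, keep_blank_values=True)
    oauth = {k: v for k, v in received if k.startswith("oauth_")}
    presented = oauth.pop("oauth_signature", "")
    plain = urlencode([(k, v) for k, v in received if not k.startswith("oauth_")], safe="~", quote_via=quote)
    bare_url = f"{parts.scheme}://{parts.netloc}{parts.path}" + (f"?{plain}" if plain else "")
    expected = hmac_sha1_signature(method, bare_url, oauth, consumer_secret, token_secret)
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False
    timestamp, nonce = oauth.get("oauth_timestamp", ""), oauth.get("oauth_nonce")
    if not timestamp.isdigit() or abs(now - int(timestamp)) > max_skew:
        return False
    if not nonce or nonce in seen_nonces:
        return False
    seen_nonces.add(nonce)
    return True


if __name__ == "__main__":
    # Constructed values: URL, key, token and secrets are not real credentials.
    signed = sign_querystring("GET", "https://egp.example.org/voot/groups/fkooman?foo=bar",
                              "key1", "secret1", "tok1", "toksecret1")
    print(signed)
    print(verify_querystring("GET", signed, "secret1", "toksecret1", set(), int(time.time())))
```

A signature check alone does not stop a captured URL from being resent; the nonce set and the timestamp window are what turn a valid signature into a single-use one, which is why the verifier rejects the same signed URL the second time it sees it.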