Unicon/office365-and-azure-ad-grouper-provisioner

Name: office365-and-azure-ad-grouper-provisioner

Owner: Unicon, Inc.

Description: This project is an Internet2 Grouper connector (full sync and changelog consumer) that synchronizes Grouper groups and users to Microsoft Azure Active Directory/Office 365.

Created: 2016-01-15 23:02:47.0

Updated: 2017-12-22 15:43:02.0

Pushed: 2017-09-06 14:58:07.0

Homepage: null

Size: 6802

Language: Java

GitHub Committers

User	Most Recent Commit	# Commits

Other Committers

User	Email	Most Recent Commit	# Commits

README

office365-and-azure-ad-grouper-provisioner

This project is an Internet2 Grouper connector (full sync and changelog consumer) that synchronizes Grouper groups and users to Microsoft Azure Active Directory/Office 365.

Note that this currently only supports security groups. Support for other group types is planned.

Running

1. build

   adlew clean distZip
   

2. copy contents of file to grouper home

   p build/distributions/office-365-azure-ad-grouper-provisioner-1.0.0.zip -d /tmp
   tmp/office-365-azure-ad-grouper-provisioner-1.0.0/*.jar /opt/grouper.apiBinary-2.3.0/lib/custom
   

3. Set up stem for provisioning and ID attribute

   perSession grouperSession = GrouperSession.startRootSession();
   ibuteDef provisioningMarkerAttributeDef = new AttributeDefSave(grouperSession).assignCreateParentStemsIfNotExist(true).assignName("etc:attribute:office365:o365SyncDef").assignToStem(true).assignToGroup(true).save();
   ibuteDefName provisioningMarkerAttributeName = new AttributeDefNameSave(grouperSession, provisioningMarkerAttributeDef).assignName("etc:attribute:office365:o365Sync").save();
   
   Stem = addStem("", "test", "test");
   Stem.getAttributeDelegate().assignAttribute(provisioningMarkerAttributeName);
   
   ibuteDef o365Id = new AttributeDefSave(grouperSession).assignCreateParentStemsIfNotExist(true).assignName("etc:attribute:office365:o365IdDef").assignToGroup(true).assignValueType(AttributeDefValueType.string).save();
   ibuteDefName o365IdName = new AttributeDefNameSave(grouperSession, o365Id).assignName("etc:attribute:office365:o365Id").save();
   

4. Configure loader job in grouper-loader.properties. Note that you will need to set up an application with access to your domain. See documentation at [http://graph.microsoft.io/en-us/docs].

   geLog.consumer.o365.class = edu.internet2.middleware.grouper.changeLog.consumer.Office365ChangeLogConsumer
   re every 5 seconds
   geLog.consumer.o365.quartzCron =  0,5,10,15,20,25,30,35,40,45,50,55 * * * * ?
   geLog.consumer.o365.syncAttributeName = etc:attribute:office365:o365Sync
   geLog.consumer.o365.retryOnError = true
   geLog.consumer.o365.clientId = @o365.clientId@
   geLog.consumer.o365.clientSecret = @o365.clientSecret@
   

   Replace @o365.clientId@ and @o365.clientSecret@ with appropriate values from the application configuration.

Office 365 Notes

Login to the app management console:

https://apps.dev.microsoft.com/

For first time use, create Office 365 account first:

• Enroll in Office 365 (30-day trail account is fine), during enrollment, note the tenant value of the form “abcdef.onmicrosoft.com”
• At Office 365 management portal, click “Azure AD” link
• In Azure AD portal, click “Azure Activity Directory”
• Under “Manage” tab, click “App registrations”
• In intro text “To view and manage your registrations for converged applications, please visit the Microsoft Application Console.“, click that link

Once in the App Mgmt Console, create an app:

• Note the “Application Id” that is generated (this will be the client id for OAuth2 tokens)
• Use “Generate New Password” when creating keys (this is the client secret for OAuth2 tokens)
• Under “Platforms” tab, click “Add Platform” and specify a redirect URL like “http://localhost/grouper”
• Under “Microsoft Graph Permissions”, in “Application Permissions” specify required Graph API permissions
• At bottom of page, click “Save”
• IMPORTANT: after permissions are added (or modified) admin consent must be granted at the URL template: https://login.microsoftonline.com/$TENANT/adminconsent?client_id=$APPLICATION_ID

Graph API Notes

To get a token for making Graph API calls, do the following:

• POST http method
• URL is of the form https://login.microsoftonline.com/$TENANT/oauth2/v2.0/token

Use the following request parameters:

• client_secret - specify password generated from “Generate New Password” above
• client_id - specify Application Id that's generated when creating app
• grant_type - specify client_credentials, this value implies “Application Permissions” (as opposed to “Delegated Permissions”)
• redirect_uri - specify http://localhost/grouper
• scope - specify https://graph.microsoft.com/.default