Page Tree:

Child pages
  • Maintaining Application Catalog Data for Trusted Clients

This wiki space contains archival documentation of Project Bamboo, April 2008 - March 2013.

Skip to end of metadata
Go to start of metadata


An administrator with (highly restricted) Grouper UI login privileges maintains client application (client app) registration data in the Grouper instance that persists these data. The data maintained in Grouper per the instructions on this page formally registers client applications (or tools or services).

Registered client apps are known participants in the Bamboo Ecosystem of clients and servers, and may be part of the Bamboo Trust Federation.

Client apps that are part of the Bamboo Trust Federation are trusted to assert the identity and roles of authenticated users. A number of responsibilities must be met to participate as members of the Bamboo Trust Federation. In overview, these are described on the page Identity and Access Management - Authentication and Authorization. Clients of this type are expected to act as Shibboleth Service Providers, as described on the page Shibboleth SP Installation and Configuration for Bamboo Trust Federation Clients. Certificate exchange between these clients and an administrator of the Bamboo Services Platform are described in the Certificate Exchange section of the page Configure Apache Web Server for Client Auth (documentation that refers to this page for detail about Application Catalog data).

A lighter-weight mode of participation in the ecosystem is participation as an "Innovation Licensed" client app; client apps of this type are presumed not to have implemented the technical client responsibilities necessary to authenticate clients, and/or have not met the organizational/contractual requirements for establishing membership in the Bamboo Trust Federation. "Innovation Licensed" apps may, nonetheless, be granted special permission to assert identities and roles of a defined set of ersatz Bamboo Persons – these are intended to be ONLY test identities that do NOT correspond to actual persons.

The purpose of granting "Innovation Licenses" to client applications is to permit 'lightweight' participation in the Bamboo Ecosystem. This may be desirable in a number of circumstances, including:

  1. A tool developer is considering the costs vs. benefits of becoming a member of the Project Bamboo Ecosystem, and wishes to attempt and evaluate initial integration of selected services before making a deeper commitment.
  2. A tool developer is committed to integrating her software with the Project Bamboo Ecosystem – whether by embedding her software in a Project Bamboo Research Environment, or by calling on Bamboo services from her own software's context – and wishes to forge ahead while the formal (legal) agreement to join the Project Bamboo Trust Federation is being worked out.
  3. A tool developer needs or wants to integrate software with Project Bamboo Ecosystem services prior to modifying the tool in question to act as a Shibboleth Service Provider.
  4. A tool developer wishes to integrate her software with the Project Bamboo Ecosystem for a limited time and purpose by calling on Bamboo services from her own software's context, and has no interest in obtaining privileges or long-term access associated with membership in the Project Bamboo Trust Federation.
Note that a client application's as anonymous, a member of the Bamboo Trust Federation, or an "Innovation Licensed" client application has implications vis-a-vis the resolution of access permissions to services and other resources served by, and/or policy decided by, the Bamboo Services Platform. See Authorization and Policy for additional detail.

Update Bamboo Trust Federation metadata

If it is not done already, update the Bamboo Federation metadata to include the "Entity Descriptor" for the new application. Details at Maintaining SAML Metadata that establishes a Trust Federation.

Create a folder for a new client application, tool, or service (client app)

Using appropriate administrative credentials, log into the Bamboo Grouper UI and use it create a folder for the project/application:

  • Browse to the root:bamboo:projects folder
  • Create a new folder under projects
  • Create a UUID identifier for the folder id value. One online UUID generator is at We have been using type 4 (random) UUIDs.
  • Pick a short name (a few words at most) for the project/application in cooperation with the researcher/owner. Enter that in the folder "name" field.

Create a group to represent the client app itself

Within the new project/application folder just created:

  • Create a group to represent the actual application.
  • Assign attributes to the group (DN, Start Date and End Date)
    • The DN value should match the value in the client certificate provided to you by the client app owner as a step in the process defined in the Installation of Shibboleth SP section of the page Shibboleth SP Installation and Configuration for Bamboo Trust Federation Clients
    • In cooperation with the client app owner, set appropriate values for the start and end dates for the client application's registration in the Bamboo Ecosystem, entering them as a string of the form yyyy/mm/dd; this date should not extend beyond the valid dates of the client's certificate referenced in the prior bullet

The following screen shots illustrate assignment of attributes in the Grouper UI:

Assign attributes to an application
  • Select the Lite UI menu

  • Choose Manage attributes and permissions from the Lite UI menu

  • Select View or assign attributes

  • Find the application group, filter the results and add the attribute values
    • Type "dn" in the Attribute name field and a pick list will appear, select the ...appDn attribute
    • Type "bsp" (if the Application name includes that string) in the Owner group field and a pick list will appear of groups with bsp in their name. Select the desired app (bspTestApp in this example)
    • Click the "Assign" button to associate the appDn attribute with the chosen application

  • Click the down-pointing triangle symbol by the application name and click "Add value"

  • Enter the attribute value in the text box and click "Submit". The attribute and its value are now associated with the application

Make the group representing the client app a member of a group representing application type

Make the new application group a member of the root:bamboo:admin:apps:bambooTrustFederation group or the root:bamboo:admin:apps:innovationLicensed group depending on the category – or client app type – appropriate to the researcher's project. The Overview on this page describes these different types or categories of client app.

  • Browse to the the appropriate group
  • Add the application as a member by querying for and selecting the application group name

For client apps of the innovation-licensed type, optionally add special-case BPId subjects to the client app group

If the client app is of the Innovation Licensed type, and the client app owner wishes to assert BPIDs for test users (expected not to represent real persons in any other context except Innovation Licensed client app interactions with BSP-hosted services), add the desired test users as member subjects of the associated application group.


As of April 2013, software is not yet implemented to permit Grouper to use the Bamboo Person service as an authority from which to obtain valid Subject identifiers to represent persons who are members of groups.

Until this Subject Adapter is implemented (on the roadmap for late Spring 2013), an interim authority is available within a Grouper instance installed as described in Grouper Install - Configure - Populate. Subjects added to an Innovation Licensed app group, as described above, must first be added to this interim authority. Instructions for adding subjects to the interim authority (a.k.a. subject db) can be found on the page Grouper Install - Configure - Populate.

Once the Subject Adapter is implemented, Bamboo Person Identifiers (BPIDs) will be established via a client of the Bamboo Person service; these previously-established identifiers will be eligible for membership in groups, including in groups that represent Innovation Licensed client apps.







1 Comment

  1. This page is marked incomplete pending completion of the Subject Adapter referenced in the Tip box at the bottom of the page.