This wiki space contains archival documentation of Project Bamboo, April 2008 - March 2013.
An administrator with (highly restricted) Grouper UI login privileges maintains client application (client app) registration data in the Grouper instance that persists these data. The data maintained in Grouper per the instructions on this page constitutes the formal registration of client applications (or tools or services).
Registered client apps are known participants in the Bamboo Ecosystem of clients and servers, and may be part of the Bamboo Trust Federation.
Client apps that are part of the Bamboo Trust Federation are trusted to assert the identity and roles of authenticated users. A number of responsibilities must be met to participate as a member of the Bamboo Trust Federation. In overview, these are described on the page Identity and Access Management - Authentication and Authorization. Clients of this type are expected to act as Shibboleth Service Providers, as described on the page Shibboleth SP Installation and Configuration for Bamboo Trust Federation Clients. Certificate exchange between these clients and an administrator of the Bamboo Services Platform is described in the Certificate Exchange section of the page Configure Apache Web Server for Client Auth (documentation that refers to this page for detail about Application Catalog data).
A lighter-weight mode of participation in the ecosystem is participation as an "Innovation Licensed" client app; client apps of this type are presumed not to have implemented the technical client responsibilities necessary to authenticate clients, and/or have not met the organizational/contractual requirements for establishing membership in the Bamboo Trust Federation. "Innovation Licensed" apps may, nonetheless, be granted special permission to assert identities and roles of a defined set of ersatz Bamboo Persons – these are intended to be ONLY test identities that do NOT correspond to actual persons.
The purpose of granting "Innovation Licenses" to client applications is to permit 'lightweight' participation in the Bamboo Ecosystem. This may be desirable in a number of circumstances, including:
If it has not been done already, update the Bamboo Federation metadata to include the "Entity Descriptor" for the new application. Details are on the page Maintaining SAML Metadata that establishes a Trust Federation.
Using appropriate administrative credentials, log into the Bamboo Grouper UI and use it to create a folder for the project/application:
Within the new project/application folder just created:
The following screen shots illustrate assignment of attributes in the Grouper UI:
Make the new application group a member of the root:bamboo:admin:apps:bambooTrustFederation group or the root:bamboo:admin:apps:innovationLicensed group depending on the category – or client app type – appropriate to the researcher's project. The Overview on this page describes these different types or categories of client app.
If the client app is of the Innovation Licensed type, and the client app owner wishes to assert BPIDs for test users (expected not to represent real persons in any other context except Innovation Licensed client app interactions with BSP-hosted services), add the desired test users as member subjects of the associated application group.
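The two membership rules above (category group decides the client app type; an Innovation Licensed app may assert only the test subjects enrolled in its own app group, and those subjects must already exist in the interim subject db) can be expressed as a policy check. The following is an added example, not Project Bamboo's or Grouper's own code; the project folder names, app group names and subject ids are hypothetical, and treating membership in both category groups as a misconfiguration is an assumption.

```python
# Added example, not Project Bamboo code: a policy check over the Grouper group
# layout this page describes, deciding whether a registered client app may
# assert a given Bamboo Person Identifier (BPID).
APPS_FOLDER = "root:bamboo:admin:apps"
TRUST_FED_GROUP = APPS_FOLDER + ":bambooTrustFederation"
INNOVATION_GROUP = APPS_FOLDER + ":innovationLicensed"

# Interim subject authority ("subject db"): a subject must exist here before it
# can be made a member of any group. Constructed sample; ids are hypothetical.
SUBJECT_DB = {"bamboo-test-001", "bamboo-test-002", "bamboo-test-003"}

# Constructed sample of Grouper memberships: group name -> member names (other
# groups or subject ids). Project folder and app group names are hypothetical.
MEMBERSHIPS = {
    TRUST_FED_GROUP: {APPS_FOLDER + ":workspaceTool:app"},
    INNOVATION_GROUP: {APPS_FOLDER + ":textAnalysisDemo:app"},
    APPS_FOLDER + ":workspaceTool:app": set(),
    APPS_FOLDER + ":textAnalysisDemo:app": {"bamboo-test-001", "bamboo-test-002"},
}

def client_app_type(app_group, memberships=MEMBERSHIPS):
    """Classify an app group by which category group it is a member of."""
    federated = app_group in memberships.get(TRUST_FED_GROUP, set())
    licensed = app_group in memberships.get(INNOVATION_GROUP, set())
    if federated and licensed:
        return "misconfigured"  # assumption: both categories at once is an error
    if federated:
        return "trust-federation"
    if licensed:
        return "innovation-licensed"
    return "unregistered"

def may_assert_subject(app_group, bpid, memberships=MEMBERSHIPS):
    """Trust Federation apps may assert any authenticated user; Innovation
    Licensed apps only the test subjects enrolled in their own app group."""
    kind = client_app_type(app_group, memberships)
    if kind == "trust-federation":
        return True
    if kind == "innovation-licensed":
        return bpid in memberships.get(app_group, set())
    return False  # unregistered or misconfigured: deny by default

def add_test_subject(app_group, bpid, memberships=MEMBERSHIPS, subject_db=SUBJECT_DB):
    """Enrol a test subject in an Innovation Licensed app group, enforcing the
    page's two preconditions: correct app type and a prior subject-db entry."""
    if client_app_type(app_group, memberships) != "innovation-licensed":
        raise ValueError(f"{app_group} is not an Innovation Licensed app group")
    if bpid not in subject_db:
        raise LookupError(f"{bpid} must be added to the subject db first")
    memberships.setdefault(app_group, set()).add(bpid)
```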
As of April 2013, software is not yet implemented to permit Grouper to use the Bamboo Person service as an authority from which to obtain valid Subject identifiers to represent persons who are members of groups.
Until this Subject Adapter is implemented (on the roadmap for late Spring 2013), an interim authority is available within a Grouper instance installed as described in Grouper Install - Configure - Populate. Subjects added to an Innovation Licensed app group, as described above, must first be added to this interim authority. Instructions for adding subjects to the interim authority (a.k.a. subject db) can be found on the page Grouper Install - Configure - Populate.
Once the Subject Adapter is implemented, Bamboo Person Identifiers (BPIDs) will be established via a client of the Bamboo Person service; these previously-established identifiers will be eligible for membership in groups, including in groups that represent Innovation Licensed client apps.