
Aug. 12, 2025


Grouper Therapy: TechEX-citement and Revamped Training


By Chris Hyzer, University of Pennsylvania and Grouper Lead at Internet2

Many higher education institutions are leading the way with innovative solutions. The more we stay connected and collaborate, the more time we save when we have similar problems to solve. 

I feel so strongly about sharing effort among other institutions that the abbreviated 2025 Internet2 Technology Exchange (TechEX25) session descriptions below were borrowed from their presenters. 

The Grouper team is excited for TechEX25 in Denver, Colo., held Dec. 8-12. We hope to see many members of the Grouper community, including you! Registration for TechEX25 is open now.

If you’re not able to join us in Denver, another great way to increase your Grouper knowledge is to take advantage of our expanded Grouper Training options. 

There are many lessons to learn with the new training material. The community has given the team a lot of advice over the years about Grouper training, and we have done our best to implement most of the ideas. 

Now, it is your turn to make sure your identity and access management (IAM) department is managing access as efficiently and accurately as possible. Get further details on Grouper Training.

For those of you who are planning to be at TechEX25 (or still thinking about it), let me assure you that the lineup of Grouper-specific sessions is stellar. Read on to learn more about what your colleagues are going to share. 

For full session descriptions, check out the TechEX25 program and filter by the Identity & Access Management track.

Fish and Chips: Hands-on Tutorial Using AI to Address Grouper Concerns – Monday, Dec. 8, 1 p.m. – Led by Chris Hyzer

My previous blog about Grouper and AI outlined some use cases where AI can assist Grouper users and admins.

To make this vision a reality, we need to collectively put some effort into distilling common use cases, so multiple institutions can leverage AI with Grouper. You can either be patient and wait for this to happen or join us at TechEX25 for a hands-on AI tutorial on Monday, Dec. 8.

Once Grouper enthusiasts get a taste of what AI can do — whether it’s quickly writing scripts or translating plain English into Attribute Based Access Control (ABAC) — we will inevitably start dreaming up even more creative, unexpected ways to leverage AI in access management. 

Is AI in your organization’s strategic plan? Make sure to adjust your travel plans to attend this session (and impress management)!

Tutorial Description: As AI matures from buzzword to business tool, it’s casting a wide net across higher ed IT, and many a Grouper is getting caught in the current. This session dives into how AI is being used to tackle some of Grouper’s most persistent pain points. From helping users understand how to manage their users’ access to assisting admins in writing Grouper scripts, AI is quietly reshaping how we interact with and extend the power of Grouper.

Grouper Birds of a Feather – Tuesday, Dec. 9, or Wednesday, Dec. 10, at Lunch

The Grouper Birds of a Feather at the 2024 Technology Exchange in Boston, MA.

Description: This yearly “State of Authorization” shows what has recently been accomplished with Grouper, and what is on the roadmap for the future. Bring your questions to discuss pain points or ideas to expand the Grouper platform.

Grouper Membership Lifecycles: Managing Employment Changes Gracefully – Wednesday, Dec. 10, 9 a.m. – Presented by Dusty Edenfield and Bert Bee-Lindgren, Georgia Institute of Technology

Permission creep, orphaned entitlements, and the principle of rotten privilege: there is simply no way to describe this unwanted situation without resorting to terms that sound like they belong in a cybersecurity horror story.

You know the situation: someone leaves a job, changes departments, or disappears into the academic ether, and yet somehow, miraculously, still has access to collaboration tools, licensed software, and the provost’s Spotify playlist. 

Access administrators know when someone is requesting access, but it is difficult for them to know when lifecycle events occur down the road. 

Georgia Tech has been engaged in this topic for years and will present some relevant recipes.

Session Description: Managing permission creep is a challenge often fraught with security concerns due to too much access retained by employees who have changed positions within the institution or left employment completely. By using Grouper’s rule framework, employment changes can trigger rule actions that create grace periods before membership is removed and email notifications to employees or managers about pending loss of access. Different security level requirements can be applied to groups to maintain flexibility in the timings of membership expiration and the recipients of email notifications.

Grouper Attestation in Action: UVA’s Transition from MyGroups to Grouper – Wednesday, Dec. 10, 9:25 a.m. – Presented by Kellen Murphy, University of Virginia

Attestation is a fancy word for “sign here to confirm this group is correct.” 

In reality, it is one of the most chronically ignored tasks in identity governance, right up there with removing manual affiliations and rotating service account passwords.

That’s why this upcoming session is a must-see for anyone who’s ever shouted into the void, “Who owns this group, and is it still being used?”

Session Description: In Fall 2024, the University of Virginia transitioned from its custom group management solution, MyGroups, to Grouper. All existing MyGroups groups were migrated without modification, despite lacking compliance with new governance policies enabled by Grouper. Consequently, these legacy groups require thorough evaluation regarding their purpose, membership, and necessity. This discussion will explore how UVA is utilizing Grouper’s Attestation functionality to systematically address these legacy groups, implement deprovisioning where needed, and ensure compliance with new group policies introduced with Grouper.

Modernizing IAM with Grouper and Okta at University of Michigan – Wednesday, Dec. 10, 2:40 p.m. – Presented by Bruce Timberlake, Gail Lift, and Liam Hoekenga, University of Michigan

The University of Michigan is pushing forward to further innovate in higher education IAM, leveraging tools like Okta, Entra ID, and a cloud SQL identity vault, while keeping Grouper in the mix to manage policies and expand ABAC. 

With lots of options for provisioning, when should each tool be used? Is writing a custom Grouper provisioner as fun as it sounds? Spoiler alert, the answer is yes!

Session Description: In our presentation, we will discuss the University of Michigan’s strategy for modernizing and migrating IAM during our transition to Okta: SSO, identity vault, and increased Grouper utilization. To support this migration, we are leveraging Grouper and a new AWS-hosted Identity Vault as an intermediary layer, enabling us to maintain unique Michigan requirements not directly supported by Okta. This hybrid approach allows us to provision groups to Active Directory (AD), Microsoft Entra, and Okta through multiple pathways, ensuring flexibility and performance.

Moving to Containerized Grouper and Shib IdP – Wednesday, Dec. 10, 4:20 p.m. – Presented by Christopher Bongaarts, University of Minnesota, Twin Cities

Migrating Grouper to a containerized environment is a game changer for flexibility, scalability, and management. 

By running Grouper in orchestrated containers, you can easily deploy, scale, and update the platform with minimal hassle, ensuring more efficient resource use and quicker recovery from failures. Plus, there is better support provided when operating unexpired Grouper versions.

Talk Description: The University of Minnesota has operated Grouper and Shibboleth IdP services for years on physical and then virtual servers. When support for the current version of our Linux VMs was about to end, we took advantage of the situation to move to a containerized deployment of these services. This session will describe the deployment model we chose (podman container engine running on Red Hat Enterprise Linux 9 VMs), the tools we used to automate the deployment and configuration process (Ansible Automation Platform (AAP) and HashiCorp Vault), and the process we used to migrate from our existing environment.

Advance CAMP – All Day Thursday, Dec. 11, and Friday, Dec. 12

This is your opportunity to propose sessions and brainstorm with colleagues on Grouper topics.

Description: Advance CAMP is a dynamic unconference format, where participants create the agenda with their current challenges, opportunities, and ideas. As many as five concurrent breakout sessions run each hour. Collaborative discussions tackle emerging issues in real-time, and community scribes document insights for continued reference. 

Whether it’s in one of our training programs or at TechEX25, I hope you will stay connected. On behalf of the Grouper team, we hope to collaborate with you soon.

About Grouper

Grouper is an enterprise access management platform that simplifies authorization by automating and delegating administration of groups and roles in your organization. Grouper is part of the InCommon Trusted Access Platform, an IAM suite of software designed to integrate with existing systems. Our roadmap is based on community input. Grouper, the access management component of the InCommon Trusted Access Platform, evolves to meet the community’s needs.
