A Model Context Protocol (MCP) server that provides tools for interacting with Internet2's Grouper identity management system via web services.
This MCP server provides 18 core tools for essential Grouper operations, organized into five main categories:
- Group Management (8 tools) - Search, create, retrieve, update, and delete groups
- Stem/Folder Management (3 tools) - Search and browse organizational hierarchy
- Member Management (3 tools) - Add, remove, and list group members
- Attribute Management (1 tool) - Assign attributes to groups
- Subject Management (3 tools) - Search for and retrieve information about subjects
For detailed documentation of all available tools, parameters, and usage examples, see TOOLS.md.
This implementation covers the essential group lifecycle and membership management operations that handle most common use cases. Many additional Grouper web service endpoints are not yet implemented but are planned - see the TODO.md for the complete list of planned features.
Configure the server using environment variables:
# Required: Base URL for Grouper web services
export GROUPER_BASE_URL="https://your-grouper-instance.edu/grouper-ws/servicesRest/json/v4_0_000"
# Required: Basic authentication credentials
export GROUPER_USERNAME="your_username"
export GROUPER_PASSWORD="your_password"
# Optional: Act as different subject (for administrative operations)
export GROUPER_ACT_AS_SUBJECT_ID="your_admin_subject_id"
export GROUPER_ACT_AS_SUBJECT_SOURCE_ID="your_subject_source"
export GROUPER_ACT_AS_SUBJECT_IDENTIFIER="your_admin_identifier"
# Optional: Logging configuration
export GROUPER_LOG_DIR="/custom/log/directory" # Default: ~/.grouper-mcp/logs/
export GROUPER_DEBUG="true" # Enable verbose debug logging (default: false)
# Optional: Read-only mode
export READ_ONLY="true" # Enable read-only mode (default: false)The server can be configured to run in read-only mode, which restricts access to read operations only. This is useful for:
- Production monitoring and auditing without risk of accidental changes
- Providing safe access to Grouper data for reporting purposes
- Running multiple instances where only some should have write access
Configuration Priority:
- Properties file (
config/grouper-mcp.properties) - Highest priority, cannot be overridden - Environment variable (
READ_ONLY=true) - Used if no properties file exists - Default -
false(read-write mode)
When READ_ONLY=true:
- Only read operations are available (searches, queries, retrieving information)
- Write operations (create, update, delete, add/remove members) are blocked
- Blocked tools do not appear in the tool list
- Runtime checks prevent execution if a write tool is somehow called
For immutable read-only Docker images, use the properties file approach:
# 1. Create properties file from example
cp config/grouper-mcp.properties.example config/grouper-mcp.properties
# 2. Edit and uncomment the readOnly setting
# grouper-mcp.readOnly=true
# 3. Build Docker image - the properties file will be baked in
docker build -t grouper-mcp:readonly .
# 4. The container will ALWAYS run in read-only mode
# Environment variables cannot override the properties file setting
docker run -i grouper-mcp:readonlyThis approach ensures the container cannot be switched to read-write mode at runtime, making it suitable for production deployments where write access should be permanently disabled.
Read-only tools (available when READ_ONLY=true):
grouper_find_groups_by_name_approximate- Search for groupsgrouper_get_group_by_exact_name- Get group details by namegrouper_get_group_by_uuid- Get group details by UUIDgrouper_find_stems_by_name_approximate- Search for stems/foldersgrouper_get_stem_by_exact_name- Get stem details by namegrouper_get_stem_by_uuid- Get stem details by UUIDgrouper_get_members- Get group membership informationgrouper_get_subject_by_id- Get subject details by IDgrouper_get_subject_by_identifier- Get subject details by identifiergrouper_search_subjects- Search for subjects
Write tools (blocked when READ_ONLY=true):
grouper_create_group- Create new groupsgrouper_update_group- Modify group propertiesgrouper_delete_group_by_name- Delete groups by namegrouper_delete_group_by_uuid- Delete groups by UUIDgrouper_delete_group_by_id_index- Delete groups by ID indexgrouper_add_member- Add members to groupsgrouper_remove_member- Remove members from groupsgrouper_assign_attribute- Assign attributes to groups
-
Clone this repository
-
Install dependencies:
npm install
-
Build the project:
npm run build
- Clone this repository
- Build the Docker image:
docker build -t grouper-mcp .
Run in development mode with:
npm run devBuild and run:
npm run build
npm startRun the container with your configuration:
docker run -i \
-e GROUPER_BASE_URL="https://your-grouper-instance.edu/grouper-ws/servicesRest/json/v4_0_000" \
-e GROUPER_USERNAME="your_username" \
-e GROUPER_PASSWORD="your_password" \
-e GROUPER_DEBUG="true" \
-e READ_ONLY="false" \
-e NODE_TLS_REJECT_UNAUTHORIZED="0" \
-v $(pwd)/logs:/home/mcp/.grouper-mcp/logs \
grouper-mcp:latestAdd to your Claude Desktop MCP configuration:
{
"mcpServers": {
"grouper": {
"command": "docker",
"args": [
"run", "-i", "--rm",
"-e", "GROUPER_BASE_URL=https://your-grouper-instance.edu/grouper-ws/servicesRest/json/v4_0_000",
"-e", "GROUPER_USERNAME=your_username",
"-e", "GROUPER_PASSWORD=your_password",
"-e", "GROUPER_DEBUG=true",
"-e", "READ_ONLY=false",
"-e", "NODE_TLS_REJECT_UNAUTHORIZED=0",
"grouper-mcp:latest"
]
}
}
}Add to your Claude Desktop MCP configuration:
{
"mcpServers": {
"grouper": {
"command": "node",
"args": ["/path/to/grouper-mcp/dist/index.js"],
"env": {
"GROUPER_BASE_URL": "https://your-grouper-instance.edu/grouper-ws/servicesRest/json/v4_0_000",
"GROUPER_USERNAME": "your_username",
"GROUPER_PASSWORD": "your_password",
"GROUPER_DEBUG": "true",
"READ_ONLY": "false",
"NODE_TLS_REJECT_UNAUTHORIZED": "0"
}
}
}
}Environment Variables:
GROUPER_DEBUG: Set to"true"to enable detailed logging for troubleshootingREAD_ONLY: Set to"true"to enable read-only mode (blocks all write operations)NODE_TLS_REJECT_UNAUTHORIZED: Set to"0"if using self-signed certificates
Create a group named "edu:department:engineering:students" with display name "Engineering Students"
Add user "jdoe" to the group "edu:department:engineering:students"
Find all groups containing "engineering" in their name
Get details for group with UUID "12345678-1234-1234-1234-123456789abc"
Assign attribute "classification" with value "academic" to group "edu:department:engineering:students"
Get detailed information for subject with ID "jdoe123"
Search for subjects containing "Smith" in their name or other searchable fields
The server supports Grouper's "act as" functionality for administrative operations. Configure the acting subject using the environment variables listed above.
The server automatically logs all activity to help with debugging:
- Location:
~/.grouper-mcp/logs/(default) or custom viaGROUPER_LOG_DIR - Files:
grouper-mcp.log- All log messages (info, debug, errors)grouper-mcp-errors.log- Error messages only
- Server startup and connection events
- All HTTP requests to Grouper (with credentials redacted)
- All HTTP responses (including error details)
- Detailed error information with context
Set GROUPER_DEBUG=true to enable verbose debug logging showing:
- Request/response details
- API call parameters
- Detailed error traces
[2024-01-15T10:30:45.123Z] [ERROR] HTTP Response: 400 Bad Request {"url":"https://grouper.edu/grouper-ws/servicesRest/json/v4_0_000/groups","status":400,"body":{"error":"Invalid group name format"}}
The server includes comprehensive error handling and logging. Errors are captured and formatted appropriately for display in Claude. Check the log files for detailed error information when troubleshooting.
Planned features and improvements are tracked in TODO.md.
This server is designed to work with Grouper v4.0.000 web services API. It should be compatible with most recent versions of Grouper.