SAML Authentication using LDAP groups

Bellina, Brendan bbellina at
Tue Dec 1 11:52:30 EST 2015

I'm not sure I understand the way you are using authentication and
authorization here.  Authentication is a credential validation check.
Authorization is a determination as to whether the once authenticated
subject is allowed to access the resource. Preventing someone from
accessing something based on group memberships is authorization and seems
to be what you are describing.  Generally you would leverage a forward
reference attribute in your user entries that indicates what groups the
user is in, such as memberOf, that way you do not have to query for group
memberships at login. You should check to see if you have an attribute
like that.


Brendan Bellina
Identity Mgmt. Architect, IT Services, UCLA

On 12/1/15, 7:24 AM, "users on behalf of Cahill, Charles (GE Appliances)"
<users-bounces at on behalf of Charles.Cahill at> wrote:

>Hey All:
>I am looking to do something I believe is unique here with Shibboleth and
>need some help to understand if it is possible.
>
>I need Shibboleth to do authentication against LDAP groups. The challenge
>is that LDAP groups contain DNs, not UID information, so the UID must
>first be gathered and the DN pulled out. The groups branch must then be
>searched with that DN to see what groups the user is a member of. The
>authentication would then need to be done against that information. We
>are doing something similar with authorization and the code is below.
>
>My question is, can scripts be used in the login.config to do something
>along these lines, or are scripts not able to be used there? I would
>think I need to use requisite and required login modules to make this
>work as well, maybe with some variables.
>
>Here is our authorization methodology for returning the displayname of a
>group as a header. I need not to return this header in some instances
>but to be able to do full authentication based on group membership.
>		<!--ODSEE LDAP Groups Connector Configs-->
>	<resolver:DataConnector id="slapd-xxxx-user-groups"
>		ldapURL="ldaps://xxxxx  ldaps://xxxxx"
>		principalCredential="xxxxx"
>		principal="xxxxx"
>		connectionStrategy="ACTIVE_PASSIVE"
>		maxResultSize="50"
>		mergeResults="true"
>		baseDN="ou=xxxxxgroups,ou=groups,">
>		<resolver:Dependency ref="" />
>		<resolver:Dependency ref="gexxxuid" />
>		<dc:FilterTemplate>
>			<![CDATA[
>			(&(gexxxxxunit=Appliances)(uniquemember=gexxxuid=$gexxxuid.get(0),ou=ge
>			]]>
>		</dc:FilterTemplate>
>		<dc:ReturnAttributes>displayname</dc:ReturnAttributes>
>		<dc:LDAPProperty name="java.naming.ldap.factory.socket"
>		<dc:ConnectionPool
>			minPoolSize="1"
>			maxPoolSize="8"
>			blockWhenEmpty="true"
>			blockWaitTime="PT5S"
>			expirationTime="PT10M"/>
>	</resolver:DataConnector>
>To unsubscribe from this list send an email to
>users-unsubscribe at
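
The distinction the reply draws (authentication as a credential check, authorization as a group-membership decision about the already-authenticated subject) and the two ways of learning group membership that the thread discusses (searching the groups branch for entries whose uniqueMember holds the user's DN, versus reading a memberOf forward reference on the user entry so no group search is needed at login), as an added example in Python. This is not code from the thread or from Shibboleth; the directory contents, DNs, attribute names, user names, passwords and the in-memory search are all constructed for the example. It also escapes the value interpolated into the search filter (RFC 4515), which matters wherever a user-supplied uid is substituted into a filter template the way the posted connector substitutes $gexxxuid.get(0).

```python
"""Authentication vs. group-based authorization over a small in-memory
directory.  Added example for this thread; not Shibboleth code and not the
original poster's configuration.  Every DN, attribute, user and password
here is constructed for the example."""
import hashlib
import hmac

PEOPLE_BASE = "ou=people,dc=example,dc=com"   # assumed branches
GROUPS_BASE = "ou=groups,dc=example,dc=com"
_SALT = b"\x01\x02\x03\x04\x05\x06\x07\x08"   # fixed salt, example only


def _salted_hash(password: str, salt: bytes) -> bytes:
    """Salted SHA-256 (stand-in for whatever hash the directory stores)."""
    return hashlib.sha256(password.encode() + salt).digest() + salt


# Constructed directory: DN -> attributes.  Group entries carry the
# back-reference (uniqueMember -> user DN) that the poster searches on;
# user entries carry the forward reference (memberOf -> group DN).
DIRECTORY = {
    f"uid=alice,{PEOPLE_BASE}": {
        "uid": ["alice"],
        "userPassword": [_salted_hash("correct horse", _SALT)],
        "memberOf": [f"cn=appliance-admins,{GROUPS_BASE}"],
    },
    f"uid=bob,{PEOPLE_BASE}": {
        "uid": ["bob"],
        "userPassword": [_salted_hash("battery staple", _SALT)],
        "memberOf": [],
    },
    f"cn=appliance-admins,{GROUPS_BASE}": {
        "objectClass": ["groupOfUniqueNames"],
        "displayName": ["Appliance Admins"],
        "uniqueMember": [f"uid=alice,{PEOPLE_BASE}"],
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a search filter.  Without
    it a uid such as '*)(uid=*' rewrites the filter instead of matching."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def search_equal(base: str, attr: str, value: str) -> list:
    """DNs under `base` whose `attr` contains exactly `value` (in-memory
    stand-in for a one-assertion LDAP equality search)."""
    attr = attr.lower()
    hits = []
    for dn, entry in DIRECTORY.items():
        if not dn.lower().endswith("," + base.lower()):
            continue
        for name, values in entry.items():
            if name.lower() == attr and value in values:
                hits.append(dn)
    return hits


def authenticate(uid: str, password: str):
    """Credential validation only: the user's DN on success, else None.
    Says nothing about what the subject may access."""
    dns = search_equal(PEOPLE_BASE, "uid", uid)
    if len(dns) != 1:
        return None
    stored = DIRECTORY[dns[0]]["userPassword"][0]
    if not hmac.compare_digest(stored, _salted_hash(password, stored[32:])):
        return None
    return dns[0]


def groups_by_search(user_dn: str):
    """Poster's approach: search the groups branch for the user's DN.
    Returns (the filter that would be sent, matching group DNs)."""
    filt = "(&(objectClass=groupOfUniqueNames)(uniqueMember=%s))" % (
        escape_filter_value(user_dn))
    groups = [dn for dn in search_equal(GROUPS_BASE, "uniqueMember", user_dn)
              if "groupOfUniqueNames" in DIRECTORY[dn].get("objectClass", [])]
    return filt, groups


def groups_by_member_of(user_dn: str) -> list:
    """Reply's approach: read the forward reference; no search at login."""
    return list(DIRECTORY[user_dn].get("memberOf", []))


def authorize(user_dn: str, required_group: str, use_member_of=True) -> bool:
    """Authorization: is this authenticated subject in the required group?"""
    groups = (groups_by_member_of(user_dn) if use_member_of
              else groups_by_search(user_dn)[1])
    return required_group.lower() in (g.lower() for g in groups)


def login_and_check(uid: str, password: str, required_group: str) -> str:
    """Two separate decisions, reported separately so they log separately."""
    dn = authenticate(uid, password)
    if dn is None:
        return "authentication failed"
    if not authorize(dn, required_group):
        return "authenticated but not authorized"
    return "allowed"
```

With a real directory, `search_equal` becomes the LDAP search and `filt` is the string actually sent; the point of keeping `authenticate` and `authorize` apart is that a wrong password and a missing group membership are different events, and only the second is what the poster is really asking for.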

More information about the users mailing list