SAML Authentication using LDAP groups

Cantor, Scott cantor.2 at
Tue Dec 1 12:02:32 EST 2015

On 12/1/15, 10:58 AM, "users on behalf of Cahill, Charles (GE Appliances)" <users-bounces at on behalf of Charles.Cahill at> wrote:

>I am also wondering, could this be handled on the Apache SP side in the conf file handling
>Location information?

You don't limit authentication by groups, and if you do, you do it with the memberOf approach and store the groups in each user entry. Then it's a simple matter of adjusting the filter in the LDAP login config to check for the group(s) required.

But that isn't the right model. You should ignore groups during login, resolve attributes based on group memberships and supply them as needed. Or use them within the IdP to enforce authorization via something like the context-check profile intercept.

These are basic separation of duty considerations. Multiple pieces that are simple to understand and compose are better than one complex piece.

-- Scott
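As an added illustration of the two models Scott contrasts above (this is constructed example code, not from the thread or from the Shibboleth project), the following models an in-memory directory with a `memberOf` attribute and shows both a login filter that restricts authentication by group (Model A) and the separated flow of authenticate, resolve attributes from group membership, then authorize (Model B). The directory entries, group DNs, passwords and the group-to-affiliation mapping are all constructed sample values; the filter builder also escapes the username per RFC 4515 so that a user-supplied name cannot change the filter's structure.

```python
"""Added example: LDAP group handling at login time vs. after authentication.

Model A: a memberOf clause in the LDAP login filter limits who can log in.
Model B: login checks only the credential; group-derived attributes are
         resolved separately and authorization is a third, separate step.
"""
import hmac
from typing import Optional

# Constructed sample directory: DN -> attributes. Plain passwords appear here
# only so the example runs offline; a real IdP binds to the directory instead.
DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "uid": "alice", "userPassword": "alice-pw",
        "memberOf": ["cn=staff,ou=Groups,dc=example,dc=com",
                     "cn=sso-users,ou=Groups,dc=example,dc=com"],
    },
    "uid=bob,ou=People,dc=example,dc=com": {
        "uid": "bob", "userPassword": "bob-pw",
        "memberOf": ["cn=students,ou=Groups,dc=example,dc=com"],
    },
}

# Constructed mapping used by attribute resolution in Model B.
GROUP_TO_AFFILIATION = {
    "cn=staff,ou=Groups,dc=example,dc=com": "staff",
    "cn=students,ou=Groups,dc=example,dc=com": "student",
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def login_filter(username: str, required_group_dn: Optional[str] = None) -> str:
    """Build the user-lookup filter; with a group DN this is Model A's filter."""
    user_clause = "(uid=%s)" % escape_filter_value(username)
    if required_group_dn is None:
        return user_clause
    return "(&%s(memberOf=%s))" % (user_clause, escape_filter_value(required_group_dn))


def find_entry(username: str):
    """Look up the directory entry for a uid (None if absent)."""
    for attrs in DIRECTORY.values():
        if attrs["uid"] == username:
            return attrs
    return None


def authenticate_restricted(username: str, password: str, required_group_dn: str) -> bool:
    """Model A: the login itself fails unless the user is in the required group."""
    attrs = find_entry(username)
    if attrs is None or not hmac.compare_digest(attrs["userPassword"], password):
        return False
    return required_group_dn in attrs["memberOf"]


def authenticate(username: str, password: str) -> bool:
    """Model B, step 1: authentication checks only the credential."""
    attrs = find_entry(username)
    return attrs is not None and hmac.compare_digest(attrs["userPassword"], password)


def resolve_attributes(username: str) -> dict:
    """Model B, step 2: derive released attributes from group memberships."""
    attrs = find_entry(username)
    if attrs is None:
        return {}
    affiliations = sorted(GROUP_TO_AFFILIATION[g] for g in attrs["memberOf"]
                          if g in GROUP_TO_AFFILIATION)
    return {"uid": username, "eduPersonAffiliation": affiliations,
            "isMemberOf": list(attrs["memberOf"])}


def authorize(resolved: dict, required_affiliation: str) -> bool:
    """Model B, step 3: per-service check on resolved attributes (the role an
    IdP-side intercept such as context-check plays)."""
    return required_affiliation in resolved.get("eduPersonAffiliation", [])


def sso_login(username: str, password: str, required_affiliation: str):
    """Compose the three Model B steps; returns (ok, reason, attributes)."""
    if not authenticate(username, password):
        return False, "authentication failed", {}
    resolved = resolve_attributes(username)
    if not authorize(resolved, required_affiliation):
        return False, "not authorized", resolved
    return True, "ok", resolved


if __name__ == "__main__":
    print(login_filter("alice", "cn=sso-users,ou=Groups,dc=example,dc=com"))
    print(sso_login("bob", "bob-pw", "staff"))
```

In Model A, bob cannot log in at all because the filter excludes him; in Model B he authenticates, is resolved as a student, and is then refused by the authorization step with a distinct reason, which keeps the pieces independently testable and lets a different service apply a different policy to the same authenticated session.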
