SAML Authentication using LDAP groups

Bellina, Brendan bbellina at
Tue Dec 1 17:14:40 EST 2015

Glad you were able to get the behavior you wanted, but I'm left a bit
confused. This is checking against the user's display name attribute
value, not the display name of a group the user is in, right?  I thought
you were trying to determine what groups the user was in.


Brendan Bellina
Identity Mgmt. Architect, IT Services, UCLA

On 12/1/15, 1:29 PM, "users on behalf of Cahill, Charles (GE Appliances)"
<users-bounces at on behalf of Charles.Cahill at> wrote:

>Thank you all for your input on this.  I was able to solve the problem by
>using configurations on the Apache side SP.  Made the below changes in the
>shib.conf.  Require shib-attr displayname ${DISPLAYNAME} did the trick.  Now,
>only users with a specific LDAP displayname can access my application.  I am
>feeding in the PROTECTEDAPPROOT and DISPLAYNAME as variables in docker that
>are fed into the Apache SP code I have in github to create an Apache
>instance with the Shibboleth Service Provider installed.
><VirtualHost *:80>
>    # The SP handler path must not be proxied; this rule has to precede "ProxyPass /".
>    ProxyPass /Shibboleth.sso !
>    ProxyPassReverse /Shibboleth.sso !
>    # Assumed: the forward rule pairing the ProxyPassReverse below was missing
>    # from the original post; without it no request reaches the application.
>    ProxyPass / ${APPLICATION_ENDPOINT}
>    ProxyPassReverse / ${APPLICATION_ENDPOINT}
>    # Copy the attributes the SP exports as environment variables into request
>    # headers for the proxied application.
>    RequestHeader set cn "%{cn}e"
>    RequestHeader set firstname "%{firstname}e"
>    RequestHeader set lastname "%{lastname}e"
>    RequestHeader set email "%{email}e"
>    RequestHeader set uid "%{uid}e"
>    RequestHeader set displayname "%{displayname}e"
>    <Location /Shibboleth.sso>
>        # Apache 2.2 access syntax; on 2.4 this requires mod_access_compat.
>        Satisfy Any
>        Allow from all
>    </Location>
>    <Location /${PROTECTEDAPPROOT}>
>        AuthType shibboleth
>        ShibRequestSetting requireSession 1
>        Require shib-attr displayname ${DISPLAYNAME}
>    </Location>
></VirtualHost>
>-----Original Message-----
>From: users [mailto:users-bounces at] On Behalf Of Curry,
>Sent: Tuesday, December 01, 2015 2:44 PM
>To: Shib Users
>Subject: RE: SAML Authentication using LDAP groups
>It would seem that you want to do authorization against groups, not
>authentication with groups.
>Why not make the LDAP groups load as an attribute in your SAML2 doc?
>This can then be used to determine authorization.
>Perhaps I am missing something ...
>-----Original Message-----
>From: users [mailto:users-bounces at] On Behalf Of Cahill,
>Charles (GE Appliances)
>Sent: Tuesday, December 01, 2015 10:59 AM
>To: Shib Users <users at>
>Subject: RE: SAML Authentication using LDAP groups
>I am also wondering, could this be handled on the Apache SP side in the
>conf file handling Location information?
>-----Original Message-----
>From: Cahill, Charles (GE Appliances)
>Sent: Tuesday, December 01, 2015 10:24 AM
>To: Shib Users
>Subject: SAML Authentication using LDAP groups
>Hey All:
>
>I am looking to do something I believe is unique here with Shibboleth and
>need some help to understand if it is possible.
>
>I need Shibboleth to do authentication against LDAP groups.  The challenge
>is that LDAP groups contain DNs, not UID information, so the UID must first
>be gathered and the DN pulled out.  The groups branch must then be searched
>with that DN to see what groups the user is a member of.  The
>authentication would then need to be done against that information.  We
>are doing something similar with authorization and the code is below.  My
>question is, can scripts be used in the login.config to do something along
>these lines, or are scripts not able to be used there?  I would think I
>need to use requisite and required login modules to make this work as
>well, maybe with some variables.
>
>Here is our authorization methodology for returning the displayname of a
>group as a header.  I need not to return this header in some instances but
>to be able to do full authentication based on group membership.
><!-- ODSEE LDAP Groups Connector Configs -->
><!-- xsi:type added here: an LDAP connector needs it, it was absent in the post -->
><resolver:DataConnector id="slapd-xxxx-user-groups" xsi:type="dc:LDAPDirectory"
>    ldapURL="ldaps://xxxxx ldaps://xxxxx"
>    principalCredential="xxxxx"
>    principal="xxxxx"
>    connectionStrategy="ACTIVE_PASSIVE"
>    maxResultSize="50"
>    mergeResults="true"
>    baseDN="ou=xxxxxgroups,ou=groups,">
>    <resolver:Dependency ref="" />
>    <resolver:Dependency ref="gexxxuid" />
>    <dc:FilterTemplate>
>        <![CDATA[
>        (&(gexxxxxunit=Appliances)(uniquemember=gexxxuid=$gexxxuid.get(0),ou=ge
>        ]]>
>    </dc:FilterTemplate>
>    <dc:ReturnAttributes>displayname</dc:ReturnAttributes>
>    <!-- value redacted in the post; the element is closed here so the XML parses -->
>    <dc:LDAPProperty name="java.naming.ldap.factory.socket" value="xxxxx" />
>    <dc:ConnectionPool
>        minPoolSize="1"
>        maxPoolSize="8"
>        blockWhenEmpty="true"
>        blockWaitTime="PT5S"
>        expirationTime="PT10M"/>
></resolver:DataConnector>
>To unsubscribe from this list send an email to
>users-unsubscribe at
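
As an added illustration of the approach Curry suggested (and of the gap Brendan points out: the rule above checks the user's own displayname, not group membership), here is an IdP v2 attribute-resolver fragment, not from this thread or from the Shibboleth project, that resolves the user's LDAP group memberships into an isMemberOf attribute the SP can authorize on. The LDAP host, base DNs, bind credentials and the people/groups layout are assumed placeholders.

```xml
<!-- Hypothetical attribute-resolver.xml fragment in the IdP v2 syntax used on
     this thread. Hosts, DNs and credentials are placeholders. -->

<!-- Search the groups branch for entries listing the user's DN as a member.
     The member DN is built from the authenticated principal name, so a user
     cannot influence which DN is looked up. -->
<resolver:DataConnector id="ldapGroups" xsi:type="dc:LDAPDirectory"
    ldapURL="ldaps://ldap.example.org"
    baseDN="ou=groups,dc=example,dc=org"
    principal="cn=idp-bind,ou=system,dc=example,dc=org"
    principalCredential="CHANGEME"
    maxResultSize="50">
  <dc:FilterTemplate>
    <![CDATA[
      (uniquemember=uid=$requestContext.principalName,ou=people,dc=example,dc=org)
    ]]>
  </dc:FilterTemplate>
  <!-- Return the group's cn, a stable key, rather than its displayname. -->
  <dc:ReturnAttributes>cn</dc:ReturnAttributes>
</resolver:DataConnector>

<!-- Expose every matched group cn as one multi-valued isMemberOf attribute. -->
<resolver:AttributeDefinition id="isMemberOf" xsi:type="ad:Simple" sourceAttributeID="cn">
  <resolver:Dependency ref="ldapGroups" />
  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
      name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="isMemberOf" />
</resolver:AttributeDefinition>
```

With the attribute released to the SP and mapped in its attribute-map.xml (the stock map gives that OID the id `member`), the Apache rule becomes `Require shib-attr member appusers` for a group with cn=appusers, and access no longer hinges on a display name that may be neither unique nor stable.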
