SAML Authentication using LDAP groups

Curry, Warren whcurry at
Tue Dec 1 23:27:42 EST 2015

+1. Not sure I understand either...

Sent from my Verizon Wireless 4G LTE DROID
On Dec 1, 2015 5:14 PM, "Bellina, Brendan" <bbellina at> wrote:
Glad you were able to get the behavior you wanted, but I'm left a bit
confused. This is checking against the user's display name attribute
value, not the display name of a group the user is in, right?  I thought
you were trying to determine what groups the user was in.


Brendan Bellina
Identity Mgmt. Architect, IT Services, UCLA

On 12/1/15, 1:29 PM, "users on behalf of Cahill, Charles (GE Appliances)"
<users-bounces at on behalf of Charles.Cahill at> wrote:

>Thank you all for your input on this.  I was able to solve the problem by
>using configurations on the Apache side SP.
>Made the below changes in the shib.conf.
>Require shib-attr displayname ${DISPLAYNAME} did the trick.  Now, only
>users with a specific LDAP displayname can access my application.  I am
>feeding in the PROTECTEDAPPROOT and DISPLAYNAME as variables in docker
>that are fed into the Apache SP code I have in github to create an Apache
>instance with the Shibboleth Service Provider installed.
><VirtualHost *:80>
>        ProxyPass /Shibboleth.sso !
>        ProxyPass / ${APPLICATION_ENDPOINT}
>        ProxyPassReverse /Shibboleth.sso !
>        ProxyPassReverse / ${APPLICATION_ENDPOINT}
>        RequestHeader set cn "%{cn}e"
>        RequestHeader set firstname "%{firstname}e"
>        RequestHeader set lastname "%{lastname}e"
>        RequestHeader set email "%{email}e"
>        RequestHeader set uid "%{uid}e"
>        RequestHeader set displayname "%{displayname}e"
>        <Location /Shibboleth.sso>
>                Satisfy Any
>                Allow from all
>        </Location>
>        <Location /${PROTECTEDAPPROOT}>
>                AuthType shibboleth
>                ShibRequestSetting requireSession 1
>                Require shib-attr displayname ${DISPLAYNAME}
>        </Location>
></VirtualHost>
>-----Original Message-----
>From: users [mailto:users-bounces at] On Behalf Of Curry,
>Sent: Tuesday, December 01, 2015 2:44 PM
>To: Shib Users
>Subject: RE: SAML Authentication using LDAP groups
>It would seem that you want to do authorization against groups. Not
>authentication with groups.
>Why not make the LDAP groups and load an Attribute in your saml2 doc?
>This can then be used to determine authorization.
>Perhaps I am missing something ...
>-----Original Message-----
>From: users [mailto:users-bounces at] On Behalf Of Cahill,
>Charles (GE Appliances)
>Sent: Tuesday, December 01, 2015 10:59 AM
>To: Shib Users <users at>
>Subject: RE: SAML Authentication using LDAP groups
>I am also wondering, could this be handled on the Apache SP side in the
>conf file handling Location information?
>-----Original Message-----
>From: Cahill, Charles (GE Appliances)
>Sent: Tuesday, December 01, 2015 10:24 AM
>To: Shib Users
>Subject: SAML Authentication using LDAP groups
>Hey All:
>I am looking to do something I believe is unique here with Shibboleth
>and need some help to understand if it is possible.
>I need Shibboleth to do Authentication against LDAP groups.  The
>challenge is that LDAP groups contain DNs, not UID information, so the
>UID must first be gathered and the DN pulled out.  The groups branch must
>then be searched with that DN to see what groups the user is a member of.
>The authentication would then need to be done against that information.
>We are doing something similar with authorization and the code is below.
>My question is, can scripts be used in the login.config to do something
>along these lines, or are scripts not able to be used there?  I would
>think I need to use requisite and required login modules to make this
>work as well, maybe with some variables.
>Here is our authorization methodology for returning the displayname of a
>group as a header.  I need not to return this header in some instances
>but to be able to do full authentication based on group membership.
>               <!--ODSEE LDAP Groups Connector Configs-->
>       <resolver:DataConnector id="slapd-xxxx-user-groups"
>               ldapURL="ldaps://xxxxx  ldaps://xxxxx"
>               principalCredential="xxxxx"
>               principal="xxxxx"
>               connectionStrategy="ACTIVE_PASSIVE"
>               maxResultSize="50"
>               mergeResults="true"
>               baseDN="ou=xxxxxgroups,ou=groups,">
>               <resolver:Dependency ref="" />
>               <resolver:Dependency ref="gexxxuid" />
>               <dc:FilterTemplate>
>                       <![CDATA[
>                       (&(gexxxxxunit=Appliances)(uniquemember=gexxxuid=$gexxxuid.get(0),ou=ge
>                       ]]>
>               </dc:FilterTemplate>
>               <dc:ReturnAttributes>displayname</dc:ReturnAttributes>
>               <dc:LDAPProperty name="java.naming.ldap.factory.socket"
>               <dc:ConnectionPool
>                       minPoolSize="1"
>                       maxPoolSize="8"
>                       blockWhenEmpty="true"
>                       blockWaitTime="PT5S"
>                       expirationTime="PT10M"/>
>       </resolver:DataConnector>
>To unsubscribe from this list send an email to
>users-unsubscribe at

To unsubscribe from this list send an email to users-unsubscribe at
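
Added example, not from the thread or any poster's configuration: a Python model of the lookup the original question describes (uid to DN, then a uniquemember search of the groups branch), with the access check modelled on `Require shib-attr displayname ...` as an any-value match. All directory data is constructed and the function names are hypothetical; it shows that a check fed by the user's own displayname and one fed by group displaynames can give different answers for the same account.

```python
import re

# Constructed sample data: every DN, uid and group name below is made up.
PEOPLE = {
    "uid=jdoe,ou=people,dc=example,dc=org": {"uid": "jdoe", "displayname": ["Jane Doe"]},
    "uid=asmith,ou=people,dc=example,dc=org": {"uid": "asmith", "displayname": ["app-admins"]},
}
GROUPS = {
    "cn=grp1,ou=groups,dc=example,dc=org": {
        "displayname": "app-admins",
        "uniquemember": ["UID=jdoe, ou=People, dc=example, dc=org"],
    },
    "cn=grp2,ou=groups,dc=example,dc=org": {
        "displayname": "app-users",
        "uniquemember": ["uid=jdoe,ou=people,dc=example,dc=org",
                         "uid=asmith,ou=people,dc=example,dc=org"],
    },
}

def norm_dn(dn):
    """Simplified DN comparison key: case-insensitive, no space around commas."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def find_user_dn(uid):
    """Step 1: resolve the login uid to the user's DN."""
    for dn, entry in PEOPLE.items():
        if entry["uid"] == uid:
            return dn
    return None

def group_filter(user_dn):
    """Step 2: the filter a groups-branch search would use for this DN."""
    return "(uniquemember=%s)" % escape_filter_value(user_dn)

def group_displaynames(uid):
    """Displaynames of the groups whose uniquemember list holds the user's DN."""
    dn = find_user_dn(uid)
    if dn is None:
        return []
    key = norm_dn(dn)
    return sorted(g["displayname"] for g in GROUPS.values()
                  if key in {norm_dn(m) for m in g["uniquemember"]})

def require_attr(values, required):
    """Any-value match, modelling a Require rule on a multi-valued attribute."""
    return required in values
```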