SAML Authentication using LDAP groups

Cantor, Scott cantor.2 at
Wed Dec 2 09:46:25 EST 2015

On 12/2/15, 8:46 AM, "users on behalf of Cahill, Charles (GE Appliances)" <users-bounces at on behalf of Charles.Cahill at> wrote:

>I was able to then configure the Apache Service Provider Shib.conf to limit who can access the website by using this location block.  Keep in mind that the Protected web root is being fed is a variable and so is the group "displayname".

When you use displayName in SAML, that's about a user (the subject of the assertion), not a group. It's going to confuse the heck out of anybody coming after you. I really wouldn't do that.

-- Scott
