SAML Authentication using LDAP groups

Cahill, Charles (GE Appliances) Charles.Cahill at
Wed Dec 2 09:57:16 EST 2015

Understood. I will change that variable to something other than DisplayName.

"displayname" in our Linux LDAP is really the name of a group. In Windows Active Directory it is something
else totally, but I can see where the confusion may come into play here.


-----Original Message-----
From: users [mailto:users-bounces at] On Behalf Of Cantor, Scott
Sent: Wednesday, December 02, 2015 9:46 AM
To: Shib Users
Subject: Re: SAML Authentication using LDAP groups

On 12/2/15, 8:46 AM, "users on behalf of Cahill, Charles (GE Appliances)" <users-bounces at on behalf of Charles.Cahill at> wrote:

>I was able to then configure the Apache Service Provider Shib.conf to limit who can access the website by using this location block.  Keep in mind that the Protected web root is being fed is a variable and so is the group "displayname".

When you use displayName in SAML, that's about a user (the subject of the assertion), not a group. It's going to confuse the heck out of anybody coming after you. I really wouldn't do that.

-- Scott
