Authenticated memberof group

[Daniel McDonald]

We'd like to limit who's logging into shibboleth based on not only their 
password, but if they're in a group as well.

I can return the "memberOf" attribute with a list of the users groups. I 
hoped that putting this in the ldap search filter would work but it didnt:

(&(mail=$requestContext.principalName)(memberOf=CN=MyGroup,CN=Users,DC=umass,DC=net))

Could someone point me in the right direction here?

Thanks