Authenticated memberof group

Lipscomb, Gary glipscomb at
Tue May 2 18:47:52 EDT 2017

You can restrict access to SPs using memberof to determine group membership and then use that group membership in an intercept flow and a relying-party override to deny or allow access.

> -----Original Message-----
> From: users [mailto:users-bounces at] On Behalf Of Daniel McDonald
> Sent: Wednesday, 3 May 2017 8:36
> To: Shib Users <users at>
> Subject: Authenticated memberof group
> We'd like to limit who's logging into Shibboleth based on not only their
> password, but if they're in a group as well.
> I can return the "memberOf" attribute with a list of the user's groups. I hoped
> that putting this in the LDAP search filter would work but it didn't:
> (&(mail=$requestContext.principalName)(memberOf=CN=MyGroup,CN=Users,DC=umass,DC=net))
> Could someone point me in the right direction here?
> Thanks
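
The approach described in the reply, sketched as an added example that is not part of the original thread or of Shibboleth's shipped configuration. It assumes Shibboleth IdP v3's context-check intercept flow, an attribute resolved under the id memberOf, and a placeholder SP entityID (https://sp.example.org/shibboleth):

```xml
<!-- conf/intercept/context-check-intercept-config.xml (IdP v3 assumed) -->
<!-- Condition the context-check flow evaluates after authentication: the
     subject must carry the group DN from the question as a memberOf value.
     If the condition is false, the flow fails and no assertion is issued. -->
<bean id="shibboleth.context-check.Condition"
      parent="shibboleth.Conditions.SimpleAttribute"
      p:useUnfilteredAttributes="true">
    <property name="attributeValueMap">
        <map>
            <!-- Key is the attribute id from attribute-resolver.xml
                 (assumed here to be "memberOf"). -->
            <entry key="memberOf">
                <list>
                    <value>CN=MyGroup,CN=Users,DC=umass,DC=net</value>
                </list>
            </entry>
        </map>
    </property>
</bean>

<!-- conf/relying-party.xml, inside the shibboleth.RelyingPartyOverrides list -->
<!-- Run the check only for the SP being restricted; the entityID below is a
     placeholder, not a value from the thread. -->
<bean parent="RelyingPartyByName"
      c:relyingPartyIds="https://sp.example.org/shibboleth">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                  p:postAuthenticationFlows="context-check" />
        </list>
    </property>
</bean>
```

With useUnfilteredAttributes set to true the check runs against the resolved attributes before filtering, so memberOf does not have to be released to the SP. The value comparison is an exact string match, so the DN must be written exactly as the directory returns it.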
