Authenticated memberof group

IAM David Bantz dabantz at
Tue May 2 19:21:32 EDT 2017

Shibb developers have built enormous flexibility into the IdP, so you can no
doubt implement such a restriction in the IdP; the simplest way I thought
of is Scott's, including the membership in the LDAP search during the
initial authentication (if using jaas.config, userFilter="(&(sAMAccountName

One issue is that that tactic in itself will result in failed
authentication if the user isn't in the group, without indication to the user
of why or what to do about it.

Wouldn't it be preferable to have the IdP release an appropriate set of
memberOf values to the SP, and let the SP do authorization and respond
appropriately to the user: "You authenticated, but you do not have access
to this service; here's why or what you do about that..."?

David Bantz

On Tue, May 2, 2017 at 3:10 PM, Cantor, Scott <cantor.2 at> wrote:

> On 5/2/17, 6:36 PM, "users on behalf of Daniel McDonald" <
> users-bounces at on behalf of daniel.mcdonald at> wrote:
> > We'd like to limit who's logging into shibboleth based on not only their
> > password, but if they're in a group as well.
> Then why don't you change your LDAP filter in the authentication check to
> exclude entries that aren't in the group?
> > I can return the "memberOf" attribute with a list of the users groups. I
> > hoped that putting this in the ldap search filter would work but it
> didn't:
> That looks like it's from the attribute resolver. How would that impact
> authentication?
> -- Scott
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at
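The two approaches discussed in this thread, restricting the authentication-time LDAP lookup to group members versus releasing memberOf to the SP and letting it authorize, as an added example that is not part of the original post or of the Shibboleth IdP code. It is written in Python and assumes an Active Directory style directory (sAMAccountName, memberOf); the group DN and usernames are constructed sample values. The builder escapes the username per RFC 4515 so that a name containing filter metacharacters cannot change the filter's meaning, and the optional nested-group form uses the LDAP_MATCHING_RULE_IN_CHAIN OID that AD supports.

```python
from typing import Iterable, Optional, Tuple

# RFC 4515 escaping for values embedded in an LDAP search filter. Without it a
# username such as "jdoe)(objectClass=*" would alter the filter's logic.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# AD matching rule that makes memberOf match transitively (nested groups).
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a value for safe inclusion in an LDAP filter assertion."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(
    username: str,
    required_group_dn: Optional[str] = None,
    nested: bool = False,
) -> str:
    """Build the userFilter used for the authentication lookup.

    With no group given this is the plain (sAMAccountName=<user>) lookup.
    With a group, the memberOf clause is ANDed in, so an account outside the
    group is simply not found and therefore cannot authenticate; this is the
    restriction suggested in the thread. Note that AD's memberOf attribute
    lists direct memberships only; nested=True switches to the transitive
    matching rule so members of sub-groups are found as well.
    """
    user_clause = f"(sAMAccountName={escape_filter_value(username)})"
    if required_group_dn is None:
        return user_clause
    attr = "memberOf"
    if nested:
        attr = f"memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:"
    group_clause = f"({attr}={escape_filter_value(required_group_dn)})"
    return f"(&{user_clause}{group_clause})"


def authorize_by_group(
    member_of: Iterable[str], allowed_group_dn: str
) -> Tuple[bool, str]:
    """SP-side authorization over memberOf values released by the IdP.

    Returns (allowed, message) so the SP can tell an authenticated but
    unauthorized user why access was refused. DNs are compared
    case-insensitively because AD treats them that way.
    """
    wanted = allowed_group_dn.casefold()
    if any(dn.casefold() == wanted for dn in member_of):
        return True, "Access granted."
    return False, (
        "You authenticated, but you do not have access to this service: "
        f"your account is not a member of {allowed_group_dn}."
    )


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    group = "CN=Shib Users,OU=Groups,DC=example,DC=edu"
    print(build_user_filter("jdoe"))
    print(build_user_filter("jdoe", group))
    print(build_user_filter("jdoe", group, nested=True))
    # A hostile username is neutralised by the escaping.
    print(build_user_filter("jdoe)(objectClass=*", group))
    # SP-side decision on released memberOf values.
    print(authorize_by_group(["CN=Other,DC=example,DC=edu"], group))
    print(authorize_by_group([group.lower()], group))
```

The authentication-time filter gives no feedback channel beyond "bad credentials", whereas the SP-side check can return the explanatory message; which one fits depends on whether a clear refusal message matters more than keeping unauthorized accounts from completing an IdP login at all.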