Authenticated memberof group

Daniel McDonald daniel.mcdonald at
Wed May 3 16:30:39 EDT 2017

In a normal situation, yes, we'd like to tell the users why it's failing; 
in this particular project though, a failed login with no explanation is 

I was trying to do something like both you and Scott mentioned, changing 
the LDAP search filter to only allow access if they're in a certain 
group. This is shibboleth idp 3.3.1 BTW.

Right now I have this as my CDATA section within my DataConnector which 
successfully matches on the mail attribute. The CDATA values are 
actually a variable %{idp.attribute.resolver.LDAP.searchFilter} in 
attribute-resolver.xml but these are the values it should be reading 
when it runs.

This is successfully authenticating:


I tried this next line but it didn't seem to work; users not in the group 
are able to log in:


Should that work?


On 05/02/2017 07:21 PM, IAM David Bantz wrote:
> Shibb developers have built in enormous flexibility into the IdP so 
> you no doubt implement such a restriction in the IdP, the simplest way 
> I thought of is Scott's, including the membership in the LDAP search 
> during the initial authentication (if using jaas.config, 
> userFilter="(&(sAMAccountName={user})(memberOf=CN=MyGroup,CN=Users,DC=umass,DC=net))". 
> One issue is that that tactic in itself will result in failed 
> authentication if the user isn't in the group, without indication to 
> user of why or what to do about it.
> Wouldn't it be preferable to have the IdP release an appropriate set 
> of memberOf values to the SP, and let the SP do authorization and 
> respond appropriately to the user: "You authenticated, but you do not 
> have access to this service; here's why or what you do about that..."?
> David Bantz
> On Tue, May 2, 2017 at 3:10 PM, Cantor, Scott <cantor.2 at> wrote:
>     On 5/2/17, 6:36 PM, "users on behalf of Daniel McDonald"
>     <users-bounces at on behalf of daniel.mcdonald at> wrote:
>     > We'd like to limit who's logging into shibboleth based on not
>     only their
>     > password, but if they're in a group as well.
>     Then why don't you change your LDAP filter in the authentication
>     check to exclude entries that aren't in the group?
>     > I can return the "memberOf" attribute with a list of the users
>     groups. I
>     > hoped that putting this in the ldap search filter would work but
>     it didn't:
>     That looks like it's from the attribute resolver. How would that
>     impact authentication?
>     -- Scott
>     --
>     To unsubscribe from this list send an email to
>     users-unsubscribe at

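The thread contrasts two places a `memberOf` filter can live: the authentication-time `userFilter` (which decides whether a bind is even attempted) and the attribute-resolver DataConnector filter (which only shapes what attributes are released after a successful login). The following is an added example, not code from the thread, from Shibboleth or from ldaptive: a small in-memory evaluator for filters of the `(&(sAMAccountName={user})(memberOf=...))` shape, run over a constructed directory under an assumed `DC=example,DC=net` suffix. It shows the group-restricted lookup returning no entry for users outside the group, and why the `{user}` substitution must be escaped per RFC 4515 before it goes into the filter.

```python
"""Toy model of an LDAP userFilter that restricts authentication to one
group. Added example for illustration; it is not Shibboleth or ldaptive code
and the directory below is constructed. Attribute names and values are
compared case-insensitively, as Active Directory does for these attributes."""
import re

# Constructed sample directory: DN -> {attribute (lowercased): [values]}.
GROUP_DN = "CN=MyGroup,CN=Users,DC=example,DC=net"
DIRECTORY = {
    "CN=alice,CN=Users,DC=example,DC=net": {
        "samaccountname": ["alice"],
        "mail": ["alice@example.net"],
        "memberof": [GROUP_DN, "CN=Staff,CN=Users,DC=example,DC=net"],
    },
    "CN=bob,CN=Users,DC=example,DC=net": {
        "samaccountname": ["bob"],
        "mail": ["bob@example.net"],
        "memberof": ["CN=Staff,CN=Users,DC=example,DC=net"],
    },
    "CN=carol,CN=Users,DC=example,DC=net": {
        "samaccountname": ["carol"],
        "mail": ["carol@example.net"],
        "memberof": [],
    },
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter (the {user} slot)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_user_filter(user, group_dn, escape=True):
    """The authentication-time userFilter with the memberOf restriction.
    escape=False exists only to show what an unescaped substitution does."""
    subject = escape_filter_value(user) if escape else user
    return "(&(sAMAccountName=%s)(memberOf=%s))" % (subject, group_dn)


def _parse(s, i=0):
    """Recursive-descent parse of the filter starting at s[i] == '('.
    Supports &, |, ! and equality/presence items; returns (node, next_index)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, subs = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, subs), i + 1
    eq = s.index("=", i)        # the first '=' ends the attribute name
    close = s.index(")", eq)    # an escaped ')' is '\29', so this is the item end
    return ("=", s[i:eq], s[eq + 1:close]), close + 1


def parse_filter(s):
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing data after filter")
    return node


def _unescape(raw):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def matches(entry, node):
    kind = node[0]
    if kind == "&":
        return all(matches(entry, n) for n in node[1])
    if kind == "|":
        return any(matches(entry, n) for n in node[1])
    if kind == "!":
        return not matches(entry, node[1][0])
    _, attr, raw = node
    values = entry.get(attr.lower(), [])
    if raw == "*":                       # presence filter
        return bool(values)
    want = _unescape(raw).lower()
    return any(v.lower() == want for v in values)


def search(filter_str):
    """Return the DNs in DIRECTORY matching filter_str."""
    node = parse_filter(filter_str)
    return [dn for dn, entry in DIRECTORY.items() if matches(entry, node)]


def resolve_for_bind(user, group_dn=GROUP_DN):
    """Authentication step: the filter must select exactly one entry, whose DN
    is then bound with the supplied password. No match means no bind at all,
    so a user outside the group fails here with no explanation."""
    hits = search(build_user_filter(user, group_dn))
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for u in ("alice", "bob", "carol"):
        print(u, "->", resolve_for_bind(u))
    # An unescaped '*' turns the item into a presence filter and selects every group member.
    print(search(build_user_filter("*", GROUP_DN, escape=False)))
    print(search(build_user_filter("*", GROUP_DN)))
```

Two caveats the toy makes visible. First, only the filter used for the authentication lookup gates the bind; a `memberOf` clause in the attribute-resolver DataConnector runs after the password has already been verified and can at most leave the released attribute set empty. Second, Active Directory's `memberOf` lists direct memberships only, so a user who is in `MyGroup` via a nested group will not match an equality filter on it; the transitive form uses the `LDAP_MATCHING_RULE_IN_CHAIN` matching rule (`memberOf:1.2.840.113556.1.4.1941:=<group DN>`), which this toy parser does not implement.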