Since you're going to have to eventually, I would advise switching to the UnboundID provider [1] and seeing if the behavior is any better or different before spending more time on it.

-- Scott

[1] https://wiki.shibboleth.net/confluence/display/IDP30/LDAPonJava%3E8