I'm not clear on the why ldapsearch returns memberOf if the "+" filter is specified and the idp dataconnector does not, but it does work in the idp data connector if I explicitly call it out: <ReturnAttributes>* memberOf</ReturnAttributes> -- Sent from: https://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html